New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect behaviour for vault_approle_auth_backend_role_secret_id - Recreates even when still valid if wrapped #976
Comments
Apologies for tagging you both directly, but this has been sitting dormant with no guidance for some time now. Could either @bflad or @jasonodonnell point me at the right person to progress this issue (at least in a theoretical/discussion manner, the actual code changes can happen later, but we need direction in order to propose any code changes...) ? |
@melbit-michaelw Adding a new parameter to use the wrapped token does make sense to me. Possibly something like:
|
Currently, this is a breaking issue for me. I use Terraform to create a wrapped AppRole secret, and I put it in the config for a VM which will pick it up on boot, unwrap it and use the underlying periodic service token. Unfortunately, afterwards the wrapped token will no longer be valid/available, so every subsequent I think there's two options:
I don't know of any work-around for this issue. I have considered generating the wrapped secret manually (or well, automated in the CD pipeline) outside of Terraform, but then you just move the problem of determining when to actually recreate the resource and outside of Terraform that would be even more complicated... |
Terraform Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
Gist of initial terraform apply: https://gist.github.com/melbit-michaelw/fca4e290438f060f079f3dcc1232a3c4
Gist of terraform apply after unwrapping the secret_id: https://gist.github.com/melbit-michaelw/02f2010884b69daf3b78c578f3ff8f07
Expected Behavior
If the wrapped secret_id is still valid in Vault (based on successfully being able to look up the secret_id_accessor value), then no new secret_id should be created.
Potentially a flag to control whether a new secret_id should be created based on whether the wrapped secret_id_accessor is still valid could be introduced. This would enable the current behaviour as an option (i.e. regenerate a secret-id if it has been unwrapped or can no longer be unwrapped).
A second flag to control whether to delete the old secret-id when creating a new one might also make sense (current behaviour is to completely ignore the old secret-id, so it is left as valid, which seems like a possible security issue).
Actual Behavior
A new secret-id is created every time the wrapped ttl expires, regardless of whether the old one is still active. This introduces the appearance of config drift into automated pipelines.
Additionally, the old secret-id is 'abandoned' as part of this process, and remains valid in Vault.
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform apply
terraform apply
and observe that it wants to create a fresh secret-id.References
Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:
As background, our intended usage of this functionality is to create a new wrapped secret_id which is passed to a server instance via a template in terraform that is executed as user-data (whether that server is in aws, vsphere, azure, ...) and unwrapped by that server.
Consequentially, having a new secret_id be recreated on every terraform execution is not desirable.
Please let me know if you need any additional information.
The text was updated successfully, but these errors were encountered: