The vault_gcp_auth_backend_role resource does not apply bound_labels to the vault auth method.
Earlier this week while debugging an issue I tried to authenticate to my vault from a VM that did not have the bound_label that I had defined in my terraform configuration... To my surprise my authentication was successful, which led me down the route of finding out why terraform was lying to me.
Expected Behavior
Terraform should apply the security controls that it says it does for the vault provider.
Actual Behavior
Terraform does not install the bound_labels configuration to the vault_gcp_auth_backend_role resource.
Steps to Reproduce
# Start a dev vault instance
[~]$ vault server -dev -dev-root-token-id=root
# Apply my example terraform state
[~]$ terraform init
[~]$ terraform apply
# Run a plan to show that terraform thinks that it has set the bound_labels
# correctly and that "no changes are required"
[~]$ terraform plan
# Setup vault vars
[~]$ export VAULT_ADDR='http://127.0.0.1:8200'
[~]$ export VAULT_TOKEN='root'
# Check the terraform created gcp auth role's config...
# Note that `bound_labels` is missing
[~]$ vault read auth/gcp/role/test-role
Key Value
--- -----
add_group_aliases false
role_id 57b6301e-6368-1e1b-51e7-2b31361e8589
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies []
token_ttl 0s
token_type default
type gce
# Use the vault CLI / API to actually install a `bound_labels`
[~]$ vault write auth/gcp/role/test-role/labels add=role:dog
# Verify the manual change we just made...
[~]$ vault read auth/gcp/role/test-role
Key Value
--- -----
add_group_aliases false
bound_labels map[role:dog]
role_id 57b6301e-6368-1e1b-51e7-2b31361e8589
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 0s
token_no_default_policy false
token_num_uses 0
token_period 0s
token_policies []
token_ttl 0s
token_type default
type gce
# Try to run a terraform plan and terraform will panic
[~]$ terraform plan
# https://gist.github.com/BrandonIngalls/5c8d1089aa443580dd71d3f755600a29
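The reproduction above relies on eyeballing `vault read` output to notice that `bound_labels` is absent. The following script is an added example (it is not part of the issue and not code from the Terraform Vault provider) that does that check mechanically: it parses the JSON form of the same read (`vault read -format=json auth/gcp/role/test-role`), compares the live `bound_labels` map against the labels the Terraform configuration was supposed to apply, and reports any drift. The two embedded samples are constructed to mirror the two `vault read` results shown in the steps (no labels, then `role=dog`); it is an assumption that the JSON output carries `bound_labels` as a JSON object under `data`, and a defensive branch also accepts a `["key:value"]` list.

```python
import json
import sys
from typing import Dict, Mapping

# Constructed sample of `vault read -format=json auth/gcp/role/test-role`
# output, mirroring the first read in the issue: no bound_labels key at all.
# request_id is a placeholder; role_id is the value shown in the issue.
ROLE_WITHOUT_LABELS = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "add_group_aliases": False,
        "role_id": "57b6301e-6368-1e1b-51e7-2b31361e8589",
        "token_policies": [],
        "type": "gce",
    },
})

# Constructed sample mirroring the second read, after the manual
# `vault write auth/gcp/role/test-role/labels add=role:dog`.
ROLE_WITH_LABELS = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "add_group_aliases": False,
        "bound_labels": {"role": "dog"},
        "role_id": "57b6301e-6368-1e1b-51e7-2b31361e8589",
        "token_policies": [],
        "type": "gce",
    },
})


def bound_labels_from_read(raw_json: str) -> Dict[str, str]:
    """Extract the bound_labels map from `vault read -format=json` output.

    Vault omits the key entirely when the role binds no labels, so a missing
    key is returned as an empty map instead of raising.
    """
    data = json.loads(raw_json).get("data", {})
    labels = data.get("bound_labels") or {}
    if isinstance(labels, list):
        # Assumed alternative rendering: ["key:value", ...]
        labels = dict(item.split(":", 1) for item in labels)
    return {str(k): str(v) for k, v in labels.items()}


def missing_labels(expected: Mapping[str, str], raw_json: str) -> Dict[str, str]:
    """Return the subset of expected labels the live role does not enforce.

    A label counts as missing when it is absent or bound to a different value,
    since either way a VM without the declared label could still authenticate.
    """
    actual = bound_labels_from_read(raw_json)
    return {k: v for k, v in expected.items() if actual.get(k) != v}


def role_enforces_labels(expected: Mapping[str, str], raw_json: str) -> bool:
    """True only when every declared label is actually bound on the role."""
    return not missing_labels(expected, raw_json)


if __name__ == "__main__":
    # The labels the Terraform config declared; hypothetical for this example.
    expected = {"role": "dog"}
    if not sys.stdin.isatty():
        # Real use: vault read -format=json auth/gcp/role/test-role | python check.py
        gap = missing_labels(expected, sys.stdin.read())
        print("OK" if not gap else f"DRIFT: labels not enforced: {gap}")
        sys.exit(0 if not gap else 1)
    for name, sample in (("before", ROLE_WITHOUT_LABELS), ("after", ROLE_WITH_LABELS)):
        gap = missing_labels(expected, sample)
        print(f"{name}: {'OK' if not gap else 'DRIFT ' + str(gap)}")
```

Run stand-alone it prints `before: DRIFT {'role': 'dog'}` and `after: OK`; piped the real read into it and it exits non-zero whenever the role does not enforce the declared labels, which makes the gap between what `terraform plan` reports and what Vault actually enforces visible in CI rather than only when an unexpected VM logs in.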