Support for namespaces #262

Merged
merged 1 commit into from
Jan 24, 2019

sergeytrasko
Contributor

PR for #175

@DawtCom

DawtCom commented Jan 7, 2019

Any ideas when this pull request will be merged?

@chrishoffman chrishoffman merged commit 0694fc2 into hashicorp:master Jan 24, 2019
@chrishoffman
Contributor

Thanks!

@toddmichael

Should this work or is there still a missing piece? I built from master and tried, but it fails with permission denied

Fails with Terraform

$ ec terraform apply

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
...
...
vault_mount.transit: Creating...
  accessor:                  "" => "<computed>"
  default_lease_ttl_seconds: "" => "<computed>"
  description:               "" => "transit secrets engine (aka encryption-as-a-servie)"
  max_lease_ttl_seconds:     "" => "<computed>"
  path:                      "" => "transit"
  type:                      "" => "transit"

Error: Error applying plan:

1 error(s) occurred:

* vault_mount.transit: 1 error(s) occurred:

* vault_mount.transit: error writing to Vault: Error making API request.

URL: POST https://vault.dev.##REDACTED##/v1/sys/mounts/transit
Code: 403. Errors:

* 1 error occurred:
	* permission denied
...
...

Works with CLI

$ ec printenv VAULT_NAMESPACE
dev
$ ec vault secrets enable transit
Success! Enabled the transit secrets engine at: transit/

Saw the merge and thought perhaps I could use it as-is. Perhaps I'm being presumptuous.

@babarot

babarot commented Jan 28, 2019

I faced a similar situation with this error.

Fails with Terraform

$ ls /root/.terraform.d/plugins/
terraform-provider-vault_v1.4.2-custom

provider "vault" {
  address   = "https://vault.dev.our_company.com:8200"
  token     = "s.xxx"
  namespace = "microservices/our_service_A"
}

data.vault_generic_secret.cert_asterisk_our_company_com_2018: Refreshing state...

Error: Error refreshing state: 1 error(s) occurred:

* data.vault_generic_secret.cert_asterisk_our_company_com_2018: 1 error(s) occurred:

* data.vault_generic_secret.cert_asterisk_our_company_com_2018: data.vault_generic_secret.cert_asterisk_our_company_com_2018: no secret found at "secret/cert_asterisk_our_company_com_2018/"

Works with CLI

$ vault read secret/cert_asterisk_our_company_com_2018
Key                 Value
---                 -----
refresh_interval    768h
crt                 xxx
pem                 xxx

@sergeytrasko
Contributor Author

I was able to reproduce the issue - not sure how it slipped during initial testing.
The root cause is that the child token that is used by Terraform was created for the specified namespace. As a result, it had the wrong policies assigned.
I will submit one more PR shortly.
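
An added example, not part of this thread and not the provider's own code: the request ordering that the root cause above implies, with the child token derived before any namespace is set and the `X-Vault-Namespace` header applied only to later resource calls. The helper names `call` and `namespacesSeen`, the placeholder tokens, and the header-recording stand-in server are assumptions made for illustration; only the header name and the two API paths are Vault's.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// call POSTs to path; the X-Vault-Namespace header is sent only when ns != "".
func call(base, path, token, ns string) error {
	req, err := http.NewRequest("POST", base+path, nil)
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", token)
	if ns != "" {
		req.Header.Set("X-Vault-Namespace", ns)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// namespacesSeen runs the sequence against a constructed stand-in server
// (not a real Vault) and returns the namespace header received per path.
func namespacesSeen(ns string) (map[string]string, error) {
	seen := map[string]string{}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen[r.URL.Path] = r.Header.Get("X-Vault-Namespace")
	}))
	defer srv.Close()
	// Step 1: derive the child token with no namespace set (placeholder tokens).
	if err := call(srv.URL, "/v1/auth/token/create", "parent-token-placeholder", ""); err != nil {
		return nil, err
	}
	// Step 2: only now scope resource calls to the namespace.
	if err := call(srv.URL, "/v1/sys/mounts/transit", "child-token-placeholder", ns); err != nil {
		return nil, err
	}
	return seen, nil
}

func main() {
	seen, err := namespacesSeen("dev")
	fmt.Println(seen, err)
}
```
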

tyrannosaurus-becks pushed a commit that referenced this pull request Jan 29, 2019
gpiper14 added a commit to gpiper14/terraform-provider-vault that referenced this pull request Jan 30, 2019
* upstream/master: (41 commits)
  go fmt
  fix bad merge
  add binary to .gitignore
  go fmt
  go fmt
  go fmt
  Added acceptance tests
  Fix for namespaces (hashicorp#262)
  Added Azure auth support for backend config and role.
  go fmt
  Added support for EGP and RGP (sentinel)
  Refactor tests
  Update docs
  Rename file
  Add sensitive flag to private key and bundle attributes
  Add vault_pki_secret_backend_ca_config resource
  Enforce dependencies to pass tests
  Reformat
  Add tests
  Fix resources attributes
  ...

# Conflicts:
#	vault/provider.go
#	vault/resource_identity_entity.go
#	vault/resource_identity_entity_alias.go
#	vault/resource_identity_entity_alias_test.go
#	vault/resource_identity_entity_test.go
@toddmichael

Works like a charm. Thanks so much for implementing this. Huge win to me. Cheers.

@babarot

babarot commented Feb 4, 2019

I was able to reproduce the issue - not sure how it slipped during initial testing.
The root cause is that the child token that is used by Terraform was created for the specified namespace. As a result, it had the wrong policies assigned.
I will submit one more PR shortly.

Nice! Thank you! I'll check it later.

BTW when will these changes be released?

dandandy pushed a commit to dandandy/terraform-provider-vault that referenced this pull request Jun 17, 2021
Implementation of hashicorp#262 was buggy.
Vault token used by Terraform should be created without namespace - otherwise the token will have wrong set of policies assigned