
vault_kubernetes_auth_backend_config tries to remove kubernetes_ca_cert field on subsequent applies #904

Closed
Chili-Man opened this issue Nov 13, 2020 · 3 comments · Fixed by #1337
@Chili-Man

Terraform Version

Terraform v0.13.5
+ provider registry.terraform.io/hashicorp/vault v2.15.0

Affected Resource(s)

vault_kubernetes_auth_backend_config


Terraform Configuration Files

##### Kubernetes authentication backend
resource "vault_auth_backend" "kubernetes" {
  type        = "kubernetes"
}

resource "vault_kubernetes_auth_backend_config" "cluster" {
  backend         = vault_auth_backend.kubernetes.path
  kubernetes_host = "https://kubernetes.default"
}

Debug Output

Terraform will perform the following actions:

  # module.vault.vault_kubernetes_auth_backend_config.cluster will be updated in-place
  ~ resource "vault_kubernetes_auth_backend_config" "cluster" {
        backend                = "kubernetes"
        disable_iss_validation = false
        disable_local_ca_jwt   = false
        id                     = "auth/kubernetes/config"
      - kubernetes_ca_cert     = <<~EOT
            -----BEGIN CERTIFICATE-----
            MIIDBjCCAe6gAwIBAgIBATANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwptaW5p
            a3ViZUNBMB4XDTIwMTAyNTIyMjc1MVoXDTMwMTAyNDIyMjc1MVowFTETMBEGA1UE
            AxMKbWluaWt1YmVDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMO
            DKBT6BfinQg2LZFlZ1MYUTCmYSHgxP66dVhyhGLc3v0wpoRYym3sgnEfFC01IphE
            JbCxhGfV9/5/uzmMAyJbhgJ16xTccpuQetMltihiKt2vjFrXLaUmOpqnNzCXD4ly
            GFT7IRK6HaOqnjUscFFv5HeAn+lqufhm5cE1b0C97UMqtHAMYTSA8yWMAvzHdct1
            wyJOelCi23hKbzeo93JPdJlXaXxv5dcliBTE/wSQGYSU8LIdEi9zes9VsyVEn9Nh
            qL0KQQYwi6SRDsGK/mWbv3tih3l09PUzlz0V9TCwkt8iZt4iSDGcKWfrZ6vyV7wl
            9ZDNYqOQlSlK9GogjWMCAwEAAaNhMF8wDgYDVR0PAQH/BAQDAgKkMB0GA1UdJQQW
            MBQGCCsGAQUFBwMCBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
            BBRsf/ByY9va3vwCz3bRf4OFlY62RDANBgkqhkiG9w0BAQsFAAOCAQEAUw+PoKz/
            bGj4q4Ml+TcYLgOQQWRXT7F7ZYBmOxv/IZ7iE83sGAoy+Y2dacr/IZYAFmbH+DgU
            sIKENpAiRHlkBk8j1PEQUX0QL24e9oUDbdnnQKu0KwiwTUtMp9wk3KcP++DRH2Ql
            aJH+gfqbNzjkiL1NOMvnxUtP6j1gcIhaHfHG6iKPqzancnjWsioDS7VQMaGtMEu/
            KRUqIQEv+/DaC/bNYxhX01NK7FYBxaKk5PDW99yB8Una8cpgh0TdPkH0JK3MHI2B
            0MY8eboU54xeA99k1mWX0b9dyCx8Xn5p/r3gtg91jFXrBS87QJnNyvhadn7fQt1w
            rsqF5gNYth9k/Q==
            -----END CERTIFICATE-----
        EOT -> null
        kubernetes_host        = "https://kubernetes.default"
        pem_keys               = []
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Expected Behavior

After creating the Kubernetes authentication backend as described in the terraform config above, if I do a subsequent terraform apply with no additional changes, it tries to remove the kubernetes_ca_cert that Vault automatically added. It should not do so and instead adopt it.

Actual Behavior

It tries to remove the kubernetes_ca_cert when it should not.

Steps to Reproduce


  1. terraform apply
  2. terraform apply

Important Factoids

Current workaround is to add a lifecycle.ignore_changes on the kubernetes_ca_cert field.
If it can't be done within the provider, then a documentation update about this would suffice.
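As an added illustration (not code from this issue or from the Vault provider), a small Python model of how Terraform's plan step treats an attribute that the server filled in after the first apply: an Optional-only attribute omitted from HCL is planned for removal, an Optional+Computed attribute is adopted from state, and lifecycle.ignore_changes suppresses the diff either way. The schema flags, the state values and the PEM placeholder are constructed assumptions, not the provider's real schema or a real certificate.

```python
"""Toy model of Terraform's plan for vault_kubernetes_auth_backend_config."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attr:
    optional: bool = True
    computed: bool = False  # Computed: the server may fill it when omitted


# Assumed schemas for the demonstration only (not the provider's code).
SCHEMA_OPTIONAL_ONLY = {
    "kubernetes_host": Attr(),
    "kubernetes_ca_cert": Attr(optional=True, computed=False),
}
SCHEMA_OPTIONAL_COMPUTED = {
    "kubernetes_host": Attr(),
    "kubernetes_ca_cert": Attr(optional=True, computed=True),
}


def plan(config, state, schema, ignore_changes=()):
    """Return {attr: (old, new)} for attributes that would change in-place.

    config: attributes written in HCL; state: what the provider read back
    from Vault; ignore_changes: names listed in lifecycle.ignore_changes.
    """
    changes = {}
    for name, attr in schema.items():
        old = state.get(name)
        if name in ignore_changes:
            continue  # keep whatever the server currently has
        if name in config:
            new = config[name]  # explicitly pinned value wins
        elif attr.computed:
            new = old  # Optional+Computed: adopt the server-filled value
        else:
            new = None  # Optional only: absent from HCL means "remove"
        if new != old:
            changes[name] = (old, new)
    return changes


# Constructed state as Vault would return it after the first apply: the CA
# was discovered by Vault from the local service account, not set in HCL.
CA_FROM_VAULT = "-----BEGIN CERTIFICATE-----\n<constructed>\n-----END CERTIFICATE-----"
STATE = {"kubernetes_host": "https://kubernetes.default", "kubernetes_ca_cert": CA_FROM_VAULT}
CONFIG = {"kubernetes_host": "https://kubernetes.default"}

if __name__ == "__main__":
    print(plan(CONFIG, STATE, SCHEMA_OPTIONAL_ONLY))      # CA planned -> None
    print(plan(CONFIG, STATE, SCHEMA_OPTIONAL_COMPUTED))  # {} (adopted)
    print(plan(CONFIG, STATE, SCHEMA_OPTIONAL_ONLY, ("kubernetes_ca_cert",)))  # {}
```

Pinning kubernetes_ca_cert explicitly in HCL also removes the diff, and additionally fixes the trust anchor Vault uses for TokenReview calls rather than leaving it to runtime discovery.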

@jasonodonnell jasonodonnell added this to the 2.16.1 milestone Nov 19, 2020
@Skaronator

Skaronator commented Feb 9, 2022

This is still an issue on the latest provider version, ~~2.7.1~~ 3.2.1. Maybe we can update the milestone or remove it since it seems not maintained? @jasonodonnell

I found a good workaround if you're on AWS at least. You can just set the ca_cert directly like so:

data "aws_eks_cluster" "this" {
  name = "my-cluster"
}

resource "vault_kubernetes_auth_backend_config" "example" {
  backend            = vault_auth_backend.kubernetes.path
  kubernetes_host    = "https://kubernetes.default.svc.cluster.local"
  kubernetes_ca_cert = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
}

@benashz benashz removed this from the 2.17.0 milestone Feb 9, 2022
@benashz

benashz commented Feb 9, 2022

Hi @Skaronator, it looks like the issue is in the latest provider version 3.2.1. We can take a look at this issue as part of the upcoming 3.3.0 release.

@benashz benashz added this to the 3.3.0 milestone Feb 9, 2022
@benashz benashz self-assigned this Feb 9, 2022
@Skaronator

Hi, oh yeah, I meant 3.2.1. 2.7.1 is the Kubernetes provider, got a bit confused.

$ t version
Terraform v1.1.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/kubernetes v2.7.1
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/vault v3.2.1

Thanks
