"patch" a kv2? #1005

Open
tony-kerz opened this issue Mar 17, 2021 · 5 comments

Comments

@tony-kerz

Terraform Version

0.14.7

Affected Resource(s)

  • vault_generic_secret
  • vault_generic_endpoint

Terraform Configuration Files

I have two situations where I'm looking for kv2 patch behavior,
to avoid clobbering some portion of a secret:

(a) two different areas of code both want to write to the same path
(b) a human and some code both want to write to the same path

I've tried both vault_generic_secret and vault_generic_endpoint and they both seem to clobber whatever was there;
is there some magic to make either of these behave like patch?

Expected Behavior

would love to see patch behavior

Actual Behavior

every write overwrites previous values

Steps to Reproduce

Hand-write something in Vault, then try to patch it using either of the two resources mentioned above.

Important Factoids

kv2 in play


MAN98 commented Mar 19, 2021

Hi @tony-kerz - I had the same scenario. My workaround is to use the data source for "vault_generic_secret" to get the current data value, then merge it with the KV pair I want to add/patch. Hope the code snippet below helps:

# Read the current contents of the secret (this read fails if the path does not exist yet)
data "vault_generic_secret" "mysecret" {
  path = "secret/mysecret"
}

# Write back the existing keys merged with the new one, so keys that are
# already present are preserved instead of being clobbered
resource "vault_generic_secret" "merge_new_kvpair" {
  path = "secret/mysecret"

  data_json = jsonencode(merge(data.vault_generic_secret.mysecret.data, { "NewKey" = "NewValue" }))
}


tony-kerz commented Mar 20, 2021

@MAN98 yes, I tried the same thing, and it works OK, but an issue I forgot to mention is that, like data, even patch only works if the secret is already there. I have some Groovy code that looks like this to effect an "upsert":

  // Jenkins pipeline step: "upsert" a single key into a KV v2 secret.
  // `_path`, `toks` (the path tokens; the last one is the key name) and
  // `value` are defined earlier in the pipeline.
  // `vault kv get` exits non-zero when the path does not exist (or on any
  // other error); returnStatus: true captures the exit code instead of failing the build.
  def status = sh script: "vault kv get ${_path}", returnStatus: true
  if (status) {
    // non-zero status: assume path does not exist, so use put
    //
    sh "vault kv put ${_path} ${toks.last()}=${value}"
  } else {
    // zero status: assume path does exist, so use patch (read-merge-write of the one key)
    //
    sh "vault kv patch ${_path} ${toks.last()}=${value}"
  }

what would be awesome would be building something like the above into the provider which could be activated with an "upsert" option flag 😎

@gcoupelant

I have the same issue; I had to create an external data source with a small bash script to check if a secret exists first.
It would be nice if the vault_generic_secret data source had some default value if the secret doesn't exist.


edupo commented Feb 9, 2024

Is there any news about this?


umutzd commented Jan 1, 2025

I needed to create kvv2 secrets in bulk through Terraform without creating new versions every time Terraform gets invoked, and it's interesting to have a resource like this: what is the point of Terraform state if it generates a new version of the secret every time we run terraform apply? When you use kvv2, every time you invoke Terraform, it applies a modification.

Seems like kvv2 can't be automated through Terraform directly (for people who use Atlantis to apply Terraform).
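The three concerns raised in this thread (MAN98's read-merge-write workaround, tony-kerz's put-or-patch "upsert" that must also handle a missing secret, and umutzd's point that every apply creates a new version) can be handled together at the KV v2 HTTP API level. The script below is an added example for this thread, not code from the provider or from any commenter: it reads the secret, merges the requested keys into whatever is already there, pins the write to the version it read with Vault's check-and-set (`options.cas`) so that a human or another job writing in between turns the race into an HTTP 400 instead of a silent clobber, creates the secret with `cas=0` when the read returns 404, and skips the write entirely when the merge changes nothing, so reruns produce no new version. The function names are mine, the sample read response is constructed, and the live call assumes `VAULT_ADDR` and `VAULT_TOKEN` in the environment.

```python
"""KV v2 upsert with check-and-set (CAS) against Vault's HTTP API.

Added example for this issue thread; not the provider's code. Function names
are mine and SAMPLE_READ is constructed. Request/response shapes are the
documented KV v2 API:
  GET  /v1/<mount>/data/<name>  -> {"data": {"data": {...}, "metadata": {"version": N, ...}}}
  POST /v1/<mount>/data/<name>  <- {"options": {"cas": N}, "data": {...}}
"""
import json
import os
import urllib.error
import urllib.request


def parse_kv2_read(body):
    """Return (existing_data, version). A 404 read is passed in as None -> ({}, 0)."""
    if body is None:
        return {}, 0
    return dict(body["data"]["data"]), int(body["data"]["metadata"]["version"])


def merge_patch(existing, updates):
    """Merge-patch semantics: a None value deletes the key, anything else overwrites.
    Keys absent from `updates` are preserved, which is the 'patch' behaviour
    the issue asks for."""
    merged = dict(existing)
    for key, value in updates.items():
        if value is None:
            merged.pop(key, None)
        else:
            merged[key] = value
    return merged


def plan_upsert(read_body, updates):
    """Compute the write body for one upsert, or None when nothing would change.

    - secret missing (read_body is None): create with cas=0, which Vault only
      accepts if the secret still does not exist at write time
    - secret present: merge, and pin cas to the version just read, so a write by
      a human or another job between our read and write fails with HTTP 400
      instead of being silently overwritten
    - merged == existing: skip the write, so a rerun creates no new version
    """
    existing, version = parse_kv2_read(read_body)
    merged = merge_patch(existing, updates)
    if read_body is not None and merged == existing:
        return None
    return {"options": {"cas": version}, "data": merged}


def kv2_upsert(addr, token, mount, name, updates):
    """Read-merge-write against a live Vault. Returns the new version, or None
    if no write was needed. A urllib.error.HTTPError with code 400 on the POST
    is a CAS conflict: someone else wrote first, so re-read and retry."""
    url = f"{addr.rstrip('/')}/v1/{mount}/data/{name}"
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            read_body = json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code != 404:
            raise
        read_body = None  # not found: plan_upsert will create with cas=0
    body = plan_upsert(read_body, updates)
    if body is None:
        return None
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return int(json.load(resp)["data"]["version"])


# Constructed sample of a KV v2 read response: version 3 of secret/mysecret.
SAMPLE_READ = {
    "data": {
        "data": {"db_user": "app", "db_pass": "hunter2"},
        "metadata": {"version": 3, "destroyed": False, "deletion_time": ""},
    }
}

if __name__ == "__main__":
    # Offline demonstration of the three cases: create, merge, no-op.
    print(plan_upsert(None, {"api_key": "k1"}))
    print(plan_upsert(SAMPLE_READ, {"api_key": "k1"}))
    print(plan_upsert(SAMPLE_READ, {"db_user": "app"}))
    # Against a real server (assumes VAULT_ADDR and VAULT_TOKEN are set).
    if os.environ.get("VAULT_ADDR") and os.environ.get("VAULT_TOKEN"):
        print(kv2_upsert(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"],
                         "secret", "mysecret", {"api_key": "k1"}))
```

The read-then-write pair is still two requests, so it is not atomic; what CAS buys is that the lost-update case from the original issue (two writers on one path) becomes a detectable failure the job can retry rather than a silent overwrite. Inside Terraform the same effect needs the provider to read the current version and pass `cas`, which is what the requested "patch"/"upsert" option would have to do.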
