
Removing azure_groups from vault_azure_secret_backend_role does not update the role in Vault #1619

Open
alexmunda opened this issue Sep 28, 2022 · 2 comments

Comments

@alexmunda

Terraform Version

v0.13.7

Affected Resource(s)

Please list the resources as a list, for example:

  • vault_azure_secret_backend_role

Terraform Configuration Files

resource "vault_azure_secret_backend" "azure" {
  path = "/azure/path"

  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id

  client_id     = var.client_id
  client_secret = var.client_secret
}

resource "vault_azure_secret_backend_role" "az_role" {
  backend = vault_azure_secret_backend.azure.path
  role    = "my-azure-role"

  azure_roles {
    role_name = "Contributor"
    scope     = "/providers/Microsoft.Management/managementGroups/foo"
  }

- azure_groups {
     - group_name = "foo-group" -> null
     - object_id  = "11111111-1111-1111-1111-111111111111" -> null
  }
}

Expected Behavior

The azure_groups property should have been removed from the role in Vault.

Actual Behavior

The plan showed the azure_groups would be removed, but after apply, the azure_groups property was still present on the Vault role with the original value.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply (with the azure_groups on the role)
  2. Remove the azure_groups
  3. terraform apply
  4. View the role in Vault, it will still contain the azure_groups
@jmyers82

jmyers82 commented Feb 1, 2023

So, this caused a huge headache for a while for me. I added an azure_groups to my backend role and then opted not to use it, so I removed it from the terraform and it applied successfully as mentioned above. Then I removed the group from Azure AD groups and thought all was well. My next run I got the following error:

│ Error: error reading from Vault: context deadline exceeded
│ 
│   with data.vault_azure_access_credentials.get_creds,
│   on versions.tf line 62, in data "vault_azure_access_credentials" "get_creds":
│   62: data "vault_azure_access_credentials" "get_creds" {
│ 

This error didn't tell me a whole lot and I spent a good amount of time trying to figure it out. Finally I came back to the removal of the group. As mentioned above, removing the group from the TF code does NOT remove it from the Vault backend role, and so it was still looking for the group, and since I had deleted the group in Azure AD it was timing out but not indicating that as the reason. I had to do the following to fix all of this... simply adding the group back in AD was not the fix as one might think.

  1. Create the group in Azure AD again with the same name as previously used.
  2. Remove the vault_azure_secret_backend_role's that are failing, ALL of them for me! terraform state rm ....
  3. Add the azure_groups code BACK to the backend role; you are stuck with it at this point until TF fixes this issue.
  4. Re-plan and apply to add back the roles WITH the group still in the code.
  5. Move on with life knowing you have a group in AD that won't be used.

@eklesel

eklesel commented Jan 3, 2025

Currently seeing this as well.
Terraform Version: 1.9.2
Vault Provider: 4.5.0

We've seen it happen with azure_roles, I removed the azure_roles block which is reflected correctly in the Plan. After apply, the roles are still present and another plan shows the same changes.

Checking the logs from our Vault instance (1.17.2), I see the following log (w/ response) when updating. Clearly in the request.data parameter, azure_roles is not present, as they've been removed from the vault_azure_secret_backend_role resource.

{
    "auth": {
    // ...
    },
    "request": {
        "client_id": "4147a2fb-37ce-1669-7af8-e4594b262f24",
        "client_token": "hmac-sha256:3c5d7a7afd2327599bf312a09a496d3068950998aee579f7f4d4b3bab7609e00",
        "client_token_accessor": "hmac-sha256:d81b0e24d0766383e7aa58187b30aa76ffa64b289ae5865718bc514053ab88ad",
        "data": {
            "azure_groups": "hmac-sha256:0ac45c396106839399d8113bfa674eac93f44728a491e2106066d0545494ae0f",
            "max_ttl": "hmac-sha256:d72661fb34f770ee9ce65e1f744744f5422a33a19f21210b8459c99c7ffe36ae",
            "permanently_delete": false,
            "ttl": "hmac-sha256:d72661fb34f770ee9ce65e1f744744f5422a33a19f21210b8459c99c7ffe36ae"
        },
        "id": "0beafa33-b7ea-032f-d6fb-10c0958917fd",
        "mount_accessor": "azure_89df08d1",
        "mount_class": "secret",
        "mount_point": "azure/",
        "mount_running_version": "v0.19.2+builtin",
        "mount_type": "azure",
        "namespace": {
            "id": "root"
        },
        "operation": "update",
        "path": "azure/roles/acr-push",
        "remote_address": "10.7.240.200",
        "remote_port": 52960
    },
    "response": {
        "mount_accessor": "azure_89df08d1",
        "mount_class": "secret",
        "mount_point": "azure/",
        "mount_running_plugin_version": "v0.19.2+builtin",
        "mount_type": "azure"
    },
    "time": "2025-01-03T11:18:21.018642167Z",
    "type": "response"
}

But then the subsequent read post-apply returns azure_roles within the role config when it was supposed to have been deleted:

{
    "auth": {
    // ...
    },
    "request": {
        "client_id": "4147a2fb-37ce-1669-7af8-e4594b262f24",
        "client_token": "hmac-sha256:3c5d7a7afd2327599bf312a09a496d3068950998aee579f7f4d4b3bab7609e00",
        "client_token_accessor": "hmac-sha256:d81b0e24d0766383e7aa58187b30aa76ffa64b289ae5865718bc514053ab88ad",
        "id": "47c77e54-316c-49cd-543b-79feb38b4477",
        "mount_accessor": "azure_89df08d1",
        "mount_class": "secret",
        "mount_point": "azure/",
        "mount_running_version": "v0.19.2+builtin",
        "mount_type": "azure",
        "namespace": {
            "id": "root"
        },
        "operation": "read",
        "path": "azure/roles/acr-push",
        "remote_address": "10.7.240.200",
        "remote_port": 52960
    },
    "response": {
        "data": {
            "application_object_id": "hmac-sha256:ec87445f0ac1023e17a2053e3e16f9ed8c194db64f70a9a0eff4bb6d67b35051",
            "azure_groups": [
                {
                    "group_name": "hmac-sha256:c5119aefdcb8bf4f60f91914323c6832f7bc7750a8c962453c3ade63144e9d25",
                    "object_id": "hmac-sha256:699ec199db9cf768f563a5b6128632a59ea504b413224d41235d51d973fcc6a1"
                }
            ],
            "azure_roles": [
                {
                    "role_name": "hmac-sha256:d614ae42c5fc63aff7545b601e7edf97b60567c91898a68f2f576ed1921b2d4e",
                    "role_id": "hmac-sha256:e0983a73ed344c56e8357d3c45de8a6b3ff21ad9561a87b89d98967f3060b14e",
                    "scope": "hmac-sha256:eb4c58823efd94d68d7f2a7e812ecd040f8eb9ef047d5a2a3412ce71c618fbb6"
                },
                {
                    "role_name": "hmac-sha256:8942ccf2ab527497833a4726559ce9fe5c7e448bad9326ff5bf2ae96c56ae6bf",
                    "role_id": "hmac-sha256:3fabd6df43223c3a364884a97e60ace047515b3f89b53981e9df46926edaefc2",
                    "scope": "hmac-sha256:eb4c58823efd94d68d7f2a7e812ecd040f8eb9ef047d5a2a3412ce71c618fbb6"
                },
                {
                    "role_name": "hmac-sha256:d614ae42c5fc63aff7545b601e7edf97b60567c91898a68f2f576ed1921b2d4e",
                    "role_id": "hmac-sha256:e0983a73ed344c56e8357d3c45de8a6b3ff21ad9561a87b89d98967f3060b14e",
                    "scope": "hmac-sha256:efb05ba8122ac46c5ee708a4a7e1bb7db328cf350558af928a30a8c8d1d65399"
                },
                {
                    "role_name": "hmac-sha256:8942ccf2ab527497833a4726559ce9fe5c7e448bad9326ff5bf2ae96c56ae6bf",
                    "role_id": "hmac-sha256:3fabd6df43223c3a364884a97e60ace047515b3f89b53981e9df46926edaefc2",
                    "scope": "hmac-sha256:efb05ba8122ac46c5ee708a4a7e1bb7db328cf350558af928a30a8c8d1d65399"
                }
            ],
            "max_ttl": 3600,
            "permanently_delete": false,
            "persist_app": false,
            "sign_in_audience": "hmac-sha256:ec87445f0ac1023e17a2053e3e16f9ed8c194db64f70a9a0eff4bb6d67b35051",
            "tags": null,
            "ttl": 3600
        },
        "mount_accessor": "azure_89df08d1",
        "mount_class": "secret",
        "mount_point": "azure/",
        "mount_running_plugin_version": "v0.19.2+builtin",
        "mount_type": "azure"
    },
    "time": "2025-01-03T11:18:21.025289181Z",
    "type": "response"
}

Therefore, is this potentially a bug in Vault itself rather than the provider? Unless the provider isn't calling the Vault API properly and the provider is supposed to specify which config parameters to delete. Not familiar with the internals at all, so can't say for sure.
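The pattern in the two audit entries above (an update whose request.data omits azure_roles/azure_groups, followed by a read that still returns them) can be checked mechanically rather than by eye. The script below is an added example written for this thread; it is not code from the issue, from terraform-provider-vault, or from Vault. It does two things: it pairs each role update in a Vault JSON audit log with the next read of the same path and flags list fields that were absent from the update yet still populated on read-back, and it compares a role as intended in Terraform with the role as Vault actually returns it. The audit lines embedded in it are constructed for the example (HMAC values shortened), and the field names `azure_roles`/`azure_groups` are the ones visible in the issue. Since Vault HMACs values in the audit log, the audit-side check can only test presence and entry count; `role_drift` expects plain values as returned by `vault read -format=json azure/roles/<name>`.

```python
"""Detect Azure role list fields that survive a Terraform "removal".

Added example for this issue thread; not provider or Vault code. Audit entries
below are constructed to mirror the shape of the entries posted in the issue.
"""
import json
from typing import Iterable

LIST_FIELDS = ("azure_roles", "azure_groups")
# Fields that identify an entry; role_id is assigned by Vault and is ignored.
KEYS = {"azure_roles": ("role_name", "scope"),
        "azure_groups": ("group_name", "object_id")}

# Constructed audit log: an update that omits both list fields, then the
# read-back still showing them set; then a second role whose update did carry
# azure_roles explicitly (no finding expected for it).
AUDIT_LINES = [
    json.dumps({"type": "response", "time": "2025-01-03T11:18:21.018Z",
                "request": {"operation": "update", "path": "azure/roles/acr-push",
                            "data": {"max_ttl": "hmac-sha256:aa", "ttl": "hmac-sha256:aa",
                                     "permanently_delete": False}},
                "response": {}}),
    json.dumps({"type": "response", "time": "2025-01-03T11:18:21.025Z",
                "request": {"operation": "read", "path": "azure/roles/acr-push"},
                "response": {"data": {
                    "azure_groups": [{"group_name": "hmac-sha256:bb", "object_id": "hmac-sha256:cc"}],
                    "azure_roles": [{"role_name": "hmac-sha256:dd", "scope": "hmac-sha256:ee"},
                                    {"role_name": "hmac-sha256:ff", "scope": "hmac-sha256:ee"}],
                    "ttl": 3600, "max_ttl": 3600}}}),
    json.dumps({"type": "response", "time": "2025-01-03T11:20:00.000Z",
                "request": {"operation": "update", "path": "azure/roles/reader",
                            "data": {"azure_roles": "hmac-sha256:11", "ttl": "hmac-sha256:aa"}},
                "response": {}}),
    json.dumps({"type": "response", "time": "2025-01-03T11:20:00.010Z",
                "request": {"operation": "read", "path": "azure/roles/reader"},
                "response": {"data": {"azure_roles": [{"role_name": "hmac-sha256:22"}],
                                      "azure_groups": None}}}),
]


def parse_audit(lines: Iterable[str]) -> list[dict]:
    """Parse JSON audit lines; only 'response' entries carry request data and response data."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("type") == "response":
            entries.append(entry)
    return entries


def find_sticky_list_fields(entries: list[dict]) -> list[dict]:
    """Pair each role update with the next read of the same path.

    A finding means the update request's data did not carry the field at all,
    yet the read-back shows it populated: omitting the field was a no-op, not a clear.
    """
    pending: dict[str, set] = {}  # path -> list fields absent from its last update
    findings = []
    for e in entries:
        req = e.get("request", {})
        path = req.get("path", "")
        if "/roles/" not in path:
            continue
        if req.get("operation") == "update":
            data = req.get("data") or {}
            pending[path] = {f for f in LIST_FIELDS if f not in data}
        elif req.get("operation") == "read" and path in pending:
            data = (e.get("response") or {}).get("data") or {}
            for field in sorted(pending.pop(path)):
                if data.get(field):
                    findings.append({"path": path, "field": field,
                                     "entries_in_vault": len(data[field])})
    return findings


def _key(field: str, entry: dict) -> tuple:
    return tuple(entry.get(k) for k in KEYS[field])


def role_drift(desired: dict, actual: dict) -> dict:
    """Entries present in Vault's role (plain values from the read API) but absent from config."""
    drift = {}
    for field in LIST_FIELDS:
        want = {_key(field, x) for x in desired.get(field) or []}
        have = {_key(field, x) for x in actual.get(field) or []}
        extra = sorted(have - want, key=str)
        if extra:
            drift[field] = [dict(zip(KEYS[field], k)) for k in extra]
    return drift


if __name__ == "__main__":
    for f in find_sticky_list_fields(parse_audit(AUDIT_LINES)):
        print(f"{f['path']}: {f['field']} omitted from update, "
              f"{f['entries_in_vault']} entr(ies) still set in Vault")
```

Run it against a real audit device's JSON file (one entry per line) to list every role where a list field was dropped from the request without being cleared; then feed `vault read -format=json` output and the intended blocks from the Terraform config into `role_drift` to see exactly which groups or role assignments are still live, which is the information the "context deadline exceeded" error in the earlier comment never surfaces.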
