
[Enhancement]: Support allow_empty_principals on vault_ssh_secret_backend_role #2340

Closed
Sayrus opened this issue Oct 11, 2024 · 11 comments · Fixed by #2354

Comments

@Sayrus

Sayrus commented Oct 11, 2024

Description

hashicorp/vault#28466 introduces a breaking change (Vault 1.18, backported to 1.17) for the SSH backend by disallowing empty roles by default. Unfortunately, it is currently not possible to set allow_empty_principals from Terraform.

Signing without principals returns:

empty valid principals not allowed by role

Affected Resource(s) and/or Data Source(s)

  • vault_ssh_secret_backend_role

Potential Terraform Configuration

resource "vault_ssh_secret_backend_role" "example" { # "example" is a placeholder resource name; HCL requires both labels
  # ...
  allow_empty_principals = true # defaults to false
}

References

hashicorp/vault#28466

Would you like to implement a fix?

None

@cloudplumber2000

Came here after searching the issues for the same thing. Would be very nice to have in the next release.

@lauracraciun90

Hi @fairclothjm, I was wondering when the new version of the provider will be available please? I've noticed the allow_empty_principals field is not yet available and unfortunately, this has been causing us issues. Also, is there any workaround that we can put in place at all until the flag is released?
Many thanks! :)

@fairclothjm
Contributor

Hi @lauracraciun90 ! I am sorry you are having issues. We try to do a release in the middle of each month. We are planning to do one within the week.

Unfortunately, I don't have any workarounds at this time.

@lauracraciun90

Hi @fairclothjm, thanks very much indeed for your reply :) That's good to know - I will wait for the new release to become available in the next few days.
That's ok, no problem at all. Many thanks for your help!

@fairclothjm
Contributor

@lauracraciun90 https://github.com/hashicorp/terraform-provider-vault/releases/tag/v4.5.0 😄

@lauracraciun90

Hi @fairclothjm thanks very much for the update! :)

I've upgraded the vault provider to version 4.50 and tried to incorporate the flag in our setup, however, it still doesn't fix the problem for us.

Should the field be used within the vault_ssh_secret_backend_role resource? If so, it looks like the argument is not supported by terraform and I'm getting an "unsupported argument" error.

I've also tried to add the flag to the API call to Vault, however, this doesn't work either, and I'm still getting the empty service principals error.

Please could you give me some more info on this if possible? Many thanks!

@Sayrus
Author

Sayrus commented Nov 29, 2024

> Hi @fairclothjm thanks very much for the update! :)
>
> I've upgraded the vault provider to version 4.50 and tried to incorporate the flag in our setup, however, it still doesn't fix the problem for us.
>
> Should the field be used within the vault_ssh_secret_backend_role resource? If so, it looks like the argument is not supported by terraform and I'm getting an "unsupported argument" error.
>
> I've also tried to add the flag to the API call to Vault, however, this doesn't work either, and I'm still getting the empty service principals error.
>
> Please could you give me some more info on this if possible? Many thanks!

We've been using the following command as a workaround before the attribute was available:

vault write <backend>/roles/<role> allow_empty_principals=true <other options currently on the backend need to be added here>

I just tried 4.5.0 and the field is available, however it isn't documented (here):

resource "vault_ssh_secret_backend_role" "host" {
  // ...
  allow_empty_principals  = true
}

Note that without an additional rule, this will create a permanent drift as the field is not returned when fetching the object.
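The following is an added example, not configuration from the issue or from the provider's own documentation. It shows the attribute in a complete role definition together with a lifecycle rule; it is an assumption that an ignore_changes rule is the kind of "additional rule" referred to above, and the mount path, role name and remaining role attributes are constructed for illustration.

```hcl
# Added example. Assumes terraform-provider-vault >= 4.5.0 (where
# allow_empty_principals exists on vault_ssh_secret_backend_role) and a
# Vault server at 1.17+/1.18+ where the server-side default is false.
resource "vault_mount" "ssh" {
  path = "ssh" # constructed mount path
  type = "ssh"
}

resource "vault_ssh_secret_backend_role" "host" {
  name                    = "host-signer" # constructed role name
  backend                 = vault_mount.ssh.path
  key_type                = "ca"
  allow_host_certificates = true
  allow_empty_principals  = true # server default is false since Vault 1.17/1.18

  lifecycle {
    # The provider does not read this attribute back from Vault, so without
    # this rule every plan proposes setting it again (the permanent drift
    # described in the comment above). Assumption: ignore_changes is the
    # intended way to suppress that diff.
    ignore_changes = [allow_empty_principals]
  }
}
```

After apply, `vault read ssh/roles/host-signer` shows what the server actually stored, which is the check to run if a later plan still reports a change. Keep in mind why the default moved: OpenSSH treats a certificate with an empty principals list as valid for any principal, so a role that allows empty principals should be scoped as tightly as the other role options permit.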

@lauracraciun90

Hi @Sayrus, many thanks for your reply, I really appreciate it :)

I've re-tried to upgrade to version 4.5.0 of the vault provider and set allow_empty_principals = true as per your example, however, the terraform smoke test still fails with the unsupported argument error below.

Error: Unsupported argument
An argument named "allow_empty_principals" is not expected here.

I'm unsure what else to try at this point aside from disabling the tests?

@Sayrus
Author

Sayrus commented Dec 2, 2024

@lauracraciun90 Unfortunately that sounds like an issue with the tests or a lockfile not updated to reflect the upgrade to 4.5.0. As it sounds like a custom setup, I won't be able to provide a workaround to make that part work.

@lauracraciun90

Hi @Sayrus, I've just checked the lockfile for the environment where the tests ran and sure enough, I had not updated the vault provider version to 4.5.0. It was using version 3.20.0, hence the error.

The tests are passing now and the "empty valid principals not allowed by role" error has been rectified too.

Thanks ever so much for your help, I really appreciate it! :)

@fairclothjm
Contributor

Glad it got resolved! Thanks for calling out the missing docs! I have a PR up to update the docs.


4 participants