Allow for vault_aws_access_credentials in automation workflows.

[jdeprin]

Current Terraform Version

Terraform v0.12.24
+ provider.aws v2.58.0
+ provider.null v2.1.2
+ provider.vault v2.10.0
...

Use-cases

Using the data resource vault_aws_access_credentials should be supported when using Terraform in automation. Currently the data resource is not refreshed between a plan and apply. After a plan the dynamic user is removed however it still referenced in the plan file causing an apply to fail.

Attempted Solutions

1. terraform apply -refresh=true - Not applicable as the plan file is given directly.
2. terraform refresh -target=data.vault_aws_access_credentials.my_vault_creds - causes an apply failure Error: Saved plan is stale

Proposal

Add a lifecycle hook to refresh this data and create a new dynamic user.

References

https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/dynamic-aws-creds

[rrijkse]

Same thing is true for things like the eks cluster auth resource.

data "aws_eks_cluster_auth" "cluster_auth" { name = cluster }

Something that would support any of these types of data sources would be great!

[pierresebastien]

Does the new ephemeral features could be used for such use case ? If yes, I suppose that the feature should be implemented in the Vault provider

[crw]

@pierresebastien it would be worth checking on this or reporting this issue in the vault provider repository. See for example hashicorp/terraform-provider-vault#2373