Hi, in the docs of the latest version (3.15.2 as of today), we can read the following statement about the client_auth argument:
> At present there is little reason to set this, because Terraform does not support the TLS certificate authentication mechanism. *Deprecated, use auth_login_cert instead.
The thing is, I don't see auth_login_cert being an alternative to client_auth so I'm trying to figure this out. auth_login_cert is for presenting a certificate for the cert authentication engine. client_auth is for presenting a certificate for the tcp listener as far as I understand.
Actually, client_auth is certainly needed if the tls_require_and_verify_client_cert parameter of the tcp listener is enabled, and it's not deprecated as far as I know.
So why deprecate the client_auth argument?
Thanks for the help.
@sebastienbonami Thanks for reporting! I don't have the context as to why the deprecation was announced. We are going to reevaluate this deprecation. Related to #2130
Hi, I just stumbled upon this issue. I'm using a proxy to provide zero trust access to Vault - there I need to present the TLS certificates to the proxy, i.e., I rely on client_auth. auth_login_cert doesn't look like an alternative and the removal of client_auth would break my setup!
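The two mechanisms this thread distinguishes, side by side, as an added example that is not part of the issue or the provider documentation. All paths, the hostname, the provider aliases and the role name `terraform` are constructed placeholders, and the two provider blocks are shown separately rather than as a combined setup.

```hcl
# --- Vault server configuration (constructed example) ---
# The tcp listener rejects any TLS handshake that lacks a client certificate
# signed by the CA below. This check happens before any Vault authentication.
listener "tcp" {
  address                            = "0.0.0.0:8200"
  tls_cert_file                      = "/etc/vault/tls/server.crt"
  tls_key_file                       = "/etc/vault/tls/server.key"
  tls_require_and_verify_client_cert = true
  tls_client_ca_file                 = "/etc/vault/tls/client-ca.pem"
}

# --- Terraform configuration (constructed example) ---
# Transport layer: client_auth supplies the certificate for the TLS handshake
# with the listener above, or with an mTLS proxy placed in front of Vault.
# It does not log in to Vault; the token comes from elsewhere (here VAULT_TOKEN).
provider "vault" {
  alias   = "mtls_transport" # hypothetical alias
  address = "https://vault.example.internal:8200"

  client_auth {
    cert_file = "/etc/terraform/tls/client.crt"
    key_file  = "/etc/terraform/tls/client.key"
  }
}

# Vault auth layer: auth_login_cert logs in to the cert auth method and
# receives a Vault token carrying the policies of the matched certificate role.
provider "vault" {
  alias   = "cert_login" # hypothetical alias
  address = "https://vault.example.internal:8200"

  auth_login_cert {
    mount     = "cert"      # mount path of the cert auth method
    name      = "terraform" # hypothetical certificate role
    cert_file = "/etc/terraform/tls/client.crt"
    key_file  = "/etc/terraform/tls/client.key"
  }
}
```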