Breaking change in v2.12.1 #833

Closed
stuartpurgavie opened this issue Jul 30, 2020 · 5 comments · Fixed by #837

stuartpurgavie commented Jul 30, 2020

Terraform Version

0.12.29

Affected Resource(s)

  • data.vault_aws_access_credentials

Terraform Configuration Files

provider "aws" {}

provider "vault" {
  address = "https://vault.domain.com"
  token   = "${var.route53_vault_token}"
}

data "vault_aws_access_credentials" "route53_creds" {
  backend = "team-repo-prod-aws"
  role    = "route53_aws_domain_com_deploy"
}

provider "aws" {
  alias      = "route53"
  access_key = "${data.vault_aws_access_credentials.route53_creds.access_key}"
  secret_key = "${data.vault_aws_access_credentials.route53_creds.secret_key}"
}

Debug Output

Error: Error refreshing state: 1 error(s) occurred:

* data.vault_aws_access_credentials.route53_creds: 1 error(s) occurred:

* data.vault_aws_access_credentials.route53_creds: data.vault_aws_access_credentials.route53_creds: error reading from Vault: Error making API request.

URL: GET https://vault.lllint.com/v1/team-repo-prod-aws/config/root
Code: 403. Errors:

* 1 error occurred:
	* permission denied

Expected Behavior

Vault policy for this role should not require access to the root configuration endpoint.

Actual Behavior

Terraform requires a new Vault permission unexpectedly.

Steps to Reproduce

  1. terraform apply

Attached policy used to be:

// Allow token to create creds against the aws Account
path "team-repo-prod-aws/creds/route53_aws_domain_com_deploy" {
  capabilities = ["read"]
}

Now needs to be updated to:

// Allow token to create creds against the aws Account
path "team-repo-prod-aws/creds/route53_aws_domain_com_deploy" {
  capabilities = ["read"]
}

// Breaking change in Terraform Vault provider v2.12.1 now requires this permission
path "team-repo-prod-aws/config/root" {
  capabilities = ["read"]
}

Important Factoids

  • This moves the provider away from the principle of least privilege. Either a new data resource should be required, or the existing resource should only check the endpoint if the region data is specifically referenced.
  • If additional permissions or paths are required, from a maintenance perspective you may want to consider bumping the MINOR number in semver instead of the PATCH number, as it is likely to create a breaking change, not in the provider, but in the end user's deployment environment.

References

N/A
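To make the least-privilege point in the report concrete, here is an added example (not code from the terraform-provider-vault project or from the reporter) that checks a Vault ACL policy against the paths a data source reads. It parses the two policy stanzas quoted above, applies a simplified version of Vault's path-matching and capability rules, and reports which reads would be refused. The list of reads per provider version is an assumption reconstructed from the issue text (v2.12.0 reads only the creds path; v2.12.1 additionally GETs `<backend>/config/root`), and the matching rules cover exact paths, a trailing `*` glob and `+` single-segment wildcards only, with the most specific matching stanza deciding and `deny` on it winning; parameter constraints, templating and sudo/root handling are not modelled.

```python
"""Check a Vault ACL policy against the paths a Terraform data source reads.

Added example, not part of terraform-provider-vault. Implements a simplified
subset of Vault's ACL semantics: exact paths, a trailing '*' glob and '+'
single-segment wildcards; the most specific matching stanza wins (exact beats
glob, longer beats shorter) and a 'deny' capability on it blocks the request.
"""
import re

# Policy text as posted in the issue ("used to be").
OLD_POLICY_HCL = '''
// Allow token to create creds against the aws Account
path "team-repo-prod-aws/creds/route53_aws_domain_com_deploy" {
  capabilities = ["read"]
}
'''

# Policy text the reporter had to switch to for provider v2.12.1.
NEW_POLICY_HCL = OLD_POLICY_HCL + '''
// Breaking change in Terraform Vault provider v2.12.1 now requires this permission
path "team-repo-prod-aws/config/root" {
  capabilities = ["read"]
}
'''

# Reads performed by data.vault_aws_access_credentials per provider version.
# Constructed from the issue's description and error output, NOT from provider source.
PROVIDER_READS = {
    "2.12.0": [("team-repo-prod-aws/creds/route53_aws_domain_com_deploy", "read")],
    "2.12.1": [("team-repo-prod-aws/creds/route53_aws_domain_com_deploy", "read"),
               ("team-repo-prod-aws/config/root", "read")],
}

_STANZA = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> dict:
    """Extract {path_pattern: [capabilities]} from simple HCL policy stanzas."""
    policy = {}
    for m in _STANZA.finditer(hcl):
        caps = [c.strip().strip('"') for c in m.group(2).split(",") if c.strip()]
        policy[m.group(1)] = caps
    return policy


def path_matches(pattern: str, path: str) -> bool:
    """Vault path matching: '+' matches exactly one segment, trailing '*' is a prefix glob."""
    glob = pattern.endswith("*")
    pseg = (pattern[:-1] if glob else pattern).split("/")
    rseg = path.split("/")
    if glob:
        if len(rseg) < len(pseg):
            return False
        head_ok = all(p in ("+", r) for p, r in zip(pseg[:-1], rseg[:len(pseg) - 1]))
        # The rest of the request path must start with the partial last pattern segment.
        return head_ok and "/".join(rseg[len(pseg) - 1:]).startswith(pseg[-1])
    return len(pseg) == len(rseg) and all(p in ("+", r) for p, r in zip(pseg, rseg))


def allowed(policy: dict, path: str, capability: str) -> bool:
    """True if the most specific matching stanza grants `capability` and does not deny."""
    matches = [pat for pat in policy if path_matches(pat, path)]
    if not matches:
        return False  # Vault is default-deny: no stanza, no access
    # Exact stanzas outrank globs; among equals the longer (more specific) pattern wins.
    best = max(matches, key=lambda pat: (not pat.endswith("*"), len(pat)))
    caps = policy[best]
    return "deny" not in caps and capability in caps


def missing_grants(policy: dict, reads: list) -> list:
    """Return the (path, capability) pairs the policy does not grant (would 403)."""
    return [(p, c) for p, c in reads if not allowed(policy, p, c)]


if __name__ == "__main__":
    for name, hcl in (("old policy", OLD_POLICY_HCL), ("updated policy", NEW_POLICY_HCL)):
        policy = parse_policy(hcl)
        for version, reads in PROVIDER_READS.items():
            gaps = missing_grants(policy, reads)
            status = "ok" if not gaps else "403 on " + ", ".join(p for p, _ in gaps)
            print(f"{name:15s} provider v{version}: {status}")
```

Run it before a provider upgrade with the real policy and the paths the new version touches, and the output tells you which stanzas are missing without granting anything in Vault first. The reverse check is the useful one for least privilege: a glob such as `team-repo-prod-aws/*` would also have made v2.12.1 work, but `missing_grants` against a list of paths the token must not reach (for example `team-repo-prod-aws/config/root`) shows what such a glob gives away.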

@kalafut kalafut added the bug label Jul 31, 2020

vauchok commented Jul 31, 2020

The same for me, but with 405:

Error: Error refreshing state: 3 errors occurred:
	* data.vault_aws_access_credentials.creds: 1 error occurred:
	* data.vault_aws_access_credentials.creds: data.vault_aws_access_credentials.creds: error reading from Vault: Error making API request.

URL: GET https://xxx/v1/aws/sso/config/root
Code: 405. Errors:

* 1 error occurred:
	* unsupported operation

Thanks @WDouglasWest
He reviewed the merge and found the issue

@davesade

Similar here as well:

Error: Error refreshing state: 1 error occurred:
	* data.vault_aws_access_credentials.aws: 1 error occurred:
	* data.vault_aws_access_credentials.aws: data.vault_aws_access_credentials.aws: error reading from Vault: Error making API request.

URL: GET https://xxxxxxx.:443/v1/aws/ssc/config/root
Code: 405. Errors:

* 1 error occurred:
	* unsupported operation

With version 2.12.0 it still works as expected.


catsby commented Jul 31, 2020

Thanks for the report! We're looking into this now and hope to update the provider today (Friday, July 31st 2020). That update may be simply reverting this change, but I don't know for sure at this time. Thank you again for reporting and your patience.


kalafut commented Jul 31, 2020

Fixed in #837

@kalafut kalafut closed this as completed Jul 31, 2020

catsby commented Jul 31, 2020

Additional follow-up: The breaking change that was introduced in v2.12.1 was reverted in #837 and released in v2.12.2. Apologies for the trouble!
