When I add a new service to the services variable in variables.tf, terraform will delete all vault approles & recreate them. However, this means that all previous approle role-ids will stop working.
Actual Behavior
I would suspect that terraform would only add the new approles for the new service and leave the existing ones alone.
Steps to Reproduce
Start a local dev vault instance: vault server -dev
Enable the AppRole backend, vault auth-enable approle
Update vault.tf with the token that you get from the local dev vault instance.
terraform plan + terraform apply
Add a new service in variables.tf.
terraform plan will show that it wants to delete all previous existing approles & recreate them.
Sorry this is tripping you up. If you look at the output, you'll notice that it's not recreating all resources, only those with an index of [4] and up.
The change you're making is to a map, which is an unordered data structure, and then creating lists of the keys in parts of the configuration using keys(var.services). Since new-service would be at index 4 in the sorted list of keys, it means that values interpolated from var.services in each resource with an index > 4 must also change.
If you were only using the length of var.services in count values, then you could add keys incrementally by ensuring that they are lexically sorted, though removal of items hits the same limitation.
We might be able to allow more precise modification of indexed resources in the future, but shifting the indexes of lists of resources in this manner isn't likely to work.
We have a similar issue at #17179, where there is some discussion about other iteration methods, and plans are already in the works for config language enhancements that will allow for these new constructs.
I'm going to close this one out, since everything is working as expected, and we can track enhancements through the existing issues.
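The index shift described in the reply above, modeled as an added example that is not part of the original thread and is not Terraform's own planner. The service names are constructed, and the model assumes that a changed role name at a given index forces a delete and recreate, which is what invalidates the existing role-ids.

```python
# Added illustration: models count-indexed addressing over sorted map keys.
# It is not Terraform code; service names below are constructed samples.

def plan_count_indexed(old_services, new_services):
    """Return {index: (action, old_key, new_key)} for resources addressed by
    their position in the sorted key list, as with keys(var.services)[count.index]."""
    old_keys = sorted(old_services)
    new_keys = sorted(new_services)
    plan = {}
    for i in range(max(len(old_keys), len(new_keys))):
        old = old_keys[i] if i < len(old_keys) else None
        new = new_keys[i] if i < len(new_keys) else None
        if old == new:
            action = "no-op"
        elif old is None:
            action = "create"
        elif new is None:
            action = "destroy"
        else:
            # Assumption: a different role name at the same index means the
            # AppRole is deleted and recreated, so its role-id changes.
            action = "replace"
        plan[i] = (action, old, new)
    return plan


def broken_services(plan):
    """Services whose existing AppRole is destroyed or replaced (role-id lost)."""
    return sorted(old for action, old, _ in plan.values()
                  if action in ("replace", "destroy"))


# Constructed sample input: six existing services, then one added in the middle.
OLD = {"api": {}, "billing": {}, "cache": {}, "ledger": {},
       "payments": {}, "search": {}}
NEW = dict(OLD, **{"new-service": {}})

if __name__ == "__main__":
    for index, (action, old, new) in plan_count_indexed(OLD, NEW).items():
        print(f"[{index}] {action:8} {old} -> {new}")
    print("role-ids invalidated for:", broken_services(plan_count_indexed(OLD, NEW)))
```

Running the same function with a key that sorts last, or with a key removed, shows the two cases from the reply: a lexically last addition touches nothing existing, while a removal shifts every later index.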
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
ghost
locked and limited conversation to collaborators
Apr 3, 2020
Terraform Version
Terraform Configuration Files
Configuration files can be found at: https://github.com/lvets/vault-test
Debug Output
https://gist.github.com/lvets/02bc683f76d44b05ae034ba6dc6551ed