bug: metadata functionality has broken kv_secret_v2 resource #1719

Closed
lrstanley opened this issue Jan 9, 2023 · 0 comments · Fixed by #1722

Comments

lrstanley commented Jan 9, 2023

Noticing an issue with the kv_secret_v2 resource where API calls to Vault are being mangled due to the recently added metadata functionality.

Versions

  • Terraform: 1.3.1
  • Provider: v3.12.0

Affected Resource(s)

  • kv_secret_v2

Terraform Configuration Files

# Note the mount name itself contains the substring "data".
resource "vault_kv_secret_v2" "workspace_id" {
  for_each = local.workspace_ids
  provider = vault.infra-prod
  mount    = "cloud-metadata"
  name     = "aws/account/${each.key}/bootstrap-workspace-id"

  data_json = jsonencode({
    value       = each.value
    description = "TRUNCATED"
  })
}

Debug Output

I don't have the debug output handy, but this should be sufficient, along with the explanation below:

Error: Error making API request. URL: GET https://vault.truncated.com/v1/cloud-metametadata/data/aws/account/TRUNCATED/bootstrap-workspace-id Code: 403. Errors: * 1 error occurred: * permission denied
with vault_kv_secret_v2.workspace_id["TRUNCATED"]
on vault.tf line 1, in resource "vault_kv_secret_v2" "workspace_id":
resource "vault_kv_secret_v2" "workspace_id" {

Expected Behavior

Resource to write/update the values correctly. This used to work, and the only change is the provider version.

Actual Behavior

It looks as though the API url that is getting generated has been mangled and is not correctly using the values that we have input.

Steps to Reproduce

Use a secret engine or secret path that includes the word data.

Important Factoids

It looks as though this bug was introduced in PR #1687 (see this line), where the provider attempts to generate the metadata URL by simply doing a string replacement of the data-path that was generated for reads. The problem with this is that the path can contain "data" (or "/data", "data/", whichever it's matching), and this is what looks to mangle the generated URL.

The above logic should be changed to explicitly generate the metadata URL rather than relying on the previously generated one (for data).
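The failure mode described above, reconstructed as an added example in Go (the provider's language). This is not the provider's code and the function names are invented for illustration: `buggyMetadataPath` derives the metadata path by substituting "data" in an already-built data path, which is the pattern the issue describes, while `fixedMetadataPath` builds the metadata path explicitly from the mount and secret name. `mismatches` runs both over a constructed table of mounts and names and reports where they diverge, including the `cloud-metadata` mount from the report, whose mangled result matches the `cloud-metametadata/data/...` URL in the error above.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// dataPath builds the KV v2 data path: <mount>/data/<name>.
func dataPath(mount, name string) string {
	return path.Join(mount, "data", name)
}

// buggyMetadataPath mimics the bug class from the issue (hypothetical, not the
// provider's code): it rewrites the first "data" in the data path to "metadata",
// so any "data" occurring in the mount or secret name before the real path
// segment gets mangled instead.
func buggyMetadataPath(mount, name string) string {
	return strings.Replace(dataPath(mount, name), "data", "metadata", 1)
}

// fixedMetadataPath builds the metadata path explicitly from its components:
// <mount>/metadata/<name>. No substring matching is involved.
func fixedMetadataPath(mount, name string) string {
	return path.Join(mount, "metadata", name)
}

// testCase is one constructed mount/name pair (sample input, not real data).
type testCase struct {
	Mount, Name string
}

// mismatches returns, for each constructed case, the pair of paths where the
// string-replacement approach disagrees with explicit construction.
func mismatches(cases []testCase) map[string][2]string {
	out := map[string][2]string{}
	for _, c := range cases {
		b, f := buggyMetadataPath(c.Mount, c.Name), fixedMetadataPath(c.Mount, c.Name)
		if b != f {
			out[c.Mount+"|"+c.Name] = [2]string{b, f}
		}
	}
	return out
}

// sampleCases are constructed inputs; the first mirrors the issue's config
// with the truncated account id replaced by a placeholder.
var sampleCases = []testCase{
	{"cloud-metadata", "aws/account/ACCOUNT/bootstrap-workspace-id"},
	{"secret", "app/creds"},
	{"data", "app/creds"},
	{"secret", "data/app/creds"},
}

func main() {
	for k, v := range mismatches(sampleCases) {
		fmt.Printf("%s\n  buggy: %s\n  fixed: %s\n", k, v[0], v[1])
	}
}
```

The mount `secret` with name `app/creds` is the only sample where the substitution happens to be correct, which is why the regression is easy to miss until a path contains "data" somewhere other than the KV v2 segment.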
