[Bug]: vault_kv_secret (v1) doesn't refresh data_json and doesn't detect drift #2143

Closed
joey-squid opened this issue Feb 15, 2024 · 2 comments
@joey-squid

Terraform Core Version

v1.6.2, v1.7.3

Terraform Vault Provider Version

v3.25.0

Vault Server Version

v1.15.5 (on HCP)

Affected Resource(s)

vault_kv_secret

Expected Behavior

Expected the change to be detected as drift and a plan to be in place to correct it back to joey1.

Actual Behavior

vault_kv_secret.test_secrets: Refreshing state... [id=joey/supersecret]

No changes. Your infrastructure matches the configuration.

I have also provided the full output of terraform state pull as a snippet, below. Note the discrepancy between data and data_json.

Relevant Error/Panic Output Snippet

{
  "version": 4,
  "terraform_version": "1.7.3",
  "serial": 4,
  "lineage": "83627fd8-5369-2b3a-747b-1500de8377de",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "vault_kv_secret",
      "name": "test_secrets",
      "provider": "provider[\"registry.terraform.io/hashicorp/vault\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "data": {
              "value": "joey2"
            },
            "data_json": "{\"value\":\"joey1\"}",
            "id": "joey/supersecret",
            "namespace": null,
            "path": "joey/supersecret"
          },
          "sensitive_attributes": [],
          "private": "bnVsbA=="
        }
      ]
    }
  ],
  "check_results": null
}

Terraform Configuration Files

provider "vault" {
  address   = "REDACTED"
  namespace = "admin"
}

resource "vault_kv_secret" "test_secrets" {
  path = "joey/supersecret"
  data_json = jsonencode({
    value : "joey1",
  })
}

Steps to Reproduce

Created a resource:

resource "vault_kv_secret" "test_secrets" {
  path = "joey/supersecret"
  data_json = jsonencode({
    value : "joey1",
  })
}

Ran Terraform, then changed the secret to joey2 in the Vault UI. Ran terraform refresh, then terraform plan.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@joey-squid joey-squid added the bug label Feb 15, 2024
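
The mismatch the report points out between `data` and `data_json` can be checked across a whole state file. The Python below is an added example, not code from the issue or from the provider; the function names, the constructed sample state and the handling of non-string values are assumptions.

```python
import json
import sys

# Constructed sample: a trimmed state with the same shape as the report's
# `terraform state pull` output (unrelated fields omitted).
SAMPLE_STATE = json.dumps({"version": 4, "resources": [{
    "mode": "managed", "type": "vault_kv_secret", "name": "test_secrets",
    "instances": [{"attributes": {
        "data": {"value": "joey2"},
        "data_json": '{"value":"joey1"}',
        "path": "joey/supersecret",
    }}],
}]})

def _state_form(value):
    # Assumption: non-string JSON values show up in the `data` map as JSON text.
    return value if isinstance(value, str) else json.dumps(value, separators=(",", ":"))

def find_stale_kv_secrets(state_text):
    """Return (address, path, keys) for each vault_kv_secret instance whose `data`
    disagrees with `data_json`. Only key names are reported, never secret values."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "vault_kv_secret":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            address = f'{res["type"]}.{res["name"]}'
            if inst.get("index_key") is not None:  # count / for_each instances
                address += f'[{json.dumps(inst["index_key"])}]'
            try:
                stored = json.loads(attrs.get("data_json") or "{}")
            except json.JSONDecodeError:
                stored = None
            if not isinstance(stored, dict):
                findings.append((address, attrs.get("path"), ["<unparseable data_json>"]))
                continue
            want = {k: _state_form(v) for k, v in stored.items()}
            have = attrs.get("data") or {}
            keys = sorted(k for k in want.keys() | have.keys() if want.get(k) != have.get(k))
            if keys:
                findings.append((address, attrs.get("path"), keys))
    return findings

if __name__ == "__main__":
    # Pass a file holding `terraform state pull` output, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    for address, path, keys in find_stale_kv_secrets(text):
        print(f"{address} ({path}): data and data_json differ on keys {keys}")
```
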
@joey-squid
Author

I'm no expert but I think this might be as simple as the following patch:

diff --git a/vault/resource_kv_secret.go b/vault/resource_kv_secret.go
index 0d666d6f..1e10c6b2 100644
--- a/vault/resource_kv_secret.go
+++ b/vault/resource_kv_secret.go
@@ -108,6 +108,15 @@ func kvSecretRead(_ context.Context, d *schema.ResourceData, meta interface{}) d
 		return diag.FromErr(err)
 	}
 
+	jsonData, err := json.Marshal(data)
+	if err != nil {
+		return diag.Errorf("error marshaling JSON for %q: %s", path, err)
+	}
+
+	if err := d.Set(consts.FieldDataJSON, string(jsonData)); err != nil {
+		return diag.FromErr(err)
+	}
+
 	return nil
 }
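
Review bot: the string passed to d.Set(consts.FieldDataJSON, string(jsonData)) is Go's json.Marshal rendering of the data read back, which matches the configured data_json only semantically, not necessarily byte for byte (hand-written JSON with different whitespace or key order would differ). Please confirm that the data_json field is compared as JSON rather than as a raw string, otherwise the missed drift becomes a permanent diff for those configurations. An acceptance test that changes the secret out of band and then expects a non-empty plan would pin the behaviour this issue asks for.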

@joey-squid joey-squid changed the title [Bug]: vault_kv_secret (v1) doesn't refresh data_json and therefore doesn't detect drift [Bug]: vault_kv_secret (v1) doesn't refresh data_json and doesn't detect drift Feb 15, 2024
@fairclothjm
Contributor

Closed by #2207
