-
Notifications
You must be signed in to change notification settings - Fork 540
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Latest version (1.6.0) breaks the vault_aws_secret_backend_role resource #349
Comments
Hi @atrepca ! Thanks for opening this ticket. I can't duplicate this locally but I suspect it has to do with the version of Vault I'm testing against. What version of Vault are you on? |
Actually, I found that I can duplicate a failure on version 11.6 of Vault. Does #329 fix this for you? |
Ugg, had an old Vault server, upgraded from |
Thanks @atrepca ! Actually, though, we definitely want the code to maintain backwards compatibility so in a perfect world it would work for both of us. Going to leave this open until we can get into that state. |
Hmmmmmm, actually, in coding up a fix, I may be incorrect, but it looks like if I support previous versions of Vault, that's different from supporting previous versions of the schema. The Terraform path for deprecating and replacing attributes includes adding a deprecation warning, and mapping uses of the old value to the new value that's replacing it. That's how the code is currently, so it's working in that respect. If I instead break from that and preserve old styles of providing attributes, that will cause both versions to work but I won't be following a proper deprecation path. I think you were right in the first place. I think we should follow normal Terraform provider paradigms and continue to support the current version of Vault. Those wanting to point at past versions of Vault can stick with past versions of the Terraform Vault Provider. I think there's no more work here to be done. |
@tyrannosaurus-becks Is there some kind of version compatibility matrix available? As I came across this issue after testing the latest
As a point of principle, I'd also consider that a breaking change, as it's changing the API that existing TF code conforms to... However that is an aside...
This is unfortunate, as it's taken what should've been a simple "Bump the Terraform provider version and profit" change to a "First, upgrade the Vault server to this latest version before you can do anything..." |
Hi @fatmcgav , Generally we're trying to keep the current version of the Terraform Vault Provider in tune with the current version of Vault. When the Vault API changes, we generally can't support the current Vault API while also supporting past Vault APIs and following best practices around deprecations and removals. It's definitely a trade-off. We do err on the side of following best practices and keeping up with current Vault. Definitely would recommend not setting the provider to auto-update versions unless you're keeping up with present Vault as well. Apologies for the inconvenience! |
I'm still a bit confused. I understand the need for following the best practices, but I'd like to understand what this means in terms of upgrading. Let's say I'm on Vault 1.0 and terraform-provider-vault 1.6 and I want to create a In other words, if I wanted to have parity between the provider and the Vault API, would I have to wait a minimum of two releases, or can it happen on the next one? I hope that made sense. |
Hi @patoarvizu ! Best practices for deprecations, removals, and renames are here. Best practices for versioning are here. We follow both wherever possible. |
Summary
The latest version of the provider - 1.6.0 - breaks the
vault_aws_secret_backend_role
resource; using the previous version - 1.5.0 - works as expected.Terraform Version
Affected Resource(s)
Terraform Configuration Files
Tested using the example from the docs:
Debug Output
Important Factoids
Installing version 1.5.0 of the provider and using the code below works fine:
The text was updated successfully, but these errors were encountered: