Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle out-of-band approle deletion #2142

Merged
merged 4 commits into from
Feb 14, 2024
Merged

Handle out-of-band approle deletion #2142

merged 4 commits into from
Feb 14, 2024

Conversation

vinay-gopalan
Copy link
Contributor

@vinay-gopalan vinay-gopalan commented Feb 14, 2024
edited
Loading

Cleans up the AppRole Secret ID resource from TF state when a 500 error is returned from the Vault server upon an out-of-band deletion of the AppRole. Previously, all subsequent runs of TF would fail with the error. Ideally we should remove the non-existent secret ID from state and allow the TFVP to recreate the role and secret ID.

Closes #1683 #1666

Checklist

  • Added CHANGELOG entry (only for user-facing changes)
  • Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'
=== RUN   TestAccAppRoleAuthBackendRoleSecretID_basic
--- PASS: TestAccAppRoleAuthBackendRoleSecretID_basic (6.44s)
PASS

@vinay-gopalan vinay-gopalan marked this pull request as ready for review February 14, 2024 22:19
@github-actions github-actions bot added size/L and removed size/M labels Feb 14, 2024
@vinay-gopalan vinay-gopalan requested a review from a team February 14, 2024 22:19
vinay-gopalan
vinay-gopalan commented Feb 14, 2024
View reviewed changes
vault/resource_approle_auth_backend_role_secret_id_test.go
@@ -37,6 +37,18 @@ func TestAccAppRoleAuthBackendRoleSecretID_basic(t *testing.T) {
resource.TestCheckResourceAttrSet(secretIDResource, "accessor"),
),
},
{
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Confirmed that this test will fail on main and successfully apply and pass with the fixes in this PR

fairclothjm
fairclothjm reviewed Feb 14, 2024
View reviewed changes
vault/resource_approle_auth_backend_role_secret_id.go
@@ -388,3 +415,7 @@ func approleAuthBackendRoleSecretIDParseID(id string) (backend, role, accessor s

return
}

func isAppRoleDoesNotExistError(err error, role string) bool {
return util.Is500(err) && strings.Contains(err.Error(), fmt.Sprintf("role \"%s\" does not exist", role))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice! I was thinking this week about these types of scenarios and we probably don't always handle them correctly like this.

fairclothjm
fairclothjm approved these changes Feb 14, 2024
View reviewed changes
Copy link
Contributor

@fairclothjm fairclothjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@fairclothjm fairclothjm added this to the 3.26.0 milestone Feb 14, 2024
@vinay-gopalan vinay-gopalan merged commit e8197cf into main Feb 14, 2024
12 checks passed
@vinay-gopalan vinay-gopalan deleted the VAULT-24123/handle-approle-out-of-band-deletion branch February 14, 2024 23:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fairclothjm fairclothjm fairclothjm approved these changes

Assignees
No one assigned
Labels
size/L
Projects
None yet
Milestone
4.0.0
Development

Successfully merging this pull request may close these issues.

Provider becomes stuck if a managed approle + secret ID is deleted
2 participants
@vinay-gopalan @fairclothjm