
hcp_vault_cluster_admin_token issues with app.terraform.io remote backend #125

Open
wilkosz opened this issue May 18, 2021 · 7 comments
Labels: bug (Something isn't working)

Comments

@wilkosz

wilkosz commented May 18, 2021

Terraform Version and Provider Version

Terraform version: 14 or 15
HCP provider version: 0.6.0
Terraform Cloud

Affected Resource(s)

  • hcp_vault_cluster_admin_token

Terraform Configuration Files

Any build using the Terraform remote backend. (The HVN and Vault cluster are newly created with no configuration other than being made public.)

data "hcp_vault_cluster" "main" {
  cluster_id = var.hvn.vault_id
}

# Bootstrap admin token for the HCP Vault cluster
resource "hcp_vault_cluster_admin_token" "main" {
  cluster_id = var.hvn.vault_id
}

# Vault provider configured directly with the admin token created above
provider "vault" {
  address   = "https://${data.hcp_vault_cluster.main.vault_public_endpoint_url}:8200"
  token     = hcp_vault_cluster_admin_token.main.token
  namespace = "admin"
}

resource "vault_mount" "db" {
  path = "database"
  type = "database"
}

# Remote backend (Terraform Cloud); a backend block must sit inside a terraform block
terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "dochub"

    workspaces {
      name = "dochub-testing"
    }
  }
}

Debug Output

Error: no vault token found

  on ../modules/hvn/providers.tf line 14, in provider "vault":
  14: provider "vault" {

Steps to Reproduce

  1. terraform apply

Expected Behavior

Any behaviour resulting in execution plan creation, for example:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  + create
 <= read (data resources)

Terraform will perform the following actions:

Important Factoids

This is only an issue with the remote backend. Running locally and with the S3 backend both work as desired when HCP_CLIENT_ID and HCP_CLIENT_SECRET are present.
Also note that the hcp_vault_cluster data resource does return the vault_public_endpoint_url.
Manually adding the environment variable VAULT_TOKEN on Terraform Cloud does fix the issue, but doesn't scale.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@wilkosz wilkosz added the bug Something isn't working label May 18, 2021
@bcmdarroch
Contributor

Hi @wilkosz! Thanks for adding this issue. I'll do some investigation and keep you posted.

@wilkosz
Author

wilkosz commented May 18, 2021

@bcmdarroch I have done some discovery on this, and it is not Terraform version dependent; it happens when using the remote app.terraform.io backend:

# Remote backend block; must be nested inside a terraform block to be valid
terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "dochub"

    workspaces {
      name = "dochub-testing"
    }
  }
}

@wilkosz wilkosz changed the title hcp_vault_cluster_admin_token issues with Terraform 14.x hcp_vault_cluster_admin_token issues with app.terraform.io remote backend May 18, 2021
@bcmdarroch
Contributor

I think this might be an issue of the admin token timing out when using remote. The admin token is really only intended for bootstrapping and should be replaced by a more secure long-term auth solution in cases like this. We'll be working on updating our best practices in the admin token guide which will provide more in-depth guidance.

@wilkosz
Author

wilkosz commented Jun 23, 2021

@bcmdarroch not sure if it is a timeout issue. If the token is set as an environment variable for the first run, then removed, it behaves as intended.

@Bluesboy

@wilkosz Thanks! That worked for me.

@iniinikoski

@wilkosz did you find out anything more about this...? In addition to this, I've bumped into a fleet of issues when working on both the HCP provider and the Vault provider at the same time... As providers don't understand dependencies, for example, an attempt would be made to initialise the Vault provider with a token which does not exist yet...

Expecting HashiCorp to really build a proper suggestion on how to do the bootstrapping in a proper and secure way - also with Terraform Cloud.

@bcmdarroch
Contributor

Updating with the following guidance from our official Vault docs. It is recommended that the admin token only be used during initial setup of the Vault cluster. We do not have TFC-specific guidance at this time, so I will leave this issue open.

A good practice is to limit the use of the admin token and configure your preferred auth method(s) for regular use. The auth methods you choose to enable will be based on the who (person) or what (machine) will access your HCP Vault cluster. It is not uncommon to have multiple auth methods enabled.
source: https://developer.hashicorp.com/vault/tutorials/cloud-ops/hcp-vault-namespace-considerations#hcp-vault-admin-namespace

The Manage Authentication Methods guide walks through how to set up proper authentication once your cluster has been bootstrapped with the admin token.
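As an added illustration of the bootstrapping pattern the maintainers recommend (this is not code from the issue, nor from the HCP or Vault provider documentation), the following two-stage layout keeps the admin token out of the long-lived Terraform Cloud workspace. Stage one is a separate root module that runs once with the admin token and provisions an AppRole auth method plus a policy limited to the database mount; stage two, the app.terraform.io workspace, authenticates with that AppRole and contains no hcp_vault_cluster_admin_token resource at all, so the Vault provider no longer depends on a resource that does not exist yet at provider initialization. The cluster ID variable, organization, workspace, policy name, role name, TTLs and variable names are assumptions; the resource types and the auth_login block are the standard ones from the hashicorp/hcp and hashicorp/vault providers. The example also assumes vault_public_endpoint_url is a full URL including scheme and port, as in current provider versions; if your provider version returns only a host, build the address the way the issue's own configuration does.

```hcl
# ===== File: bootstrap/main.tf (stage 1, run once from an operator machine) =====
# Assumed variable: the HCP Vault cluster ID.
variable "vault_cluster_id" {}

data "hcp_vault_cluster" "main" {
  cluster_id = var.vault_cluster_id
}

# Admin token is used only here, for initial setup, never in the TFC workspace.
resource "hcp_vault_cluster_admin_token" "bootstrap" {
  cluster_id = var.vault_cluster_id
}

provider "vault" {
  address   = data.hcp_vault_cluster.main.vault_public_endpoint_url # assumed full URL
  token     = hcp_vault_cluster_admin_token.bootstrap.token
  namespace = "admin"
}

# Least-privilege policy for the ops workspace: manage only the database mount.
# Widen only as the ops workspace's resources actually require.
resource "vault_policy" "db_ops" {
  name   = "db-ops" # assumed name
  policy = <<-EOT
    path "sys/mounts" {
      capabilities = ["read"]
    }
    path "sys/mounts/database" {
      capabilities = ["create", "read", "update", "delete"]
    }
    path "database/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
  EOT
}

resource "vault_auth_backend" "approle" {
  type = "approle"
}

# Short-lived tokens: each Terraform run logs in and gets a fresh token.
resource "vault_approle_auth_backend_role" "tfc" {
  backend        = vault_auth_backend.approle.path
  role_name      = "tfc-db-ops" # assumed name
  token_policies = [vault_policy.db_ops.name]
  token_ttl      = 1200 # seconds, assumed
  token_max_ttl  = 3600 # seconds, assumed
}

resource "vault_approle_auth_backend_role_secret_id" "tfc" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.tfc.role_name
}

# Store these two as sensitive workspace variables in Terraform Cloud.
output "tfc_role_id" {
  value     = vault_approle_auth_backend_role.tfc.role_id
  sensitive = true
}

output "tfc_secret_id" {
  value     = vault_approle_auth_backend_role_secret_id.tfc.secret_id
  sensitive = true
}

# ===== File: ops/main.tf (stage 2, the app.terraform.io workspace) =====
terraform {
  backend "remote" {
    hostname     = "app.terraform.io"
    organization = "example-org" # assumed
    workspaces {
      name = "example-db-ops" # assumed
    }
  }
}

# Set as Terraform Cloud workspace variables; the two credentials marked sensitive.
variable "vault_addr" {}
variable "vault_role_id" {
  sensitive = true
}
variable "vault_secret_id" {
  sensitive = true
}

# No admin token here: the provider authenticates with the AppRole from stage 1.
provider "vault" {
  address   = var.vault_addr
  namespace = "admin"
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = var.vault_role_id
      secret_id = var.vault_secret_id
    }
  }
}

resource "vault_mount" "db" {
  path = "database"
  type = "database"
}
```

Because the ops workspace never references hcp_vault_cluster_admin_token, the "no vault token found" ordering problem from this thread cannot occur there, and the VAULT_TOKEN environment-variable workaround is no longer needed. The secret_id is the credential that now needs care: rotate it by re-applying the bootstrap module (or constrain it with the role's secret_id_ttl and secret_id_num_uses settings), and keep the policy scoped to the paths the workspace actually manages.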

aidan-mundy added a commit that referenced this issue Dec 12, 2023