New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vault Init input validation is too strict (1.12.0) #17764
Comments
Hi, @acidprime. The Vault team is very cautious about introducing breaking changes only to major versions. Admittedly, it has happened in the past. Vault does not strictly follow semver and 1.12.0 is actually considered a major version. I dug into |
Yeah that makes sense to me too If those values are non-zero it makes sense validation would fail |
It seems like this might have been resolved, so I'm going to close it. If that's wrong, feel free to re-open! |
Describe the bug
Vault 1.12.0 added support to validate operator init input. However Its breaking a community terraform module and supported server side behavior.
Refs
Vault PR adding validation
Terraform Community Module
This is due to the fact the author relied on passing in
0
to therecovery_
* params and then them being ignored by vault when secrets were specified as non zero. This is confusing in the code as the error does not match the expected state as defined.This is NOT inline with the vault server code
vault/http/sys_init.go
Lines 154 to 158 in dd891bc
Which implicitly allows you to pass
0
currently.To Reproduce
Steps to reproduce the behavior:
terraform apply
Expected behavior
The provider specifiying
0
for recovery keys and >0
for secret keys should pass validation.Based on semver this is a breaking change to the API, while I understand the need for validation I would say passing
0
to both params should negate that check given the server side code supporting that configuration. Further I think this scenario e.g.0
for the params was missed in the go tests, and if its was an expected behavior then it should be in the go tests for linked PR. Instead the PR/tests only assume a scenario where you incorrectly pass both params in with values instead of one with 0 and one with >0 value . Most importantly its not inline with the actual server code referenced above which should be the source of truth here for validation.Environment:
1.12.0
:1.12.0
:Docker , but its not probably not relevant to this bug.
Vault server configuration file(s):
Additional context
I have also filed a bug on the community provider here rickardgranberg/terraform-provider-vaultoperator#7
However strictly speaking again, this is a breaking change in the API on invalid semver bump so I think vault should likely fix it. The validation while good, should not fail to validate something that would not produce an invalid configuration e.g.
0
for recovery keys.Even if you expect the provider author to fix it, it is actually not that easy to fix for the though too:
You can see the terraform vault provider code in question here
This is essentially by design in the terraform provider code as calling Get will implicitly return a
0
and not saynil
, that would work here withomitempty
if the upstream vault api module supported it. However even that won't work as vault doesn't useomitempty
for the init request type.From the terraform provider docs for
Get
vault/api/sys_init.go
Lines 58 to 59 in 746b089
The text was updated successfully, but these errors were encountered: