Vault Provider Args token should not be mandatory

[arpanrec]

What happened?

Vault Provider Args token should not be mandatory, as we have other authentication methods.
in node_modules/@pulumi/vault/provider.d.ts

    /**
     * Token to use to authenticate to Vault.
     */
    token: pulumi.Input<string>;

Example

const vaultSource = new vault.Provider(`vault-${resourceUniqueIdPrefix}`, {
        address: process.env.VAULT_ADDR || '',
        token: 'bug', // not needed but it's marked mandatory in the type definition
        clientAuth: {
            certFile: path.join(vaultCertDir, 'client_certificate.pem'),
            keyFile: path.join(vaultCertDir, 'client_private_key.pem'),
        },
        caCertFile: path.join(vaultCertDir, 'root_ca_certificate.pem'),
        authLogin: {
            path: 'auth/approle/login',
            parameters: {
                role_id: process.env.VAULT_APPROLE_ROLE_ID || '',
                secret_id: process.env.VAULT_APPROLE_SECRET_ID || '',
            },
        },
    });

Output of pulumi about

❯ pulumi about
CLI
Version 3.116.0
Go Version go1.22.2
Go Compiler gc

Host
OS arch
Version "rolling"
Arch x86_64

Backend
Name pulumi.com
URL https://app.pulumi.com
User Unknown
Organizations
Token type personal

Additional context

It is not mandatory in terraform vault provider.
https://registry.terraform.io/providers/hashicorp/vault/latest/docs#token

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[guineveresaenger]

Hey @arpanrec - thank you for reporting this issue. We'll take a look as soon as we can.

[guineveresaenger]

Hi @arpanrec - I took a quick peek upstream and it appears from the schema that token is in fact Required - the documentation is incorrect.

Can you tell us a bit more in which way this presents as a blocker to you? Does declaring token: '' provide a reasonable workaround?

[guineveresaenger]

Note that I opened hashicorp/terraform-provider-vault#2237 upstream.

[arpanrec]

@guineveresaenger , as you can see in the code example above I have done exactly that,
token: 'bug', and yes, it's NOT a blocker.

But I have never looked at the upstream source code of terraform-vault-provider. I just saw Terraform docs and I saw it's marked optional.

I can see you have done all the research already hashicorp/terraform-provider-vault#2237 here. Thanks

[guineveresaenger]

@arpanrec - All right, so I've gotten some more context here.

First off, the current workaround for this issue is, as you discovered, passing an empty string to token.

Upstream has made the choice to allow for the schema to say Required but as the field has a DefaultFunc on it (this is the confusing choice), the fallback behavior is always an empty string. They've decided to document this as Optional in the documentation.

On our end, we do need to support this kind of behavior better, so I've filed pulumi/pulumi-terraform-bridge#1978 to follow up.

I'm leaving this issue open and will close when the workaround is no longer necessary. Thanks again for the find!

[arpanrec]

Yes, I agree, I should have checked the source code in Terraform vault provider first, as the conflict is in the source code vs terraform docs. my bad.

Off-Topic: Any way loving pulumi in big terraform to pulumi rewrite in TS. Keep it up.