unknown type <nil> for cidr_list in response for SecretID after upgrade to 1.9.0+ent #13226

Closed
@rgevaert

Description

Describe the bug

After upgrading from 1.8.3 to 1.9.0 I can't apply my terraform configuration anymore. Terraform (plan) fails with:

vault_approle_auth_backend_role_secret_id.id: Refreshing state... [id=...]
╷
│ Error: unknown type <nil> for cidr_list in response for SecretID "..."
│ 
│   with vault_approle_auth_backend_role_secret_id.id,
│   on auth_approles.tf line 30, in resource "vault_approle_auth_backend_role_secret_id" "id":
│   30: resource "vault_approle_auth_backend_role_secret_id" "id" {
│ 

Running the same config against 1.8.3, the plan works as expected. I upgraded to the latest Terraform and Vault Terraform provider to exclude any issues on that point.

This is the redacted terraform code:

resource "vault_approle_auth_backend_role" "backups" {
  backend        = vault_auth_backend.approle.path
  role_name      = "vault-backups"
  token_policies = [...]
}

resource "vault_approle_auth_backend_role_secret_id" "id" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.backups.role_name
}

The 1.9.0+ent and 1.8.3 clusters show this:

❯ vault read auth/approle/role/vault-backups

Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [...]
token_ttl                  0s
token_type                 default
❯ vault write auth/approle/role/vault-backups/secret-id-accessor/lookup secret_id_accessor=....
Key                   Value
---                   -----
cidr_list             <nil>
creation_time         202...
expiration_time       ...
last_updated_time     202...
metadata              map[]
secret_id_accessor    <snip>
secret_id_num_uses    0
secret_id_ttl         0s
token_bound_cidrs     []

Environment:

  • Vault Server Version (retrieve with vault status): 1.9.0
  • Vault CLI Version (retrieve with vault version): 1.9.0
  • Terraform version: 1.0.11 (first tried with 1.0.6, then upgraded)
  • Vault terraform provider: 3.0.0 (first tried with v2.23.0, then upgraded to latest)

Additional context

I saw an item in the upgrade release notes that talks about cidr_list and how it is stored... #12868
There is also this: hashicorp/terraform-provider-vault#1175
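
The failure reported above is a client rejecting a null cidr_list in the SecretID lookup response. As an added example (not part of the original issue, and not the Terraform provider's or Vault's own code), here is a Go decoder that treats a null or empty cidr_list as "no CIDR restriction" while still failing on malformed entries. The function name, the comma-separated string form and the sample response body are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// cidrListFromBody normalizes data.cidr_list: JSON null, a comma-separated string or a list.
// Assumption: null and "" both mean the SecretID has no CIDR restriction.
func cidrListFromBody(body string) ([]string, error) {
	var resp struct{ Data map[string]interface{} `json:"data"` }
	if err := json.Unmarshal([]byte(body), &resp); err != nil {
		return nil, err
	}
	var raw []string
	switch d := resp.Data["cidr_list"].(type) {
	case nil: // null or absent: leave raw empty instead of returning an error
	case string:
		if d != "" {
			raw = strings.Split(d, ",")
		}
	case []interface{}:
		for _, e := range d {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("cidr_list element has type %T, want string", e)
			}
			raw = append(raw, s)
		}
	default:
		return nil, fmt.Errorf("unknown type %T for cidr_list", d)
	}
	out := make([]string, 0, len(raw))
	for _, c := range raw {
		c = strings.TrimSpace(c)
		if _, _, err := net.ParseCIDR(c); err != nil {
			return nil, fmt.Errorf("invalid CIDR %q in cidr_list: %w", c, err)
		}
		out = append(out, c)
	}
	return out, nil
}

func main() {
	// Constructed body shaped like the lookup output above (cidr_list is null).
	fmt.Println(cidrListFromBody(`{"data":{"cidr_list":null,"secret_id_num_uses":0}}`))
}
```

Unknown types and unparsable CIDR strings still return an error, so a malformed binding is never silently read as "unrestricted".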
