Consul Provider token rotation issue #298

Closed
askmike1 opened this issue Mar 8, 2022 · 1 comment · Fixed by #321

askmike1 commented Mar 8, 2022

Terraform Version

Tested with 0.12.31 & 1.1.7

Affected Resource(s)

  • consul_key_prefix

Terraform Configuration Files

provider "consul" {
  version    = "~> 2.14"
  address    = "https://<consul_url>"
  datacenter = "<consul_datacenter>"
}

resource "consul_key_prefix" "subnet_nums" {
  token       = "<token>"
  path_prefix = "terraform/path/path/"
  subkey {
    path  = "nums"
    value = "val"
  }
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

When token changes it should pick up the new one

Actual Behavior

It tries to use whatever token is in the state file and thus fails as it no longer exists

Steps to Reproduce

  1. terraform init
  2. terraform plan
  3. terraform apply
  4. Delete old consul token and replace with new one (alternatively, just update the state file to change the token to some bogus value)
  5. terraform plan
    Output:
Error: Failed to list Consul keys under prefix 'terraform/path/path/': Unexpected response code: 403

Important Factoids

N/A

References

N/A

@remilapeyre
Contributor

Hi @askmike1, thanks for opening this issue.

Sadly, the issue here lies in how Terraform interacts with providers: when reading a resource, the provider only gets the current state as input, not the current user configuration: https://github.com/hashicorp/terraform/blob/e6dbb7faf0407f6f98a451bbe8b0eb5fc160b4ec/docs/plugin-protocol/tfplugin6.2.proto#L249-L254.

The token argument in the consul_key_prefix resource has been here for 8 years, before this kind of issue was well understood.

The best way forward is to use the token argument in the provider configuration: https://registry.terraform.io/providers/hashicorp/consul/latest/docs#token. That way, the client will always use the token you are expecting.

I will probably mark the token attributes and other similar attributes as deprecated and remove them in a major release; they have too many drawbacks and needlessly complicated the design of the provider.
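
The configuration change recommended in the reply above, as an added example that is not part of the original thread or the provider's own documentation. The variable name `consul_token` is an assumption, the `<...>` placeholders are the ones from the issue, and the `required_providers` and `sensitive` syntax assumes Terraform 0.14 or later.

```hcl
terraform {
  required_providers {
    consul = {
      source  = "hashicorp/consul"
      version = "~> 2.14"
    }
  }
}

# Assumed variable name. Supply the value out of band (for example through
# the TF_VAR_consul_token environment variable) so that rotating the token
# does not require editing the configuration.
variable "consul_token" {
  type      = string
  sensitive = true
}

provider "consul" {
  address    = "https://<consul_url>"
  datacenter = "<consul_datacenter>"

  # Provider configuration is evaluated on every run, so the client is built
  # with the current token rather than one remembered from an earlier apply.
  token = var.consul_token
}

# Before (from the issue): the per-resource token is recorded in the state
# file and reused when the resource is read, which fails with a 403 once
# that token has been deleted.
#
#   resource "consul_key_prefix" "subnet_nums" {
#     token       = "<token>"
#     path_prefix = "terraform/path/path/"
#   }

# After: no per-resource token, so reads use the provider-level token.
resource "consul_key_prefix" "subnet_nums" {
  path_prefix = "terraform/path/path/"

  subkey {
    path  = "nums"
    value = "val"
  }
}
```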

@remilapeyre remilapeyre self-assigned this Aug 28, 2022
remilapeyre added a commit to remilapeyre/terraform-provider-consul that referenced this issue Aug 28, 2022
Having the token attribute in the resources causes issues: when a user
updates it the previous value is used when calling the `Read()` method.

This is expected based on the protocol Terraform Core uses and there is
no way to have the correct behavior here. To fix this I mark the "token"
attribute as deprecated so that users only set the one in the "provider"
block.

I also mark all "datacenter", "namespace" and "partition" attributes as
ForceNew to avoid the same issue with those.

Closes hashicorp#298
remilapeyre added a commit that referenced this issue Dec 12, 2022
Closes #298