resource/ssh_secret_backend_ca: detect misconfigured resource and remove from state #856
The `vault_ssh_secret_backend_ca` resource depends on an SSH secret backend mounted at `path`. If `generate_signing_key` is used (which is the default) this resource generates the signing key pair internally at creation time.

If the SSH secret engine gets replaced (meaning recreated, at the same path), the generated keys are lost but the `backend_ca` resource does not detect this because the path has not changed. In follow-up state refreshes, the resource throws an error from Vault that the keys are not present: (See #846)

Unfortunately due to how Terraform works, because the `path` value does not change, the `vault_ssh_secret_backend_ca` does not get marked for update when the SSH resource is changed. Vault requires paths to be unique, but does not offer unique IDs for relationships, or at least the provider doesn't utilize them.

This PR does not completely fix this problem, however it improves error handling in the `vault_ssh_secret_backend_ca` resource such that if the `"keys haven't been configured yet"` error message is received, it removes the resource from state so that a future `terraform plan` can recreate it.

Improves, but does not really "fix", #846
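
The refresh behaviour described above, as an added sketch that is not the provider's own code: `resourceState`, `caReader` and `refreshCA` are hypothetical stand-ins for the Terraform SDK state and the Vault client. It also shows the case a reviewer would check, that any other Vault error (for example a permission failure) must not drop the resource from state.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// keysMissingMsg is the Vault error text quoted in the PR description.
const keysMissingMsg = "keys haven't been configured yet"

// resourceState is a hypothetical stand-in for Terraform's per-resource state.
// An empty ID means "removed from state" (what d.SetId("") does in the plugin SDK).
type resourceState struct {
	ID      string
	Backend string
}

// caReader is a hypothetical abstraction over the Vault read of the mount's CA config.
type caReader func(backend string) (publicKey string, err error)

// refreshCA drops the resource from state only when Vault reports that the
// mount has no CA keys. Every other error is returned and state is left alone.
func refreshCA(st *resourceState, read caReader) error {
	_, err := read(st.Backend)
	if err == nil {
		return nil
	}
	if strings.Contains(err.Error(), keysMissingMsg) {
		st.ID = "" // the next plan sees no resource and proposes a create
		return nil
	}
	return fmt.Errorf("reading CA for %q: %w", st.Backend, err)
}

func main() {
	// Constructed scenario: the mount at "ssh" was recreated, so its keys are gone.
	replaced := func(string) (string, error) {
		return "", errors.New("Error making API request: " + keysMissingMsg)
	}
	st := &resourceState{ID: "ssh", Backend: "ssh"}
	err := refreshCA(st, replaced)
	fmt.Printf("id=%q err=%v\n", st.ID, err)
}
```

Matching on the message substring ties the check to Vault's wording, so a change in that text would turn this back into a failing refresh rather than a silent state removal.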