unknown type <nil> for cidr_list in response for SecretID after upgrade to 1.9.0+ent

[rgevaert]

Describe the bug

After upgrading from 1.8.3 to 1.9.0 I can't apply my terraform configuration anymore. Terraform (plan) fails with:

vault_approle_auth_backend_role_secret_id.id: Refreshing state... [id=...]
╷
│ Error: unknown type <nil> for cidr_list in response for SecretID "..."
│ 
│   with vault_approle_auth_backend_role_secret_id.id,
│   on auth_approles.tf line 30, in resource "vault_approle_auth_backend_role_secret_id" "id":
│   30: resource "vault_approle_auth_backend_role_secret_id" "id" {
│ 

Running the same config against 1.8.3 the plan works as expected. I upgraded to the latest terraform and vault terraform provider to exclude any issues on that point.

This is the redacted terraform code:

resource "vault_approle_auth_backend_role" "backups" {
  backend        = vault_auth_backend.approle.path
  role_name      = "vault-backups"
  token_policies = [...]
}

resource "vault_approle_auth_backend_role_secret_id" "id" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.backups.role_name
}

1.9.0+ent and 1.8.3 cluster show this:

❯ vault read auth/approle/role/vault-backups

Key                        Value
---                        -----
bind_secret_id             true
local_secret_ids           false
secret_id_bound_cidrs      <nil>
secret_id_num_uses         0
secret_id_ttl              0s
token_bound_cidrs          []
token_explicit_max_ttl     0s
token_max_ttl              0s
token_no_default_policy    false
token_num_uses             0
token_period               0s
token_policies             [...]
token_ttl                  0s
token_type                 default

❯ vault write auth/approle/role/vault-backups/secret-id-accessor/lookup secret_id_accessor=....
Key                   Value
---                   -----
cidr_list             <nil>
creation_time         202...
expiration_time       ...
last_updated_time     202...
metadata              map[]
secret_id_accessor    <snip>
secret_id_num_uses    0
secret_id_ttl         0s
token_bound_cidrs     []

Environment:

• Vault Server Version (retrieve with vault status): 1.9.0
• Vault CLI Version (retrieve with vault version): 1.9.0
• Terraform version: 1.0.11, (first tried with 1.0.6, then upgraded)
• Vault terraform provider: 3.0.0 (first tried with v2.23.0, then upgraded to latest)

Additional context

I saw in the release notes upgrade that talks about cidr_list and how it is stored... #12868
There is also this: hashicorp/terraform-provider-vault#1175

[hsimon-hashicorp]

Hi there @rgevaert! The 3.0.0 version of the Terraform Vault Provider does remove some deprecated fields, that might be causing your errors. Can you let me know if you're using any of these fields, and if not, I'll escalate to our engineers. Thanks!

https://registry.terraform.io/providers/hashicorp/vault/latest/docs/guides/version_3_upgrade#resource-vault_approle_auth_backend_role

The following deprecated fields have been removed:
bound_cidr_list - use secret_id_bound_cidrs instead.
policies - use token_policies instead.
period - use token_period instead.

[rgevaert]

Hi Heather, the code above is the code I have and I am not using deprecated fields. FWIW I also created a ticket in Hashicorp support system. We are using enterprise version :-)

[hsimon-hashicorp]

@rgevaert ... darnit! I was hoping it was an easy fix. :) Please feel free to email me your support ticket number (my email is the first part of my GitHub username, at hashicorp dot com). Thanks a lot. :)

[benashz]

@hsimon-hashicorp this is an issue with the Terraform Vault Provider. Should be fixed in the related PR.

[ncabatoff]

@benashz As the reporter notes, it looks like something changed in approle's secret-id-accessor/lookup endpoint between 1.8 and 1.9: what was previously an empty list [] for cidr_list is now a nil. I'm in favour of TVP treating those as equivalent, if it can do so consistently everywhere. That said, I'm pretty sure we didn't intend to change this behaviour in Vault, and it could impact other clients than TVP, so I don't think we should view this issue as "fixed" by your PR.

[benashz]

@ncabatoff okay that makes sense.

[benashz]

@hsimon-hashicorp please disregard my previous comment about this being a TFVP issue. @ncabatoff explains the root cause above.

[benashz]

@rgevaert we released terraform-provider-vault v3.0.1 today, which should allow you to successfully provision vault-1.9.0.

[rgevaert]

Thanks @benashz, much appreciated. I'll check it out tomorrow!

[rgevaert]

@benashz and @ncabatoff thanks. I can confirm the pipelines are 🟢 again!.