
Add provider support for connecting to Vault via Unix Domain Socket (UDS) #1879

111a5ab1 opened this issue May 31, 2023 · 2 comments

@111a5ab1

111a5ab1 commented May 31, 2023

Support for server Unix Domain Socket ("UDS") Listener was added to Vault v1.13.

The latest version of Vault provider/Terraform does not appear to support connecting via UDS. It would be great to have this functionality added.

Terraform Version

$ terraform -v
Terraform v1.4.6
on linux_arm64
+ provider registry.terraform.io/hashicorp/vault v3.15.2

Terraform Configuration File

# main.tf

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">=3.15.2"
    }
  }
}

provider "vault" {
}

resource "vault_mount" "example" {
  path = "dummy"
  type = "generic"
}

Debug Output

Terraform Debug Output

Expected Behavior

Provider is able to communicate with Vault server via the Unix socket.

Actual Behavior

Connection fails:

Error: failed to configure Vault API: attempting to specify unix:// address with non-transport transport
│ 
│   with provider["registry.terraform.io/hashicorp/vault"],
│   on main.tf line 10, in provider "vault":
│   10: provider "vault" {

Steps to Reproduce

  1. Create Vault server configuration file with UDS listener:

    # vault_inmem.hcl
    
    listener "unix" {
      address = "vault.sock"
    }
    
    listener "tcp" {
      address     = "127.0.0.1:8200"
      tls_disable = true
    }
    
    storage "inmem" {}
  2. Run Vault server:

    $ vault server -config vault_inmem.hcl
    
  3. Confirm connectivity via UDS:

    $ export VAULT_ADDR="unix://vault.sock"
    $ vault status
    
    Key                Value
    ---                -----
    Seal Type          shamir
    Initialized        false
    Sealed             true
    Total Shares       0
    Threshold          0
    Unseal Progress    0/0
    Unseal Nonce       n/a
    Version            1.13.2
    Build Date         2023-04-25T13:02:50Z
    Storage Type       inmem
    HA Enabled         false
    
  4. Initialise Vault:

    $ VAULT_INIT=$(vault operator init -key-shares=1 -key-threshold=1 -format=table)
    # print the captured output with %s so a literal % or \ in it is not treated as a format string
    $ VAULT_UNSEAL=$(printf '%s\n' "${VAULT_INIT}" | grep "Unseal" | awk '{print $NF; }')
    $ vault operator unseal "${VAULT_UNSEAL}"
    $ export VAULT_TOKEN=$(printf '%s\n' "${VAULT_INIT}" | grep "Root" | awk '{print $NF; }')
    
  5. Create main.tf file with the following contents:

    # main.tf
    
    terraform {
      required_providers {
        vault = {
          source  = "hashicorp/vault"
          version = ">=3.15.2"
        }
      }
    }
    
    provider "vault" {
    }
    
    resource "vault_mount" "example" {
      path = "dummy"
      type = "generic"
    }
  6. Initialise Terraform:

    $ terraform init
    
  7. Attempt a plan and observe that it fails:

    $ terraform plan
    
    Error: failed to configure Vault API: attempting to specify unix:// address with non-transport transport
    │ 
    │   with provider["registry.terraform.io/hashicorp/vault"],
    │   on main.tf line 10, in provider "vault":
    │   10: provider "vault" {
    
  8. However, switching to TCP works as expected:

    $ export VAULT_ADDR="http://127.0.0.1:8200"
    $ terraform plan
    
    Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
    following symbols:
      + create
    
    Terraform will perform the following actions:
    
      # vault_mount.example will be created
      + resource "vault_mount" "example" {
          + accessor                     = (known after apply)
          + audit_non_hmac_request_keys  = (known after apply)
          + audit_non_hmac_response_keys = (known after apply)
          + default_lease_ttl_seconds    = (known after apply)
          + external_entropy_access      = false
          + id                           = (known after apply)
          + max_lease_ttl_seconds        = (known after apply)
          + path                         = "dummy"
          + seal_wrap                    = (known after apply)
          + type                         = "generic"
        }
    
    Plan: 1 to add, 0 to change, 0 to destroy.
    

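What the error in this report means, shown with an added example that is not code from the issue, from Terraform, or from the Vault provider: the Vault API client handles a unix:// address by swapping the dialer of the client's *http.Transport for one that connects to the socket, and the "non-transport transport" message is what it returns when the client's transport is some other RoundTripper (a logging or retry wrapper, for instance), because then there is no dialer to redirect. The stand-alone Go program below reproduces that mechanism against a constructed fake health endpoint served on a socket, so it runs without a Vault binary, and adds the check a practitioner wants when moving to a UDS listener: that the socket file is owner-only, since file permissions are the access control on a Unix socket. ConfigureAddress, StartFakeAPI, SocketIsPrivate, Health and wrappedTransport are names made up for this example.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"strings"
)

// ErrNonTransport mirrors the report: unix:// only works with a plain *http.Transport.
var ErrNonTransport = fmt.Errorf("attempting to specify unix:// address with non-transport transport")

// ConfigureAddress (hypothetical helper) redirects the client's dialer to the unix://<path>
// socket and returns the http:// base URL to use; "localhost" is a placeholder the dialer ignores.
func ConfigureAddress(client *http.Client, address string) (string, error) {
	if !strings.HasPrefix(address, "unix://") {
		return address, nil // TCP addresses pass through unchanged
	}
	socket := strings.TrimPrefix(address, "unix://")
	transport, ok := client.Transport.(*http.Transport)
	if !ok {
		return "", ErrNonTransport // a wrapping RoundTripper hides the dialer
	}
	transport.DialContext = func(ctx context.Context, _, _ string) (net.Conn, error) {
		return (&net.Dialer{}).DialContext(ctx, "unix", socket)
	}
	return "http://localhost", nil
}

// wrappedTransport stands in for a logging or retry wrapper: a RoundTripper, not an *http.Transport.
type wrappedTransport struct{ next http.RoundTripper }

func (w wrappedTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	return w.next.RoundTrip(r)
}

// SocketIsPrivate reports whether path is a unix socket that group and others cannot open.
func SocketIsPrivate(path string) (bool, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	if fi.Mode()&os.ModeSocket == 0 {
		return false, fmt.Errorf("%s is not a unix socket", path)
	}
	return fi.Mode().Perm()&0o077 == 0, nil
}

// StartFakeAPI serves a constructed health reply on socket (no Vault binary needed)
// and restricts the socket file to its owner, which is the access control for a UDS listener.
func StartFakeAPI(socket string) (*http.Server, error) {
	ln, err := net.Listen("unix", socket)
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(socket, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/sys/health", func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		io.WriteString(w, `{"initialized":false,"sealed":true}`) // constructed sample body
	})
	srv := &http.Server{Handler: mux}
	go srv.Serve(ln)
	return srv, nil
}

// Health configures client for address and fetches /v1/sys/health through it.
func Health(client *http.Client, address string) (string, error) {
	base, err := ConfigureAddress(client, address)
	if err != nil {
		return "", err
	}
	resp, err := client.Get(base + "/v1/sys/health")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

func main() {
	dir, _ := os.MkdirTemp("", "uds")
	defer os.RemoveAll(dir)
	socket := dir + "/vault.sock"
	if srv, err := StartFakeAPI(socket); err == nil {
		defer srv.Close()
	}
	private, _ := SocketIsPrivate(socket)
	body, err := Health(&http.Client{Transport: &http.Transport{}}, "unix://"+socket)
	fmt.Println("owner-only:", private, "| plain transport:", body, err)
	_, err = Health(&http.Client{Transport: wrappedTransport{next: &http.Transport{}}}, "unix://"+socket)
	fmt.Println("wrapped transport:", err)
}
```

The plain-transport call succeeds and the wrapped-transport call fails with the same message as the report, which is the property a fix in the provider would have to address: the unix:// handling has to see the real *http.Transport. Separately, keep the socket at mode 0600 (or a group-owned 0660) rather than the default umask result, because any local user who can write to the socket file can talk to the listener.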
@111a5ab1
Author

111a5ab1 commented Mar 17, 2024

It has been nearly a year since submitting this issue, so I decided to test this again to see if just maybe support was added in more recent versions. Seems a plan works, but fails on apply with the same non-transport transport error message.

$ vault --version
Vault v1.16.0-rc3 (6d31a8d27ac89b0383e9c82a869941ff60b20850), built 2024-03-11T16:34:23Z
$ terraform --version
Terraform v1.8.0-beta1
on linux_amd64
+ provider registry.terraform.io/hashicorp/vault v4.0.0

plan works:

$ terraform plan

Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # vault_mount.example will be created
  + resource "vault_mount" "example" {
      + accessor                     = (known after apply)
      + audit_non_hmac_request_keys  = (known after apply)
      + audit_non_hmac_response_keys = (known after apply)
      + default_lease_ttl_seconds    = (known after apply)
      + external_entropy_access      = false
      + id                           = (known after apply)
      + max_lease_ttl_seconds        = (known after apply)
      + path                         = "dummy"
      + seal_wrap                    = (known after apply)
      + type                         = "generic"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

apply fails:

$ terraform apply

Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # vault_mount.example will be created
  + resource "vault_mount" "example" {
      + accessor                     = (known after apply)
      + audit_non_hmac_request_keys  = (known after apply)
      + audit_non_hmac_response_keys = (known after apply)
      + default_lease_ttl_seconds    = (known after apply)
      + external_entropy_access      = false
      + id                           = (known after apply)
      + max_lease_ttl_seconds        = (known after apply)
      + path                         = "dummy"
      + seal_wrap                    = (known after apply)
      + type                         = "generic"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

vault_mount.example: Creating...
╷
│ Error: failed to configure Vault API: attempting to specify unix:// address with non-transport transport
│ 
│   with vault_mount.example,
│   on main.tf line 15, in resource "vault_mount" "example":
│   15: resource "vault_mount" "example" {
│ 
╵

@fairclothjm
Contributor

@111a5ab1 Hello, thanks for bringing this to our attention. Unfortunately, given our current bandwidth, we don't have plans to add this feature to TFVP at this time.
