
Unable to add member to vault group with terraform


I'm here because I'm a beginner with terraform and I need some help.

I'm able to create a policy and a group with Terraform on Vault:

provider "vault" {
    address = var.vault_address
    token   = var.vault_token
}


resource "vault_policy" "kv_test_policy" {
  name   = var.kv_test_policy
  policy = file("kv_test_policy.hcl")
}

resource "vault_identity_group" "internal" {
  name     = var.vault_group
  type     = var.vault_group_type
  policies = [vault_policy.kv_test_policy.name]
}

With this variables.tf file:

variable "kv_vault_name" {
  type        = string
  default     = "kv_test"
  description = "KV name."
}

variable "kv_test_policy" {
  type        = string
  default     = "kv_test_policy"
  description = "kv_test_policy."
}

variable "vault_group" {
  type = string
  default = "kv_test_group"
  description = "KV test group."
}

variable "vault_group_type" {
  type = string
  default = "internal"
  description = "KV test group type."
}

variable "vault_address" {
  type        = string
  default     = "XXX"
  description = "Vault address."
}

variable "vault_token" {
  type        = string
  default     = "XXX"
  description = "Vault token."
}

With my policy in an HCL file, and it works.

I already have some entities on my Vault and I would like to add a member to my new group. So I tried this:

resource "vault_identity_group_member_entity_ids" "test" {
  member_entity_ids = [var.vault_member]
  group_id          = var.vault_group
}

And I add in variables.tf:

variable "vault_member" {
  type        = string
  default     = "XXX" # Tried with the email and the ID
  description = "Vault member id."
}

And the output is:

│ Error: entity not found: "/identity/group/id/kv_test_group"
│ 
│   with vault_identity_group_member_entity_ids.test,
│   on main.tf line 18, in resource "vault_identity_group_member_entity_ids" "test":
│   18: resource "vault_identity_group_member_entity_ids" "test" {

The kv_test_group is indeed present on my Vault...

I think this isn't the right way to do it. Is there someone who can show me how to do it?

Thanks!


Solution

  • After reading the doc, the group_id argument is expecting the group id (obviously...) with a form like: xxxxxxxx-2xx9-4xx9-bxx8-xxxxxxxxxxxx. You are providing the group name, which is different.

    I suggest you try:

        data "vault_identity_group" "vlt_grp" {
          group_name = var.vault_group
        }

        resource "vault_identity_group_member_entity_ids" "test" {
          member_entity_ids = [var.vault_member]
          group_id          = data.vault_identity_group.vlt_grp.group_id
        }

    You are getting the group object via the name in your variable and retrieving the group ID from it.

    Let me know if it helps you
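As an added, complete example (not the asker's or answerer's code), here is the same setup wired so that both the group ID and the member entity ID come from Terraform references rather than hand-copied values. It assumes the vault provider reads VAULT_ADDR and VAULT_TOKEN from the environment (so no token sits in a variables file), that the entity named by var.vault_member_name already exists in Vault, and that the group is created in this same configuration, so its id attribute can be used directly instead of a data source lookup by name.

```hcl
# Added example, not from the original question or answer.
# Provider credentials are taken from VAULT_ADDR / VAULT_TOKEN in the
# environment rather than from defaults in variables.tf.
provider "vault" {}

variable "vault_member_name" {
  type        = string
  description = "Name of an existing Vault identity entity (assumed to exist)."
}

resource "vault_policy" "kv_test_policy" {
  name   = "kv_test_policy"
  policy = file("kv_test_policy.hcl")
}

resource "vault_identity_group" "internal" {
  name     = "kv_test_group"
  type     = "internal"
  policies = [vault_policy.kv_test_policy.name]

  # Required when membership is managed by a separate
  # vault_identity_group_member_entity_ids resource; otherwise this
  # resource will try to reset the member list on every apply.
  external_member_entity_ids = true
}

# Resolve the entity's UUID from its name: member_entity_ids needs the
# entity ID, not an email or alias name.
data "vault_identity_entity" "member" {
  entity_name = var.vault_member_name
}

resource "vault_identity_group_member_entity_ids" "test" {
  # The group is created above, so reference its UUID directly.
  group_id          = vault_identity_group.internal.id
  member_entity_ids = [data.vault_identity_entity.member.id]

  # exclusive defaults to true, which removes any entity not listed in
  # member_entity_ids. Set it to false to only add members and leave
  # existing ones alone.
  exclusive = false
}
```

Run `terraform plan` first and check that the planned group_id is a UUID and that no unexpected entities are being removed from the group.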