IdentityEntityAlias created and subsequently not found, maybe race condition

Hi,

I’m currently configuring an Enterprise vault to have entities based on our external LDAP, which is then fed into namespace groups for access. This is working and the functionality is fine.

However, 80% of Terraform applies result in an error such as the one below:

vault_identity_entity_alias.pid_upper_alias["UPPER"]: Creating...
2021-11-11T14:41:27.049Z [INFO]  Starting apply for vault_identity_entity_alias.pid_upper_alias["UPPER"]
2021-11-11T14:41:27.050Z [DEBUG] vault_identity_entity_alias.pid_upper_alias["UPPER"]: applying the planned Create change
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 2021/11/11 14:41:27 [DEBUG] Vault API Request Details:
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: ---[ REQUEST ]---------------------------------------
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: PUT /v1/identity/entity-alias HTTP/1.1
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Host: <removedbyauthor>:8200
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: User-Agent: Go-http-client/1.1
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Content-Length: 114
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: X-Vault-Namespace: <removedbyauthor>
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: X-Vault-Request: true
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: X-Vault-Token: <removedbyauthor>
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Accept-Encoding: gzip
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: {
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "canonical_id": "be8b8f76-2438-47b6-56a0-fcd4b31604f8",
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "mount_accessor": "auth_ldap_63bb7380",
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "name": "UPPER"
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: }
2021-11-11T14:41:27.055Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: -----------------------------------------------------
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 2021/11/11 14:41:27 [DEBUG] Vault API Response Details:
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: ---[ RESPONSE ]--------------------------------------
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: HTTP/2.0 200 OK
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Content-Length: 257
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Cache-Control: no-store
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Content-Type: application/json
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Date: Thu, 11 Nov 2021 14:40:59 GMT
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: {
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "request_id": "6454920a-fc6a-c101-5301-8873bfa3839e",
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "lease_id": "",
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "renewable": false,
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "lease_duration": 0,
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "data": {
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:   "canonical_id": "be8b8f76-2438-47b6-56a0-fcd4b31604f8",
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:   "id": "65fd8570-a867-3738-9d16-27cb7fc8a3e6"
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  },
2021-11-11T14:41:27.185Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "wrap_info": null,
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "warnings": null,
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "auth": null
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: }
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: -----------------------------------------------------
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 2021/11/11 14:41:27 [DEBUG] Wrote IdentityEntityAlias "UPPER"
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 2021/11/11 14:41:27 [DEBUG] Reading IdentityEntityAlias 65fd8570-a867-3738-9d16-27cb7fc8a3e6 from "/identity/entity-alias/id/65fd8570-a867-3738-9d16-27cb7fc8a3e6"
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 2021/11/11 14:41:27 [DEBUG] Vault API Request Details:
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: ---[ REQUEST ]---------------------------------------
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: GET /v1/identity/entity-alias/id/65fd8570-a867-3738-9d16-27cb7fc8a3e6 HTTP/1.1
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Host: <removedbyauthor>:8200
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: User-Agent: Go-http-client/1.1
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: X-Vault-Namespace: <removedbyauthor>
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: X-Vault-Request: true
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: X-Vault-Token: <removedbyauthor>
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Accept-Encoding: gzip
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 
2021-11-11T14:41:27.186Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: -----------------------------------------------------
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 2021/11/11 14:41:27 [DEBUG] Vault API Response Details:
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: ---[ RESPONSE ]--------------------------------------
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: HTTP/2.0 404 Not Found
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Content-Length: 14
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Cache-Control: no-store
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Content-Type: application/json
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: Date: Thu, 11 Nov 2021 14:40:59 GMT
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: {
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4:  "errors": []
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: }
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: -----------------------------------------------------
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 2021/11/11 14:41:27 [DEBUG] Read IdentityEntityAlias 65fd8570-a867-3738-9d16-27cb7fc8a3e6
2021-11-11T14:41:27.188Z [DEBUG] provider.terraform-provider-vault_v2.24.1_x4: 2021/11/11 14:41:27 [WARN] IdentityEntityAlias "65fd8570-a867-3738-9d16-27cb7fc8a3e6" not found, removing from state
2021/11/11 14:41:27 [DEBUG] POST https://<removedbyauthor>-state?ID=5a262b2d-0340-1898-98fc-d0c26696b4f5
╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to
│ vault_identity_entity_alias.pid_upper_alias["UPPER"], provider
│ "provider[\"registry.terraform.io/hashicorp/vault\"].base" produced an
│ unexpected new value: Root resource was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵

The resource is actually created within the Vault, but the ID is then removed from state, leaving it orphaned and unmanaged. On subsequent terraform apply runs this can work (provided I manually delete the alias each time on error).

I’m assuming this is a race condition and terraform attempts to read the alias before Vault has finished applying it.

Has anyone had this issue before?

Thanks.
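The failure mode in the log above is a read-after-write gap: the PUT returns 200 with an alias id, the immediate GET on that id returns 404, and the provider treats the 404 as "gone" and drops the resource from state, leaving an unmanaged alias behind. The following is an added example, not code from this thread or from the Vault provider, of how a client can handle that gap: retry the read with backoff, verify the read-back matches what was written, and delete the alias if it never becomes visible so nothing is left orphaned. It assumes only the two endpoints visible in the debug log plus Vault's DELETE on identity/entity-alias/id/<id>; the transport is pluggable, and the eventually-consistent fake Vault, the alias ids it hands out, and the token/namespace values are all constructed for the demonstration.

```python
"""Read-after-write helper for Vault identity entity aliases (added example)."""
import time
from typing import Callable, Optional, Tuple

# A transport takes (method, path, headers, json_body) and returns (status, json).
Transport = Callable[[str, str, dict, Optional[dict]], Tuple[int, dict]]


class AliasNotVisible(Exception):
    """The alias was created but never became readable within the retry budget."""


def create_alias(transport: Transport, token: str, namespace: str,
                 canonical_id: str, mount_accessor: str, name: str,
                 attempts: int = 5, base_delay: float = 0.2,
                 sleep=time.sleep) -> Tuple[str, int]:
    """Create an entity alias and return (alias_id, reads_needed) once it is readable."""
    headers = {"X-Vault-Token": token, "X-Vault-Namespace": namespace,
               "X-Vault-Request": "true"}
    body = {"canonical_id": canonical_id, "mount_accessor": mount_accessor, "name": name}
    status, resp = transport("PUT", "/v1/identity/entity-alias", headers, body)
    if status != 200:
        raise RuntimeError(f"create failed: HTTP {status} {resp}")
    alias_id = resp["data"]["id"]
    read_path = f"/v1/identity/entity-alias/id/{alias_id}"
    for attempt in range(attempts):
        status, resp = transport("GET", read_path, headers, None)
        if status == 200:
            data = resp["data"]
            # Verify the read-back really is the alias we wrote, not a stale or reused id.
            if data.get("canonical_id") != canonical_id or data.get("name") != name:
                raise RuntimeError(f"alias {alias_id} read back with unexpected data: {data}")
            return alias_id, attempt + 1
        if status != 404:
            raise RuntimeError(f"read failed: HTTP {status} {resp}")
        # 404 immediately after a 200 create: treat as "not yet visible" and back off.
        sleep(base_delay * (2 ** attempt))
    # Compensating action: remove the alias so no unmanaged object is left behind
    # (the manual cleanup step described in the thread, done automatically).
    transport("DELETE", read_path, headers, None)
    raise AliasNotVisible(f"alias {alias_id} not readable after {attempts} attempts; deleted")


class EventuallyConsistentFakeVault:
    """Constructed stand-in for Vault: creates succeed at once, reads 404 for `lag` calls."""

    def __init__(self, lag: int):
        self.lag = lag
        self.aliases: dict = {}
        self.pending: dict = {}
        self.calls: list = []

    def __call__(self, method: str, path: str, headers: dict, body: Optional[dict]):
        self.calls.append((method, path))
        if method == "PUT" and path == "/v1/identity/entity-alias":
            alias_id = f"alias-{len(self.aliases) + 1:04d}"  # constructed id
            self.aliases[alias_id] = dict(body, id=alias_id)
            self.pending[alias_id] = self.lag
            return 200, {"data": {"canonical_id": body["canonical_id"], "id": alias_id}}
        prefix = "/v1/identity/entity-alias/id/"
        if path.startswith(prefix):
            alias_id = path[len(prefix):]
            if alias_id not in self.aliases:
                return 404, {"errors": []}
            if method == "DELETE":
                del self.aliases[alias_id]
                self.pending.pop(alias_id, None)
                return 204, {}
            if self.pending.get(alias_id, 0) > 0:
                self.pending[alias_id] -= 1  # still "propagating": answer 404 like the log
                return 404, {"errors": []}
            return 200, {"data": self.aliases[alias_id]}
        return 404, {"errors": []}


def demo_converges(lag: int = 2) -> Tuple[str, int]:
    """Alias becomes visible after `lag` reads; returns (alias_id, reads_needed)."""
    fake = EventuallyConsistentFakeVault(lag=lag)
    return create_alias(fake, "tok", "ns", "ent-1", "auth_ldap_x", "UPPER",
                        sleep=lambda _s: None)


def demo_gives_up(lag: int = 10, attempts: int = 3) -> Tuple[bool, int]:
    """Alias never becomes visible; returns (raised, aliases_left_behind)."""
    fake = EventuallyConsistentFakeVault(lag=lag)
    try:
        create_alias(fake, "tok", "ns", "ent-1", "auth_ldap_x", "UPPER",
                     attempts=attempts, sleep=lambda _s: None)
        return False, len(fake.aliases)
    except AliasNotVisible:
        return True, len(fake.aliases)


if __name__ == "__main__":
    print("converged:", demo_converges())
    print("gave up:", demo_gives_up())
```

The two demo paths cover the thread's outcomes: with a short lag the alias is read on the third attempt and kept; with a lag longer than the retry budget the helper deletes what it created and raises, which is the opposite of the provider's behaviour of silently dropping the id from state. Against a real server, replace the fake with a transport that performs the HTTP calls and keeps the `sleep` default.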

I’d set it up by hand once to make sure it works as expected, then implement that code into Terraform. If you post those commands we can help you here; otherwise my advice would be to post in the Terraform section.

The way we have this implemented is to set up the LDAP in the root namespace, then map the namespace name to the LDAP group name in the namespace's Vault; the group within the namespace defines what role they get (admin, user, read-only, default, etc.).

Hi Aram,

Apologies if it wasn’t clear. The functionality works as expected once implemented.

The issue here is that the provisioning via the provider is not stable and often leads to a 404 even though the resource is created.