We are using Terraform for Cisco ACI and it’s working fine when credentials are defined in a variable file. Once we replaced the credentials with Vault KV it fails to refresh all the states and the plan outputs are not correct. This is similar to what happens when there is a problem with the connection between Terraform and the ACI controller.
Can you explain which of the vault data sources you’re using and what the error is?
I am using “vault_kv_secret_v2”. In the attached plan outputs we can see there is no difference between the TF state and the infrastructure with the local credentials. With the Vault credentials, TF plan suggests adding and destroying resources. This behaviour is similar to what happens when there is a problem with the connection to the Cisco ACI controllers.
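For readers following the thread, this is the configuration pattern under discussion, written out as an added example and not code from the original post: the ACI provider takes its credentials from a vault_kv_secret_v2 data source instead of from a variable file. The KV mount name, secret path, key names inside the secret, and the controller URL are assumptions for illustration.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
    aci = {
      source = "CiscoDevNet/aci"
    }
  }
}

provider "vault" {
  # Address and token are taken from VAULT_ADDR / VAULT_TOKEN in the environment.
}

# Assumed KV v2 mount "secret" and secret path "aci/apic1" (illustrative names).
data "vault_kv_secret_v2" "apic" {
  mount = "secret"
  name  = "aci/apic1"
}

provider "aci" {
  # Assumed keys "username" and "password" inside the secret's data map.
  username = data.vault_kv_secret_v2.apic.data["username"]
  password = data.vault_kv_secret_v2.apic.data["password"]
  url      = "https://apic1.example.com" # assumed controller URL
  insecure = true
}
```

Because the provider block references the data source, Terraform must read the secret from Vault before it can configure the ACI provider and refresh ACI resources; running `terraform plan` with this configuration and with the variable-file version side by side is the comparison the poster describes above.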
Curiously, I had a similar surprise using the vault_kv_secret_v2 data source, as well as some of the other ones (kv_subkeys_v2 for example). In my case, the secret was definitely there and correct, but not passed to or interpreted properly by Terraform.
This on the other hand may be expected behaviour. At the moment, your secrets are part of the state. When they are consumed as data, they might be removed or their value changed, and some of these changes may be destructive.
The behaviour is similar to what happens when there is a problem with the connection between TF and Cisco ACI. Not sure whether Vault is degrading the TF performance and failing to refresh all the states.