From bb408f8b4a25b16f691d61884fde8597343ffc1a Mon Sep 17 00:00:00 2001
From: John Dietz
Date: Tue, 29 Aug 2023 16:54:00 -0400
Subject: [PATCH] fix: issue-1776 - adjustment to accommodate new users with the password reset issue (#554)
* managing user endpoint lifecycle differently for password
* fix: accommodate brand new user circumstance with 1776 fix
* chore: dedupe from merge
---
aws-github/atlantis.yaml | 2 +-
aws-github/terraform/users/modules/user/main.tf | 9 ++++++---
aws-gitlab/atlantis.yaml | 2 +-
aws-gitlab/terraform/users/modules/user/main.tf | 9 ++++++---
civo-github/atlantis.yaml | 2 +-
.../terraform/users/modules/user/github/main.tf | 9 ++++++---
civo-gitlab/atlantis.yaml | 2 +-
civo-gitlab/terraform/users/modules/user/main.tf | 9 ++++++---
digitalocean-github/atlantis.yaml | 2 +-
.../terraform/users/modules/user/github/main.tf | 9 ++++++---
digitalocean-gitlab/atlantis.yaml | 2 +-
.../terraform/users/modules/user/main.tf | 9 ++++++---
gcp-github/atlantis.yaml | 2 +-
.../terraform/users/modules/user/github/main.tf | 11 ++++++++---
gcp-gitlab/atlantis.yaml | 2 +-
gcp-gitlab/terraform/users/modules/user/main.tf | 9 ++++++---
k3d-github/atlantis.yaml | 2 +-
k3d-gitlab/atlantis.yaml | 2 +-
vultr-github/atlantis.yaml | 2 +-
.../terraform/users/modules/user/github/main.tf | 9 ++++++---
vultr-gitlab/atlantis.yaml | 2 +-
vultr-gitlab/terraform/users/modules/user/main.tf | 9 ++++++---
22 files changed, 74 insertions(+), 42 deletions(-)
diff --git a/aws-github/atlantis.yaml b/aws-github/atlantis.yaml
index 14760ca3c..8b633375c 100644
--- a/aws-github/atlantis.yaml
+++ b/aws-github/atlantis.yaml
@@ -15,7 +15,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
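Review bot: The new `'**/modules/*.tf'` entry on the `when_modified` line matches only files directly inside a `modules/` directory, yet the module files this very patch edits sit at `terraform/users/modules/user/main.tf` and `modules/user/github/main.tf`, which that pattern does not reach. If the existing `'**/*.tf'` already recursed into those paths the additions are redundant; if it did not (which is what this change suggests), the nested module files will still not trigger an autoplan, so the stale-plan problem being fixed persists for exactly the files that matter. A pattern such as `'**/modules/**/*.tf'` covers both layouts; the same edit is repeated in all eleven `atlantis.yaml` files in this patch. Presumably Atlantis evaluates these globs relative to the project `dir` — confirm against the Atlantis version in use before relying on either reading.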
diff --git a/aws-github/terraform/users/modules/user/main.tf b/aws-github/terraform/users/modules/user/main.tf
index aec63b263..47ae13175 100644
--- a/aws-github/terraform/users/modules/user/main.tf
+++ b/aws-github/terraform/users/modules/user/main.tf
@@ -25,6 +25,7 @@ resource "random_password" "password" {
 }
 resource "vault_generic_endpoint" "user" { 
+ depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
 path = "auth/userpass/users/${var.username}"
 ignore_absent_fields = true
@@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" {
 ignore_changes=[data_json]
 } 
- # note: this resource only manages the user's initial password and has a lifecycle policy to 
- # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above 
+ # note: this resource includes the initial password and only gets applied once 
+ # changes to the user should be managed by the vault_generic_endpoint named "user" above
 data_json = jsonencode(
 {
- password = var.initial_password != "" ? var.initial_password : random_password.password.result 
+ password = var.initial_password != "" ? var.initial_password : random_password.password.result,
+ policies = var.acl_policies,
+ token_ttl = "1h"
 }
 )
 }
diff --git a/aws-gitlab/atlantis.yaml b/aws-gitlab/atlantis.yaml
index 46cc66164..ed8f5cf2c 100644
--- a/aws-gitlab/atlantis.yaml
+++ b/aws-gitlab/atlantis.yaml
@@ -15,7 +15,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
diff --git a/aws-gitlab/terraform/users/modules/user/main.tf b/aws-gitlab/terraform/users/modules/user/main.tf
index 1a0002cff..785d149d8 100644
--- a/aws-gitlab/terraform/users/modules/user/main.tf
+++ b/aws-gitlab/terraform/users/modules/user/main.tf
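Review bot: The comment `# avoids race condition` on the new `depends_on` line in the `user` resource understates what the edge is for: there is no concurrency here, the ordering is what makes the brand-new-user case work, because `user` writes `auth/userpass/users/<name>` while `user_password` is the resource that carries the password, and as far as I recall Vault's userpass backend refuses to create a user without one. A comment that states the real reason, e.g. `# user_password must create the user (with its initial password) before this resource updates it without one`, will keep the next maintainer from deleting the edge when they find no race to avoid. Note that `depends_on` only orders operations — if `user_password` is ever replaced, Terraform will not re-run `user`, so whatever `user` sets will not be reapplied until it next changes. The body of the `user` resource continues outside the hunk.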
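Review bot: The `policies = var.acl_policies` and `token_ttl = "1h"` keys added to `user_password`'s `data_json` live under the `ignore_changes=[data_json]` lifecycle rule visible at the top of the hunk, so they take effect only on first create; a later change to `var.acl_policies`, or a manual edit in Vault, is invisible to this resource and can only be reconciled by the sibling `user` resource, whose body this hunk does not show. That is safe only if `user` sets the same two keys — otherwise an operator who widens a user's policies or lifts the one-hour TTL directly in Vault is never reverted by Terraform. The rewritten note should say so explicitly, e.g. `# note: policies/token_ttl here are initial values only (data_json is ignored after create); the "user" resource is the source of truth for them`. Hard-coding `"1h"` in ten copies of this module is also a drift risk; a `var.token_ttl` with that default would keep the value in one place. The identical change is duplicated across nine other copies of this module in the patch, which is why a one-line fix needs a 22-file commit — consolidating them into a shared module is worth a follow-up.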
@@ -34,6 +34,7 @@ resource "random_password" "password" {
 }
 resource "vault_generic_endpoint" "user" { 
+ depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
 path = "auth/userpass/users/${var.username}"
 ignore_absent_fields = true
@@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" {
 ignore_changes=[data_json]
 } 
- # note: this resource only manages the user's initial password and has a lifecycle policy to 
- # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above 
+ # note: this resource includes the initial password and only gets applied once 
+ # changes to the user should be managed by the vault_generic_endpoint named "user" above
 data_json = jsonencode(
 {
- password = var.initial_password != "" ? var.initial_password : random_password.password.result 
+ password = var.initial_password != "" ? var.initial_password : random_password.password.result,
+ policies = var.acl_policies,
+ token_ttl = "1h"
 }
 )
 }
diff --git a/civo-github/atlantis.yaml b/civo-github/atlantis.yaml
index 46cc66164..ed8f5cf2c 100644
--- a/civo-github/atlantis.yaml
+++ b/civo-github/atlantis.yaml
@@ -15,7 +15,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
diff --git a/civo-github/terraform/users/modules/user/github/main.tf b/civo-github/terraform/users/modules/user/github/main.tf
index aec63b263..47ae13175 100644
--- a/civo-github/terraform/users/modules/user/github/main.tf
+++ b/civo-github/terraform/users/modules/user/github/main.tf
@@ -25,6 +25,7 @@ resource "random_password" "password" {
 }
 resource "vault_generic_endpoint" "user" { 
+ depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
 path = "auth/userpass/users/${var.username}"
 ignore_absent_fields = true
@@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" {
 ignore_changes=[data_json]
 } 
- # note: this resource only manages the user's initial password and has a lifecycle policy to 
- # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above 
+ # note: this resource includes the initial password and only gets applied once 
+ # changes to the user should be managed by the vault_generic_endpoint named "user" above
 data_json = jsonencode(
 {
- password = var.initial_password != "" ? var.initial_password : random_password.password.result 
+ password = var.initial_password != "" ? var.initial_password : random_password.password.result,
+ policies = var.acl_policies,
+ token_ttl = "1h"
 }
 )
 }
diff --git a/civo-gitlab/atlantis.yaml b/civo-gitlab/atlantis.yaml
index 46cc66164..ed8f5cf2c 100644
--- a/civo-gitlab/atlantis.yaml
+++ b/civo-gitlab/atlantis.yaml
@@ -15,7 +15,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
diff --git a/civo-gitlab/terraform/users/modules/user/main.tf b/civo-gitlab/terraform/users/modules/user/main.tf
index 1a0002cff..785d149d8 100644
--- a/civo-gitlab/terraform/users/modules/user/main.tf
+++ b/civo-gitlab/terraform/users/modules/user/main.tf
@@ -34,6 +34,7 @@ resource "random_password" "password" {
 }
 resource "vault_generic_endpoint" "user" { 
+ depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
 path = "auth/userpass/users/${var.username}"
 ignore_absent_fields = true
@@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" {
 ignore_changes=[data_json]
 } 
- # note: this resource only manages the user's initial password and has a lifecycle policy to 
- # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above 
+ # note: this resource includes the initial password and only gets applied once 
+ # changes to the user should be managed by the vault_generic_endpoint named "user" above
 data_json = jsonencode(
 {
- password = var.initial_password != "" ? var.initial_password : random_password.password.result 
+ password = var.initial_password != "" ? var.initial_password : random_password.password.result,
+ policies = var.acl_policies,
+ token_ttl = "1h"
 }
 )
 }
diff --git a/digitalocean-github/atlantis.yaml b/digitalocean-github/atlantis.yaml
index 46cc66164..ed8f5cf2c 100644
--- a/digitalocean-github/atlantis.yaml
+++ b/digitalocean-github/atlantis.yaml
@@ -15,7 +15,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
diff --git a/digitalocean-github/terraform/users/modules/user/github/main.tf b/digitalocean-github/terraform/users/modules/user/github/main.tf
index aec63b263..47ae13175 100644
--- a/digitalocean-github/terraform/users/modules/user/github/main.tf
+++ b/digitalocean-github/terraform/users/modules/user/github/main.tf
@@ -25,6 +25,7 @@ resource "random_password" "password" {
 }
 resource "vault_generic_endpoint" "user" { 
+ depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
 path = "auth/userpass/users/${var.username}"
 ignore_absent_fields = true
@@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" {
 ignore_changes=[data_json]
 } 
- # note: this resource only manages the user's initial password and has a lifecycle policy to 
- # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above 
+ # note: this resource includes the initial password and only gets applied once 
+ # changes to the user should be managed by the vault_generic_endpoint named "user" above
 data_json = jsonencode(
 {
- password = var.initial_password != "" ? var.initial_password : random_password.password.result 
+ password = var.initial_password != "" ? var.initial_password : random_password.password.result,
+ policies = var.acl_policies,
+ token_ttl = "1h"
 }
 )
 }
diff --git a/digitalocean-gitlab/atlantis.yaml b/digitalocean-gitlab/atlantis.yaml
index 46cc66164..ed8f5cf2c 100644
--- a/digitalocean-gitlab/atlantis.yaml
+++ b/digitalocean-gitlab/atlantis.yaml
@@ -15,7 +15,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
diff --git a/digitalocean-gitlab/terraform/users/modules/user/main.tf b/digitalocean-gitlab/terraform/users/modules/user/main.tf
index 1a0002cff..785d149d8 100644
--- a/digitalocean-gitlab/terraform/users/modules/user/main.tf
+++ b/digitalocean-gitlab/terraform/users/modules/user/main.tf
@@ -34,6 +34,7 @@ resource "random_password" "password" {
 }
 resource "vault_generic_endpoint" "user" { 
+ depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
 path = "auth/userpass/users/${var.username}"
 ignore_absent_fields = true
@@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" {
 ignore_changes=[data_json]
 } 
- # note: this resource only manages the user's initial password and has a lifecycle policy to 
- # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above 
+ # note: this resource includes the initial password and only gets applied once 
+ # changes to the user should be managed by the vault_generic_endpoint named "user" above
 data_json = jsonencode(
 {
- password = var.initial_password != "" ? var.initial_password : random_password.password.result 
+ password = var.initial_password != "" ? var.initial_password : random_password.password.result,
+ policies = var.acl_policies,
+ token_ttl = "1h"
 }
 )
 }
diff --git a/gcp-github/atlantis.yaml b/gcp-github/atlantis.yaml
index 46cc66164..ed8f5cf2c 100644
--- a/gcp-github/atlantis.yaml
+++ b/gcp-github/atlantis.yaml
@@ -15,7 +15,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
diff --git a/gcp-github/terraform/users/modules/user/github/main.tf b/gcp-github/terraform/users/modules/user/github/main.tf
index aec63b263..278ae38a5 100644
--- a/gcp-github/terraform/users/modules/user/github/main.tf
+++ b/gcp-github/terraform/users/modules/user/github/main.tf
@@ -25,6 +25,7 @@ resource "random_password" "password" {
 }
 resource "vault_generic_endpoint" "user" { 
+ depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
 path = "auth/userpass/users/${var.username}"
 ignore_absent_fields = true
@@ -43,15 +44,19 @@ resource "vault_generic_endpoint" "user_password" {
 ignore_changes=[data_json]
 } 
- # note: this resource only manages the user's initial password and has a lifecycle policy to 
- # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above 
+ # note: this resource includes the initial password and only gets applied once 
+ # changes to the user should be managed by the vault_generic_endpoint named "user" above
 data_json = jsonencode(
 {
- password = var.initial_password != "" ? var.initial_password : random_password.password.result 
+ password = var.initial_password != "" ? var.initial_password : random_password.password.result,
+ policies = var.acl_policies,
+ token_ttl = "1h"
 }
 )
 } 
+ 
+
 resource "vault_generic_secret" "user" {
 path = "users/${var.username}"
diff --git a/gcp-gitlab/atlantis.yaml b/gcp-gitlab/atlantis.yaml
index 46cc66164..ed8f5cf2c 100644
--- a/gcp-gitlab/atlantis.yaml
+++ b/gcp-gitlab/atlantis.yaml
@@ -15,7 +15,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
diff --git a/gcp-gitlab/terraform/users/modules/user/main.tf b/gcp-gitlab/terraform/users/modules/user/main.tf
index 1a0002cff..785d149d8 100644
--- a/gcp-gitlab/terraform/users/modules/user/main.tf
+++ b/gcp-gitlab/terraform/users/modules/user/main.tf
@@ -34,6 +34,7 @@ resource "random_password" "password" {
 }
 resource "vault_generic_endpoint" "user" { 
+ depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
 path = "auth/userpass/users/${var.username}"
 ignore_absent_fields = true
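Review bot: The two blank lines added before `resource "vault_generic_secret" "user"` at the bottom of this hunk are stray whitespace that makes the gcp-github copy of the module differ from the nine otherwise-identical copies in the patch; drop them (or run `terraform fmt`) so the copies stay diffable against each other. The `vault_generic_secret` writes to `users/${var.username}` and its body is outside the hunk, but if it persists the same initial password as a KV secret for hand-off, that resource deserves a comment stating who is expected to read it and that it does not follow a password change made through userpass. It also does not appear in the new `depends_on` on `user` earlier in this file, so nothing orders the KV secret relative to the userpass entry — presumably fine, but worth confirming nothing reads the secret before the login exists.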
@@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" {
 ignore_changes=[data_json]
 } 
- # note: this resource only manages the user's initial password and has a lifecycle policy to 
- # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above 
+ # note: this resource includes the initial password and only gets applied once 
+ # changes to the user should be managed by the vault_generic_endpoint named "user" above
 data_json = jsonencode(
 {
- password = var.initial_password != "" ? var.initial_password : random_password.password.result 
+ password = var.initial_password != "" ? var.initial_password : random_password.password.result,
+ policies = var.acl_policies,
+ token_ttl = "1h"
 }
 )
 }
diff --git a/k3d-github/atlantis.yaml b/k3d-github/atlantis.yaml
index 527f06b77..8d492d8c8 100644
--- a/k3d-github/atlantis.yaml
+++ b/k3d-github/atlantis.yaml
@@ -10,7 +10,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
diff --git a/k3d-gitlab/atlantis.yaml b/k3d-gitlab/atlantis.yaml
index 527f06b77..8d492d8c8 100644
--- a/k3d-gitlab/atlantis.yaml
+++ b/k3d-gitlab/atlantis.yaml
@@ -10,7 +10,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
diff --git a/vultr-github/atlantis.yaml b/vultr-github/atlantis.yaml
index 46cc66164..ed8f5cf2c 100644
--- a/vultr-github/atlantis.yaml
+++ b/vultr-github/atlantis.yaml
@@ -15,7 +15,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
diff --git a/vultr-github/terraform/users/modules/user/github/main.tf b/vultr-github/terraform/users/modules/user/github/main.tf
index aec63b263..47ae13175 100644
--- a/vultr-github/terraform/users/modules/user/github/main.tf
+++ b/vultr-github/terraform/users/modules/user/github/main.tf
@@ -25,6 +25,7 @@ resource "random_password" "password" {
 }
 resource "vault_generic_endpoint" "user" { 
+ depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
 path = "auth/userpass/users/${var.username}"
 ignore_absent_fields = true
@@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" {
 ignore_changes=[data_json]
 } 
- # note: this resource only manages the user's initial password and has a lifecycle policy to 
- # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above 
+ # note: this resource includes the initial password and only gets applied once 
+ # changes to the user should be managed by the vault_generic_endpoint named "user" above
 data_json = jsonencode(
 {
- password = var.initial_password != "" ? var.initial_password : random_password.password.result 
+ password = var.initial_password != "" ? var.initial_password : random_password.password.result,
+ policies = var.acl_policies,
+ token_ttl = "1h"
 }
 )
 }
diff --git a/vultr-gitlab/atlantis.yaml b/vultr-gitlab/atlantis.yaml
index 46cc66164..ed8f5cf2c 100644
--- a/vultr-gitlab/atlantis.yaml
+++ b/vultr-gitlab/atlantis.yaml
@@ -15,7 +15,7 @@ projects:
 terraform_version: 1.3.8
 autoplan:
 enabled: true 
- when_modified: ['**/*.tf', '*.tf*'] 
+ when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
 - dir: terraform/vault
 terraform_version: 1.3.8
 autoplan:
diff --git a/vultr-gitlab/terraform/users/modules/user/main.tf b/vultr-gitlab/terraform/users/modules/user/main.tf
index 1a0002cff..785d149d8 100644
--- a/vultr-gitlab/terraform/users/modules/user/main.tf
+++ b/vultr-gitlab/terraform/users/modules/user/main.tf
@@ -34,6 +34,7 @@ resource "random_password" "password" {
 }
 resource "vault_generic_endpoint" "user" { 
+ depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
 path = "auth/userpass/users/${var.username}"
 ignore_absent_fields = true
@@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" {
 ignore_changes=[data_json]
 } 
- # note: this resource only manages the user's initial password and has a lifecycle policy to 
- # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above 
+ # note: this resource includes the initial password and only gets applied once 
+ # changes to the user should be managed by the vault_generic_endpoint named "user" above
 data_json = jsonencode(
 {
- password = var.initial_password != "" ? var.initial_password : random_password.password.result 
+ password = var.initial_password != "" ? var.initial_password : random_password.password.result,
+ policies = var.acl_policies,
+ token_ttl = "1h"
 }
 )
 }