fix: issue-1776 - adjustment to accommodate new users with the password reset issue (#554)

* managing user endpoint lifecycle differently for password

* fix: accommodate brand new user circumstance with 1776 fix

* chore: dedupe from merge

Author: johndietz

aws-github/atlantis.yaml

@@ -15,7 +15,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

aws-github/terraform/users/modules/user/main.tf

@@ -25,6 +25,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
+  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" {
     ignore_changes=[data_json]
   }
 
-  # note: this resource only manages the user's initial password and has a lifecycle policy to
-  # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above
+  # note: this resource includes the initial password and only gets applied once
+  # changes to the user should be managed by the vault_generic_endpoint named "user" above
   data_json = jsonencode(
     {
-      password  = var.initial_password != "" ? var.initial_password : random_password.password.result
+      password  = var.initial_password != "" ? var.initial_password : random_password.password.result,
+      policies  = var.acl_policies,
+      token_ttl = "1h"
     }
   )
 }

aws-gitlab/atlantis.yaml

@@ -15,7 +15,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

aws-gitlab/terraform/users/modules/user/main.tf

@@ -34,6 +34,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
+  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" {
     ignore_changes=[data_json]
   }
 
-  # note: this resource only manages the user's initial password and has a lifecycle policy to
-  # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above
+  # note: this resource includes the initial password and only gets applied once
+  # changes to the user should be managed by the vault_generic_endpoint named "user" above
   data_json = jsonencode(
     {
-      password  = var.initial_password != "" ? var.initial_password : random_password.password.result
+      password  = var.initial_password != "" ? var.initial_password : random_password.password.result,
+      policies  = var.acl_policies,
+      token_ttl = "1h"
     }
   )
 }

civo-github/atlantis.yaml

@@ -15,7 +15,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

civo-github/terraform/users/modules/user/github/main.tf

@@ -25,6 +25,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
+  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" {
     ignore_changes=[data_json]
   }
 
-  # note: this resource only manages the user's initial password and has a lifecycle policy to
-  # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above
+  # note: this resource includes the initial password and only gets applied once
+  # changes to the user should be managed by the vault_generic_endpoint named "user" above
   data_json = jsonencode(
     {
-      password  = var.initial_password != "" ? var.initial_password : random_password.password.result
+      password  = var.initial_password != "" ? var.initial_password : random_password.password.result,
+      policies  = var.acl_policies,
+      token_ttl = "1h"
     }
   )
 }

civo-gitlab/atlantis.yaml

@@ -15,7 +15,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

civo-gitlab/terraform/users/modules/user/main.tf

@@ -34,6 +34,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
+  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" {
     ignore_changes=[data_json]
   }
 
-  # note: this resource only manages the user's initial password and has a lifecycle policy to
-  # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above
+  # note: this resource includes the initial password and only gets applied once
+  # changes to the user should be managed by the vault_generic_endpoint named "user" above
   data_json = jsonencode(
     {
-      password  = var.initial_password != "" ? var.initial_password : random_password.password.result
+      password  = var.initial_password != "" ? var.initial_password : random_password.password.result,
+      policies  = var.acl_policies,
+      token_ttl = "1h"
     }
   )
 }

digitalocean-github/atlantis.yaml

@@ -15,7 +15,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

digitalocean-github/terraform/users/modules/user/github/main.tf

@@ -25,6 +25,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
+  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" {
     ignore_changes=[data_json]
   }
 
-  # note: this resource only manages the user's initial password and has a lifecycle policy to
-  # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above
+  # note: this resource includes the initial password and only gets applied once
+  # changes to the user should be managed by the vault_generic_endpoint named "user" above
   data_json = jsonencode(
     {
-      password  = var.initial_password != "" ? var.initial_password : random_password.password.result
+      password  = var.initial_password != "" ? var.initial_password : random_password.password.result,
+      policies  = var.acl_policies,
+      token_ttl = "1h"
     }
   )
 }

digitalocean-gitlab/atlantis.yaml

@@ -15,7 +15,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

digitalocean-gitlab/terraform/users/modules/user/main.tf

@@ -34,6 +34,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
+  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" {
     ignore_changes=[data_json]
   }
 
-  # note: this resource only manages the user's initial password and has a lifecycle policy to
-  # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above
+  # note: this resource includes the initial password and only gets applied once
+  # changes to the user should be managed by the vault_generic_endpoint named "user" above
   data_json = jsonencode(
     {
-      password  = var.initial_password != "" ? var.initial_password : random_password.password.result
+      password  = var.initial_password != "" ? var.initial_password : random_password.password.result,
+      policies  = var.acl_policies,
+      token_ttl = "1h"
     }
   )
 }

gcp-github/atlantis.yaml

@@ -15,7 +15,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

gcp-github/terraform/users/modules/user/github/main.tf

@@ -25,6 +25,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
+  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -43,15 +44,19 @@ resource "vault_generic_endpoint" "user_password" {
     ignore_changes=[data_json]
   }
 
-  # note: this resource only manages the user's initial password and has a lifecycle policy to
-  # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above
+  # note: this resource includes the initial password and only gets applied once
+  # changes to the user should be managed by the vault_generic_endpoint named "user" above
   data_json = jsonencode(
     {
-      password  = var.initial_password != "" ? var.initial_password : random_password.password.result
+      password  = var.initial_password != "" ? var.initial_password : random_password.password.result,
+      policies  = var.acl_policies,
+      token_ttl = "1h"
     }
   )
 }
 
+
+
 resource "vault_generic_secret" "user" {
   path = "users/${var.username}"
 

gcp-gitlab/atlantis.yaml

@@ -15,7 +15,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

gcp-gitlab/terraform/users/modules/user/main.tf

@@ -34,6 +34,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
+  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" {
     ignore_changes=[data_json]
   }
 
-  # note: this resource only manages the user's initial password and has a lifecycle policy to
-  # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above
+  # note: this resource includes the initial password and only gets applied once
+  # changes to the user should be managed by the vault_generic_endpoint named "user" above
   data_json = jsonencode(
     {
-      password  = var.initial_password != "" ? var.initial_password : random_password.password.result
+      password  = var.initial_password != "" ? var.initial_password : random_password.password.result,
+      policies  = var.acl_policies,
+      token_ttl = "1h"
     }
   )
 }

k3d-github/atlantis.yaml

@@ -10,7 +10,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

k3d-gitlab/atlantis.yaml

@@ -10,7 +10,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

vultr-github/atlantis.yaml

@@ -15,7 +15,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

vultr-github/terraform/users/modules/user/github/main.tf

@@ -25,6 +25,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
+  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" {
     ignore_changes=[data_json]
   }
 
-  # note: this resource only manages the user's initial password and has a lifecycle policy to
-  # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above
+  # note: this resource includes the initial password and only gets applied once
+  # changes to the user should be managed by the vault_generic_endpoint named "user" above
   data_json = jsonencode(
     {
-      password  = var.initial_password != "" ? var.initial_password : random_password.password.result
+      password  = var.initial_password != "" ? var.initial_password : random_password.password.result,
+      policies  = var.acl_policies,
+      token_ttl = "1h"
     }
   )
 }

vultr-gitlab/atlantis.yaml

@@ -15,7 +15,7 @@ projects:
     terraform_version: 1.3.8
     autoplan:
       enabled: true
-      when_modified: ['**/*.tf', '*.tf*']
+      when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*']
   - dir: terraform/vault
     terraform_version: 1.3.8
     autoplan:

vultr-gitlab/terraform/users/modules/user/main.tf

@@ -34,6 +34,7 @@ resource "random_password" "password" {
 }
 
 resource "vault_generic_endpoint" "user" {
+  depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition
   path                 = "auth/userpass/users/${var.username}"
   ignore_absent_fields = true
 
@@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" {
     ignore_changes=[data_json]
   }
 
-  # note: this resource only manages the user's initial password and has a lifecycle policy to
-  # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above
+  # note: this resource includes the initial password and only gets applied once
+  # changes to the user should be managed by the vault_generic_endpoint named "user" above
   data_json = jsonencode(
     {
-      password  = var.initial_password != "" ? var.initial_password : random_password.password.result
+      password  = var.initial_password != "" ? var.initial_password : random_password.password.result,
+      policies  = var.acl_policies,
+      token_ttl = "1h"
     }
   )
 }