[Problem] rancher2_bootstrap resource token_update set to true exposes preceded token while generating new

[ek24014]

Rancher Server Setup

• Rancher version: 2.9.1
• Installation option (Docker install/Helm Chart): Installed and managed via terraform

Information about the Cluster

• Kubernetes version: 1.28.5
• Cluster Type (Local/Downstream): local

Provider Information

• Rancher v2 Terraform Provider version in use: 4.3.0
• Terraform version in use: 1.5.5

Describe the bug

rancher2_bootstarp resource has an attribute token_update which generates a new token during terraform apply run.
Example code:

resource "rancher2_bootstrap" "admin" {
provider = rancher2.rancher_bootstrap

initial_password = "<INSTALL_PASSWORD>"
password = "blahblah"
token_update = true
password = "random-generated"
telemetry = false
}

Apply results in removing original token and generating new token in Rancher, while still exposing the original (no longer existing token) as rancher2_bootstrap.admin.token

This is an issue while attempting to store the token in the keyvault as a secret. The value it is trying to store is unusable as well as it results in terraform error:

`Error: Provider produced inconsistent final plan
When expanding the plan for azurerm_key_vault_secret.rancher_admin_token to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for .value: inconsistent values for sensitive attribute.

This is a bug in the provider, which should be reported in the provider's own issue tracker. `

[matttrach]

When talking to Rancher v2.9x you should be using Terraform provider v5x. Please try using v5.1.0?
We test on Terraform v1.5.7, if possible try using that version?

Here is the Terraform provider to Rancher matrix:
Rancher v2.7.x = Terraform Rancher2 Provider v3.x in branch release/v3
Rancher v2.8.x = Terraform Rancher2 Provider v4.x in branch release/v4
Rancher v2.9.x = Terraform Rancher2 Provider v5.x in branch release/v5
Rancher v2.10.x = Terraform Rancher2 Provider v6.x in branch master

[black444]

I have similar situation with Rancher 2.8.5, terraform rancher2 provider 4.4.0, terraform 1.5.7.
Simple plan:

provider "rancher2" {
  alias = "bootstrap"

  api_url   = var.rancher2_url
  bootstrap = true
}

provider "rancher2" {
  alias = "admin"

  api_url   = var.rancher2_url
  token_key = rancher2_bootstrap.admin.token
}

resource "rancher2_bootstrap" "admin" {
  provider   = rancher2.bootstrap

  initial_password = var.rancher2_bootstrap_password
  password         = var.rancher2_admin_password

  token_ttl = 600
  token_update = true
}

resource "rancher2_setting" "auth_token_max_ttl_minutes" {
  provider = rancher2.admin

  name = "auth-token-max-ttl-minutes"
  value = "0"
}

I set token_ttl to 600 (10 minutes) for faster testing. The first bootstrap works fine. However, when the token expires, terraform apply stops working and returns the following error:

Error: Bad response statusCode [401]. Status [401 Unauthorized]. Body: [message=Unauthorized 401: must authenticate]

This is odd, because when I log in as admin user and navigate to Account & API Keys I can see new token with description Terraform bootstrap admin session.

[ek24014]

@matttrach We have updated rancher provider to v5.1.0 but are limited to updating terraform to above 1.5.5. The issue still exists. Also, to add as mentioned by above post, we looked at the token_update to mitigate the new introduced expiration limit of rancher token. However, while token_update set to true can rotate the token if the existing token is active but in case it expires that blocks the whole pipeline and the only solution is to alter the terraform state which is impractical. Using oidc would have been a much better solution.

[samjustus]

sure-9924

[bigkevmcd]

@ek24014 I am looking at addressing this bug if possible.

Would it be possible to get the output of... TF_LOG=debug terraform apply ?

That would help confirm that the reproduction case I have is the same problem.