Problem:
During a terraform plan, Terraform Vault Provider (TFVP) returns the following error on the vault provider block.
Error: could not determine the Vault server version, err=Error making API request.
│
│ Namespace: namespace1
│ URL: GET http://127.0.0.1:8200/v1/sys/seal-status
│ Code: 404. Errors:
│
│ * no handler for route "namespace1/sys/seal-status". route entry not found.
│
│ with provider["registry.terraform.io/hashicorp/vault"].namespace1,
│ on main.tf line 9, in provider "vault":
│ 9: provider "vault" {
Symptoms:
This error occurs when making use of provider aliases within the Vault Terraform provider block using hardcoded namespaces or referencing a namespace resource path.
Example:
provider "vault" {
  alias     = "namespace1"
  namespace = vault_namespace.namespace1.path
}

resource "vault_namespace" "namespace1" {
  path = "namespace1"
}
This error can also occur after upgrading the Terraform Vault Provider to version 3.15.1 or 3.16.0 - 3.19.0, even when no changes have been made to the configuration.
Cause:
This issue may be caused by changes in the Terraform Vault Provider to how namespaces can be derived from the token that is being used.
Solution:
This issue is fixed in Vault Provider version 3.20.0.
If you are unable to upgrade the Vault Provider to 3.20.0, a few workarounds do exist.
1. Pin back the Vault provider to the 3.15.0 version.
terraform {
  required_providers {
    vault = {
      # Provider address as shown in the error output above
      source  = "hashicorp/vault"
      version = "3.15.0"
    }
  }
}
2. Set the namespace in the provider block to the fully qualified namespace path, path_fq.
provider "vault" {
  alias     = "namespace1"
  namespace = vault_namespace.namespace1.path_fq
}
3. Set namespaces on the resource level instead of the provider level as recommended in the documentation.
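A sketch of workaround 3, added here as an illustration and not taken from the original article: the provider block carries no alias or namespace, and each resource names its own namespace. The child namespace "team-a" and the two KV mounts are hypothetical, and the example assumes a provider version that supports the per-resource namespace argument.

```hcl
# Single provider block: no alias and no namespace, so the provider
# never has to resolve sys/seal-status under a namespace that may not exist yet.
provider "vault" {}

resource "vault_namespace" "namespace1" {
  path = "namespace1"
}

# Hypothetical nested namespace, created inside namespace1.
resource "vault_namespace" "team_a" {
  namespace = vault_namespace.namespace1.path
  path      = "team-a"
}

# Hypothetical KV v2 mount placed in namespace1 at the resource level.
resource "vault_mount" "kv_namespace1" {
  namespace = vault_namespace.namespace1.path
  path      = "secret"
  type      = "kv"
  options   = { version = "2" }
}

# Hypothetical KV v2 mount in the nested namespace. path_fq gives the
# fully qualified path (namespace1/team-a), relative to the provider's namespace.
resource "vault_mount" "kv_team_a" {
  namespace = vault_namespace.team_a.path_fq
  path      = "secret"
  type      = "kv"
  options   = { version = "2" }
}
```

Referencing the vault_namespace attributes also gives Terraform the dependency ordering, so each namespace is created before the resources placed inside it.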