Introduction
Problem
Running terraform import vault_identity_group.groups ... fails with:

VAULT_GID="****194f-****-****-****-****c5b0"
export VAULT_NAMESPACE=test
terraform import vault_identity_group.groups $VAULT_GID

vault_identity_group.groups: Importing from ID "****194f-****-****-****-****c5b0"...
vault_identity_group.groups: Import prepared!
  Prepared vault_identity_group for import
vault_identity_group.groups: Refreshing state... [id=****194f-****-****-****-****c5b0]
╷
│ Error: failed to lookup token, err=Error making API request.
│
│ Namespace: test
│ URL: GET https://vault.hashicorp.cloud:8200/v1/auth/token/lookup-self
│ Code: 403. Errors:
│
│ * 1 error occurred:
│ * permission denied
In the above example, terraform import is used to import an identity group which resides in a Vault Namespace called test. Note that the import fails with a permission denied error. The group ID used is obtained from Vault.
Prerequisites
- Vault Enterprise
- Terraform
- Vault Provider for Terraform
- Vault Namespaces
Cause
Use the TERRAFORM_VAULT_NAMESPACE_IMPORT environment variable instead of VAULT_NAMESPACE. When VAULT_NAMESPACE is used, Terraform attempts to authenticate using the wrong Vault Namespace: the token lookup in the error above is sent to the test namespace.
Solution
Please find a working example using the TERRAFORM_VAULT_NAMESPACE_IMPORT variable below:

VAULT_GID="****194f-****-****-****-****c5b0"
export TERRAFORM_VAULT_NAMESPACE_IMPORT=test
terraform import vault_identity_group.groups $VAULT_GID

vault_identity_group.groups: Importing from ID "****194f-****-****-****-****c5b0"...
vault_identity_group.groups: Import prepared!
  Prepared vault_identity_group for import
vault_identity_group.groups: Refreshing state... [id=****194f-****-****-****-****c5b0]

Import successful!
The resources that were imported are shown above. These resources are now in your Terraform state.
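
A check for this failure in captured import output, as an added example that is not part of the original article or HashiCorp's code: it flags a 403 on auth/token/lookup-self that was sent to the namespace set in VAULT_NAMESPACE and prints the variable to use instead. The function name, its argument and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not HashiCorp's code); function and variable names are hypothetical.

# Constructed sample: a shortened copy of the failing output in the Problem section.
SAMPLE_LOG='vault_identity_group.groups: Refreshing state...
│ Error: failed to lookup token, err=Error making API request.
│
│ Namespace: test
│ URL: GET https://vault.hashicorp.cloud:8200/v1/auth/token/lookup-self
│ Code: 403. Errors:
│ * permission denied'

# Read `terraform import` output on stdin. $1 is the VAULT_NAMESPACE value
# that was set for that run (empty string if it was unset).
# Returns 0 and prints the replacement assignment when the output is a 403 on
# auth/token/lookup-self sent to the namespace named in $1.
# Returns 1 for any other output, including a successful import.
suggest_import_namespace() {
    awk -v configured="$1" '
        /Namespace: /               { ns = $NF }      # namespace the request went to
        /auth\/token\/lookup-self/  { lookup = 1 }    # the call that failed
        /Code: 403/                 { denied = 1 }    # permission denied
        END {
            if (lookup && denied && ns != "" && ns == configured) {
                print "TERRAFORM_VAULT_NAMESPACE_IMPORT=" ns
                exit 0
            }
            exit 1
        }'
}

# Demo on the constructed sample; "|| :" keeps the script going on no match.
printf '%s\n' "$SAMPLE_LOG" | suggest_import_namespace test || :
```

This is a heuristic on the output text only; it does not contact Vault or change any environment variable.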
Outcome
Successful import from a Vault Namespace using the Terraform Vault Provider.