Missing strict ordering: vault_mount must happen before vault_generic_secret (at least for PKI backend) about terraform-provider-vault HOT 6 CLOSED

The problem is that TF has no way to know that your second resource depends on the first. One option would be to reference the mount's path in defining the secret's path definition. For example,
path = "${vault_mount.team5_k8s_apiserver.path}/root/generate/internal"

By doing so you tell Terraform that the second resource requires the first, and they should be done serially.

Alternatively you could use depends_on to specify the relationship w/o using interpolation in the path. Personally, I'd prefer the interpolation route. Doing so allows you to change it in one location, should you want to, rather than tracking them down. Ultimately either way you're letting Terraform know that resource B needs resource A and that is the critical information it needs to make the decision.

from terraform-provider-vault.

Thanks for filing this! I just bumped into it myself. @therealbill your answer is spot-on - I'm applying the dependency-ordering-via-interpolation workaround to my config right now.

It still would be nice if Terraform could sort out these implicit dependencies between certain kinds of resources. I believe that would require a new core <-> provider API. It's definitely worth considering. I'll chat with the TF core folks about it at some point. 💭 👍

from terraform-provider-vault.

@andrejvanderzee @phinze https://www.terraform.io/intro/getting-started/dependencies.html#implicit-and-explicit-dependencies

from terraform-provider-vault.

Ah thanks @syndbg I had forgotten we call dependencies created via interpolation "implicit dependencies". I guess the potential feature I was referring to was more like "automatic dependencies" whereby Terraform would recognize that resources of a certain type need to always follow resources of another type given certain matching attributes. Just me musing on potential core functionality. 😄

In the meantime - using interpolation to draw "implicit dependencies" is the way to go!

from terraform-provider-vault.

Yep, it would be easier for use, but overall increase the complexity of the code greatly.

from terraform-provider-vault.

Terraform itself is responsible for managing the dependency graph. If one resource references an attribute of another, that resource will be created first e.g:

resource "vault_generic_secret" "team5_k8s_apiserver_ca" {
  path = "${vault_mount.team5_k8s_apiserver.path}/root/generate/internal"

  data_json = <<EOT
{
  "common_name": "xxx.io"
}
EOT
}

Closing this out as it is not a provider issue.

from terraform-provider-vault.