VAULT-35838: advance deprecation of duplicate HCL attributes to pending removal stage#31215
Merged
yhyakuna
reviewed
Jul 8, 2025
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
miagilepner
previously approved these changes
Jul 16, 2025
// allowHclDuplicatesEnvVar is an environment variable that allows Vault to revert back to accepting HCL files with
// duplicate attributes. It's temporary until we finish the deprecation process, at which point this will be removed
const allowHclDuplicatesEnvVar = "VAULT_ALLOW_PENDING_REMOVAL_DUPLICATE_HCL_ATTRIBUTES"
Collaborator
nit: can this code be shared so it isn't repeated here and in api/cliconfig/hcl_dup_attr_depreciation.go?
Contributor
Author
I didn't want to make this an exported function in the api package, as we offer backwards-compatibility guarantees on those functions, that's why this same function is repeated twice in api (and ofc because we can't share unexported functions between packages like api and api/cliconfig, even tho they are part of the same api module). The third copy of this function in the vault module is needed for the same reason, and I also didn't want to introduce a dependency from api to vault.
stevendpclark
previously approved these changes
Jul 23, 2025
brewgator
suggested changes
Jul 23, 2025
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
stevendpclark
approved these changes
Jul 23, 2025
brewgator
approved these changes
Jul 23, 2025
Erfankam
pushed a commit
to Erfankam/vault
that referenced
this pull request
Sep 1, 2025
…ng removal stage (hashicorp#31215)
* HCL dup attr deprecation: pending removal
* correct docs
* add changelog
* better error message for possible common errors
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
* Update website/content/partials/deprecation/duplicate-hcl-attributes.mdx
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
---------
Co-authored-by: Yoko Hyakuna <yoko@hashicorp.com>
Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
Description
This is a follow up to #30386, which went into Vault v1.20 (and backported to v1.1.6) and started to print warnings whenever Vault parsed any HCL with duplicate attributes, as well as returning some API warnings when creating policies with those duplicate attributes in their HCL definition.
Continuing to follow our deprecation process, this PR changes those warnings to be actual errors, preventing the parsing of HCL files containing duplicate attributes in Vault v1.21.x. The previous "log-only" behavior of v1.20.x can be restored in v1.21.x by setting VAULT_ALLOW_PENDING_REMOVAL_DUPLICATE_HCL_ATTRIBUTES to true.
I'm also rectifying the deprecation notice for duplicate attributes, which was incorrectly added directly to the "pending removal" stage in #30512. As for updating it to the proper "pending removal" on v1.21.x, that will have to wait until October when we cut a branch for v1.21.x.
Also, something important to highlight is that HCL allows defining multiple blocks of the same type, putting each definition into its own object in an array with the type name, like how we expect retry_join to be used. However, the HCL library without the patch preventing duplicate attributes would also allow that same behavior to concatenate explicit list assignment. For example, a similar example to what I used in #30386
would previously result in
capabilities = ["read", "write"] (unlike what I previously thought, the "overwrite" behavior doesn't apply to lists), while with the patch this is forbidden. I think this outcome is still in line with the goal of reducing the potential for confusion, so I'm keeping this restriction on "implicit list concatenation via attribute assignments", and also added some improved error messages for cases where I think customers could run into this issue, instructing them to use the block syntax instead, like we already have in our docs for retry_join.
Jira: VAULT-35838
ADR: VLT-006: Deprecate and remove duplicate attributes in HCL files in Vault
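As an added illustration of the rule this PR enforces (not code from the PR or from Vault itself), the Go below scans an HCL document for an attribute assigned twice within the same block, treats that as an error, and downgrades it to a warning only when the operator opts back into the v1.20 behaviour. The environment variable name is the one from the PR; reading it with strconv.ParseBool and the simplified line-based scan (one attribute or block header per line, no comments or heredocs) are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// Same name as the constant in the PR; reading it with ParseBool is an assumption.
const allowHclDuplicatesEnvVar = "VAULT_ALLOW_PENDING_REMOVAL_DUPLICATE_HCL_ATTRIBUTES"
var attrRe = regexp.MustCompile(`^([A-Za-z_][A-Za-z0-9_-]*)\s*=`)

// allowHclDuplicates is true when the operator opted back into the v1.20 log-only behaviour.
func allowHclDuplicates() bool {
	v, err := strconv.ParseBool(os.Getenv(allowHclDuplicatesEnvVar))
	return err == nil && v
}

// findDuplicateAttributes is a simplified line-based scan. Repeated blocks of one type (e.g. two
// retry_join blocks) are legal HCL and not flagged; an attribute assigned twice in one block scope is.
func findDuplicateAttributes(src string) []string {
	var dups []string
	scopes := []map[string]int{{}} // stack: attribute name -> line of first assignment
	for i, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if m := attrRe.FindStringSubmatch(line); m != nil {
			if first, seen := scopes[len(scopes)-1][m[1]]; seen {
				dups = append(dups, fmt.Sprintf("attribute %q at line %d duplicates line %d", m[1], i+1, first))
			} else {
				scopes[len(scopes)-1][m[1]] = i + 1
			}
		}
		if strings.HasSuffix(line, "{") {
			scopes = append(scopes, map[string]int{})
		} else if strings.HasPrefix(line, "}") && len(scopes) > 1 {
			scopes = scopes[:len(scopes)-1]
		}
	}
	return dups
}

// checkHCL applies the PR's rule: duplicates are an error unless the env var restores warnings.
func checkHCL(src string, allowDuplicates bool) (warnings []string, err error) {
	dups := findDuplicateAttributes(src)
	if len(dups) == 0 || allowDuplicates {
		return dups, nil
	}
	return nil, fmt.Errorf("%s; use the block syntax instead of repeating the attribute", strings.Join(dups, "; "))
}
```

Calling checkHCL(policy, allowHclDuplicates()) on a constructed policy that assigns capabilities twice inside one path block yields an error by default and a warning list once the variable is set to true.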