[Enhancement]: Support "password_authentication" for PostgreSQL backend #2315

Closed
Pigment-RomainLoisel opened this issue Aug 12, 2024 · 1 comment · Fixed by #2371

Comments

@Pigment-RomainLoisel

Description

The capability to send a password digest instead of cleartext was added last year, but it seems there is no associated parameter for the backend config in the Terraform provider (or I couldn't find it).

Affected Resource(s) and/or Data Source(s)

No response

Potential Terraform Configuration

No response

References

hashicorp/vault#19616

Would you like to implement a fix?

None

@jSherz

jSherz commented Aug 20, 2024

One workaround:

resource "vault_mount" "database_engine" {
  // ...
}

resource "vault_database_secret_backend_connection" "host" {
  // ...
}

resource "vault_generic_endpoint" "set_password_authentication" {
  path = "${vault_mount.database_engine.path}/config/${vault_database_secret_backend_connection.host.name}"

  disable_read   = true
  disable_delete = true

  # This Terraform resource sends a POST request, but the Vault API merges the
  # following property with the existing configuration.
  data_json = jsonencode({
    password_authentication = "scram-sha-256"
  })

  depends_on = [
    vault_database_secret_backend_connection.host
  ]

  lifecycle {
    replace_triggered_by = [vault_database_secret_backend_connection.host]
  }
}
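
For context on what the "password digest" discussed in this issue is: the sketch below is an added example, not code from this thread, from Vault, or from the Terraform provider. It builds the SCRAM-SHA-256 verifier string that PostgreSQL stores for a role, so the cleartext password never has to appear in the statement sent to the database. The function names are hypothetical, and it assumes an ASCII password (the SASLprep normalization step is skipped) plus PostgreSQL's default of 4096 iterations and a 16-byte salt.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCRAM_ITERATIONS = 4096  # assumption: PostgreSQL's default iteration count
SALT_LEN = 16            # assumption: PostgreSQL's default salt length


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def scram_sha256_verifier(password: str, salt: Optional[bytes] = None,
                          iterations: int = SCRAM_ITERATIONS) -> str:
    """Return SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey> (RFC 5802 keys)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    # SaltedPassword = PBKDF2-HMAC-SHA256(password, salt, iterations)
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()  # what the server keeps
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return (f"SCRAM-SHA-256${iterations}:{_b64(salt)}"
            f"${_b64(stored_key)}:{_b64(server_key)}")


def verify_password(password: str, verifier: str) -> bool:
    """Recompute the verifier with its own salt and iteration count, then compare."""
    try:
        scheme, params, _keys = verifier.split("$")
        iterations, salt_b64 = params.split(":")
        salt = base64.b64decode(salt_b64, validate=True)
        candidate = scram_sha256_verifier(password, salt, int(iterations))
    except ValueError:  # malformed verifier, bad base64 or non-numeric count
        return False
    if scheme != "SCRAM-SHA-256":
        return False
    return hmac.compare_digest(candidate.encode(), verifier.encode())


if __name__ == "__main__":
    pw = "constructed-example-password"  # constructed sample value
    v = scram_sha256_verifier(pw)
    print(v)
    print("round trip ok:", verify_password(pw, v))
```

A verifier in this form can be compared against `rolpassword` in `pg_authid` to confirm that a role was created with a SCRAM digest rather than an MD5 hash.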
