From be293827100808b605562748d147f907d529479d Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Fri, 26 May 2023 13:18:45 -0700 Subject: [PATCH 1/7] add rotate root test --- ...database_secret_backend_connection_test.go | 60 ++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go index 6011b9082..41175b2b8 100644 --- a/vault/resource_database_secret_backend_connection_test.go +++ b/vault/resource_database_secret_backend_connection_test.go 
@@ -767,6 +767,64 @@ func TestAccDatabaseSecretBackendConnection_postgresql(t *testing.T) { }) } +// This test makes sure that the DB connection resource is still +// operational even when an external rotate root call is made to update +// its credentials +func TestAccDatabaseSecretBackendConnection_externalRotateRoot(t *testing.T) { + MaybeSkipDBTests(t, dbEnginePostgres) + + values := testutil.SkipTestEnvUnset(t, "POSTGRES_ROTATE_URL") + connURL := values[0] + parsedURL, err := url.Parse(connURL) + if err != nil { + t.Fatal(err) + } + + username := parsedURL.User.Username() + password, _ := parsedURL.User.Password() + maxConnLifetime := "200" + backend := acctest.RandomWithPrefix("tf-test-db") + pluginName := dbEnginePostgres.DefaultPluginName() + name := acctest.RandomWithPrefix("db") + userTempl := "{{.DisplayName}}" + maxOpenConnections := "16" + updatedMaxOpenConnections := "20" + maxIdleConnections := "8" + updatedMaxIdleConnections := "12" + + resource.Test(t, resource.TestCase{ + Providers: testProviders, + PreCheck: func() { testutil.TestAccPreCheck(t) }, + CheckDestroy: testAccDatabaseSecretBackendConnectionCheckDestroy, + Steps: []resource.TestStep{ + { + Config: testAccDatabaseSecretBackendConnectionConfig_postgresql(name, backend, userTempl, username, password, maxOpenConnections, maxIdleConnections, maxConnLifetime, parsedURL), + Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName, + resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.username", username), + resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.password", password), + ), + }, + { + PreConfig: func() { + client := testProvider.Meta().(*provider.ProviderMeta).GetClient() + rotateRootPath := fmt.Sprintf("%s/rotate-root/%s", backend, name) + _, err := client.Logical().Write(rotateRootPath, nil) + if err != nil { + t.Error(err) + } + }, + // confirm that there is no change in password and yet 
plan was clean + // ensure an update is called to the connection by passing in an updated field + Config: testAccDatabaseSecretBackendConnectionConfig_postgresql(name, backend, userTempl, username, password, updatedMaxOpenConnections, updatedMaxIdleConnections, maxConnLifetime, parsedURL), + Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName, + resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.username", username), + resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.password", password), + ), + }, + }, + }) +} + func TestAccDatabaseSecretBackendConnection_elasticsearch(t *testing.T) { MaybeSkipDBTests(t, dbEngineElasticSearch) @@ -1476,7 +1534,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = vault_mount.db.path name = "%s" allowed_roles = ["dev", "prod"] - root_rotation_statements = ["FOOBAR"] + root_rotation_statements = [""] postgresql { connection_url = "%s" From 417cecd14464b58d584bb706659c4c93db7e2a1a Mon Sep 17 00:00:00 2001 From: Vinay Gopalan Date: Fri, 26 May 2023 13:50:24 -0700 Subject: [PATCH 2/7] add in fix for external password rotation --- ...urce_database_secret_backend_connection.go | 11 +++- ...database_secret_backend_connection_test.go | 54 ++++++++++++------- 2 files changed, 43 insertions(+), 22 deletions(-) diff --git a/vault/resource_database_secret_backend_connection.go b/vault/resource_database_secret_backend_connection.go index 8bbfe6dea..4add20a19 100644 --- a/vault/resource_database_secret_backend_connection.go +++ b/vault/resource_database_secret_backend_connection.go @@ -19,6 +19,7 @@ import ( "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" "github.com/hashicorp/vault/api" + "github.com/hashicorp/terraform-provider-vault/internal/consts" "github.com/hashicorp/terraform-provider-vault/internal/provider" "github.com/hashicorp/terraform-provider-vault/util" ) 
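Review bot: A failed rotate-root call inside the PreConfig closure is only reported with `t.Error(err)`, so the second step still runs and passes without any rotation having happened, which makes the test pass vacuously; `t.Fatalf("rotating root credentials at %s: %v", rotateRootPath, err)` would abort the run instead. The same pattern is kept in the PreConfig hunks of patches 2 and 3. Separately, `password, _ := parsedURL.User.Password()` drops the presence flag, so a `POSTGRES_ROTATE_URL` without a password silently runs the test with an empty one; checking the bool and failing early there gives a clear message.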
@@ -1510,8 +1511,14 @@ func setDatabaseConnectionDataWithUserPass(d *schema.ResourceData, prefix string data["username"] = d.Get(prefix + "username") - if v, ok := d.GetOk(prefix + "password"); ok { - data["password"] = v.(string) + // Vault does not return the password in the API. If the root credentials have been rotated, sending + // the old password in the update request would break the connection config. Thus we only send it, + // if it actually changed to still support updating it for non-rotated cases. + passwordKey := prefix + consts.FieldPassword + if v, ok := d.GetOk(passwordKey); ok { + if d.IsNewResource() || d.HasChange(passwordKey) { + data["password"] = v.(string) + } } } diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go index 41175b2b8..6e244e867 100644 --- a/vault/resource_database_secret_backend_connection_test.go +++ b/vault/resource_database_secret_backend_connection_test.go 
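Review bot: The new guard means a password whose configured value is unchanged is never re-sent on update, so after an external rotation the Terraform state keeps the old plain-text value and the only way to push a password from Terraform again is to change it; that consequence should be stated in the comment so a later reader does not "fix" the guard back. The existing comment also has a stray comma ("we only send it, if"). Suggested wording for the comment block: say that Vault never returns the password, that a stale state value must not overwrite rotated credentials, and that the password is therefore sent only on create or when its configured value changes, noting explicitly that the value held in state may be stale after a rotation. setDatabaseConnectionDataWithUserPass starts outside the hunk.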
@@ -773,32 +773,21 @@ func TestAccDatabaseSecretBackendConnection_postgresql(t *testing.T) { func TestAccDatabaseSecretBackendConnection_externalRotateRoot(t *testing.T) { MaybeSkipDBTests(t, dbEnginePostgres) - values := testutil.SkipTestEnvUnset(t, "POSTGRES_ROTATE_URL") - connURL := values[0] - parsedURL, err := url.Parse(connURL) - if err != nil { - t.Fatal(err) - } - - username := parsedURL.User.Username() - password, _ := parsedURL.User.Password() - maxConnLifetime := "200" + username := "postgres" + password := "NotSecurePassword1" backend := acctest.RandomWithPrefix("tf-test-db") pluginName := dbEnginePostgres.DefaultPluginName() name := acctest.RandomWithPrefix("db") - userTempl := "{{.DisplayName}}" maxOpenConnections := "16" updatedMaxOpenConnections := "20" - maxIdleConnections := "8" - updatedMaxIdleConnections := "12" resource.Test(t, resource.TestCase{ - Providers: testProviders, - PreCheck: func() { testutil.TestAccPreCheck(t) }, - CheckDestroy: testAccDatabaseSecretBackendConnectionCheckDestroy, + ProviderFactories: providerFactories, + PreCheck: func() { testutil.TestAccPreCheck(t) }, + CheckDestroy: testAccDatabaseSecretBackendConnectionCheckDestroy, Steps: []resource.TestStep{ { - Config: testAccDatabaseSecretBackendConnectionConfig_postgresql(name, backend, userTempl, username, password, maxOpenConnections, maxIdleConnections, maxConnLifetime, parsedURL), + Config: testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, backend, username, password, maxOpenConnections), Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName, resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.username", username), resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.password", password), 
@@ -808,14 +797,15 @@ func TestAccDatabaseSecretBackendConnection_externalRotateRoot(t *testing.T) { PreConfig: func() { client := testProvider.Meta().(*provider.ProviderMeta).GetClient() rotateRootPath := fmt.Sprintf("%s/rotate-root/%s", backend, name) - _, err := client.Logical().Write(rotateRootPath, nil) + resp, err := client.Logical().Write(rotateRootPath, nil) + t.Log(resp) if err != nil { t.Error(err) } }, // confirm that there is no change in password and yet plan was clean // ensure an update is called to the connection by passing in an updated field - Config: testAccDatabaseSecretBackendConnectionConfig_postgresql(name, backend, userTempl, username, password, updatedMaxOpenConnections, updatedMaxIdleConnections, maxConnLifetime, parsedURL), + Config: testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, backend, username, password, updatedMaxOpenConnections), Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName, resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.username", username), resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.password", password), @@ -1534,7 +1524,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = vault_mount.db.path name = "%s" allowed_roles = ["dev", "prod"] - root_rotation_statements = [""] + root_rotation_statements = ["FOOBAR"] postgresql { connection_url = "%s" 
@@ -1550,6 +1540,30 @@ resource "vault_database_secret_backend_connection" "test" { `, path, name, parsedURL.String(), openConn, idleConn, maxConnLifetime, username, password, userTempl) } +func testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, path, username, password, openConn string) string { + return fmt.Sprintf(` +resource "vault_mount" "db" { + path = "%s" + type = "database" +} + +resource "vault_database_secret_backend_connection" "test" { + backend = vault_mount.db.path + name = "%s" + allowed_roles = ["dev", "prod"] + root_rotation_statements = [""] + + postgresql { + connection_url = "postgresql://{{username}}:{{password}}@localhost:5432/postgres?sslmode=disable" + max_open_connections = "%s" + username = "%s" + password = "%s" + disable_escaping = true + } +} +`, path, name, openConn, username, password) +} + func testAccDatabaseSecretBackendConnectionConfig_postgresql_reset_optional_values(name, path string, parsedURL *url.URL) string { return fmt.Sprintf(` resource "vault_mount" "db" { From 90227615c0164115feb66c8dba40dd42c85f9b0a Mon Sep 17 00:00:00 2001 From: Raymond Ho Date: Wed, 31 May 2023 10:42:16 -0700 Subject: [PATCH 3/7] fix test, remove empty string from root_rotation_statements that prevented root password from rotating --- docker-compose.yaml | 8 ++++++++ vault/resource_database_secret_backend_connection.go | 2 +- vault/resource_database_secret_backend_connection_test.go | 8 ++++---- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 2144d0d13..f76aec431 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -56,3 +56,11 @@ services: - LDAP_ADMIN_PASSWORD=adminpassword - LDAP_USERS=alice,bob,foo - LDAP_PASSWORDS=password1,password2,password3 + + postgres: + image: postgres + ports: + - '5432:5432' + environment: + POSTGRES_PASSWORD: secret + POSTGRES_DB: database \ No newline at end of file 
diff --git a/vault/resource_database_secret_backend_connection.go b/vault/resource_database_secret_backend_connection.go index 4add20a19..313d2e1fb 100644 --- a/vault/resource_database_secret_backend_connection.go +++ b/vault/resource_database_secret_backend_connection.go @@ -1517,7 +1517,7 @@ func setDatabaseConnectionDataWithUserPass(d *schema.ResourceData, prefix string passwordKey := prefix + consts.FieldPassword if v, ok := d.GetOk(passwordKey); ok { if d.IsNewResource() || d.HasChange(passwordKey) { - data["password"] = v.(string) + data[consts.FieldPassword] = v.(string) } } } diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go index 6e244e867..a654328a4 100644 --- a/vault/resource_database_secret_backend_connection_test.go +++ b/vault/resource_database_secret_backend_connection_test.go @@ -770,11 +770,12 @@ func TestAccDatabaseSecretBackendConnection_postgresql(t *testing.T) { // This test makes sure that the DB connection resource is still // operational even when an external rotate root call is made to update // its credentials +// Prerequisites: run the Postgres container found in docker-compose.yaml func TestAccDatabaseSecretBackendConnection_externalRotateRoot(t *testing.T) { MaybeSkipDBTests(t, dbEnginePostgres) username := "postgres" - password := "NotSecurePassword1" + password := "secret" backend := acctest.RandomWithPrefix("tf-test-db") pluginName := dbEnginePostgres.DefaultPluginName() name := acctest.RandomWithPrefix("db") @@ -797,8 +798,7 @@ func TestAccDatabaseSecretBackendConnection_externalRotateRoot(t *testing.T) { PreConfig: func() { client := testProvider.Meta().(*provider.ProviderMeta).GetClient() rotateRootPath := fmt.Sprintf("%s/rotate-root/%s", backend, name) - resp, err := client.Logical().Write(rotateRootPath, nil) - t.Log(resp) + _, err := client.Logical().Write(rotateRootPath, nil) if err != nil { t.Error(err) } 
@@ -1551,7 +1551,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = vault_mount.db.path name = "%s" allowed_roles = ["dev", "prod"] - root_rotation_statements = [""] + root_rotation_statements = [] postgresql { connection_url = "postgresql://{{username}}:{{password}}@localhost:5432/postgres?sslmode=disable" From 76aec3409c93fc78f4b5d8d2b0d055af454a377b Mon Sep 17 00:00:00 2001 From: Raymond Ho Date: Wed, 31 May 2023 11:42:17 -0700 Subject: [PATCH 4/7] set environment variable for POSTGRES_HOST --- .github/workflows/build.yml | 1 + testutil/testutil.go | 5 +++++ ..._database_secret_backend_connection_test.go | 18 +++++++++++------- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 92f42a59c..930ac4d1b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -147,6 +147,7 @@ jobs: MONGODB_URL: "mongodb://root:mongodb@mongo:27017/admin?ssl=false" MSSQL_URL: "sqlserver://sa:${{ secrets.MSSQL_SA_PASSWORD }}@mssql:1433" POSTGRES_URL: "postgres://postgres:secret@postgres:5432/database?sslmode=disable" + POSTGRES_HOST: "postgres:5432" COUCHBASE_HOST: couchbase COUCHBASE_USERNAME: Administrator COUCHBASE_PASSWORD: password diff --git a/testutil/testutil.go b/testutil/testutil.go index 915aba057..3634fcf19 100644 --- a/testutil/testutil.go +++ b/testutil/testutil.go @@ -109,6 +109,11 @@ func GetTestAWSCreds(t *testing.T) (string, string) { return v[0], v[1] } +func GetTestPostgresCreds(t *testing.T) (url, host string) { + v := SkipTestEnvUnset(t, "POSTGRES_URL", "POSTGRES_HOST") + return v[0], v[1] +} + func GetTestAWSRegion(t *testing.T) string { v := SkipTestEnvUnset(t, "AWS_DEFAULT_REGION") return v[0] diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go index a654328a4..aa1340987 100644 --- a/vault/resource_database_secret_backend_connection_test.go 
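Review bot: `GetTestPostgresCreds` is exported but has no doc comment, and its name does not describe what it returns: the values are a connection URL and a host, not credentials, so a name such as `GetTestPostgresURLAndHost` would be clearer. The named result `url` also shadows the `net/url` package inside the body if testutil.go imports it (not visible here), which Go convention avoids. The only caller in this series discards the first value, so requiring `POSTGRES_URL` just to throw it away is worth revisiting.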
+++ b/vault/resource_database_secret_backend_connection_test.go @@ -770,12 +770,16 @@ func TestAccDatabaseSecretBackendConnection_postgresql(t *testing.T) { // This test makes sure that the DB connection resource is still // operational even when an external rotate root call is made to update // its credentials -// Prerequisites: run the Postgres container found in docker-compose.yaml +// Prerequisites: +// 1. run the Postgres container found in docker-compose.yaml +// 2. export POSTGRES_HOST=localhost:5432 && export POSTGRES_URL=whatever +// Note: this test updates the credentials, so a container restart will be required for reruns. func TestAccDatabaseSecretBackendConnection_externalRotateRoot(t *testing.T) { MaybeSkipDBTests(t, dbEnginePostgres) - username := "postgres" password := "secret" + _, postgresHost := testutil.GetTestPostgresCreds(t) + backend := acctest.RandomWithPrefix("tf-test-db") pluginName := dbEnginePostgres.DefaultPluginName() name := acctest.RandomWithPrefix("db") @@ -788,7 +792,7 @@ func TestAccDatabaseSecretBackendConnection_externalRotateRoot(t *testing.T) { CheckDestroy: testAccDatabaseSecretBackendConnectionCheckDestroy, Steps: []resource.TestStep{ { - Config: testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, backend, username, password, maxOpenConnections), + Config: testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, backend, postgresHost, username, password, maxOpenConnections), Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName, resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.username", username), resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.password", password), 
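Review bot: The rotate-root call this test makes (in the PreConfig shown in patch 3) rotates the password of the shared `postgres` account that `POSTGRES_URL` in build.yml also uses (`postgres://postgres:secret@postgres:5432/...`), so any Postgres acceptance test that runs after it in the same CI job will fail to connect; the added "container restart will be required for reruns" note documents the symptom rather than isolating the test. Using a dedicated database user for this test, or running it in its own job, would avoid the cross-test interference. The prerequisites comment also tells users to `export POSTGRES_URL=whatever` while the code discards that value (`_, postgresHost := testutil.GetTestPostgresCreds(t)`); requiring only `POSTGRES_HOST`, or actually using the URL, would keep the comment accurate.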
@@ -805,7 +809,7 @@ func TestAccDatabaseSecretBackendConnection_externalRotateRoot(t *testing.T) { }, // confirm that there is no change in password and yet plan was clean // ensure an update is called to the connection by passing in an updated field - Config: testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, backend, username, password, updatedMaxOpenConnections), + Config: testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, backend, postgresHost, username, password, updatedMaxOpenConnections), Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName, resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.username", username), resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.password", password), @@ -1540,7 +1544,7 @@ resource "vault_database_secret_backend_connection" "test" { `, path, name, parsedURL.String(), openConn, idleConn, maxConnLifetime, username, password, userTempl) } -func testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, path, username, password, openConn string) string { +func testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, path, postgresHost, username, password, openConn string) string { return fmt.Sprintf(` resource "vault_mount" "db" { path = "%s" 
@@ -1554,14 +1558,14 @@ resource "vault_database_secret_backend_connection" "test" { root_rotation_statements = [] postgresql { - connection_url = "postgresql://{{username}}:{{password}}@localhost:5432/postgres?sslmode=disable" + connection_url = "postgresql://{{username}}:{{password}}@%s/postgres?sslmode=disable" max_open_connections = "%s" username = "%s" password = "%s" disable_escaping = true } } -`, path, name, openConn, username, password) +`, path, name, postgresHost, openConn, username, password) } func testAccDatabaseSecretBackendConnectionConfig_postgresql_reset_optional_values(name, path string, parsedURL *url.URL) string { From f63cde4dfc308739daf488a61d48ae5e37ef659e Mon Sep 17 00:00:00 2001 From: Raymond Ho Date: Tue, 6 Jun 2023 13:31:07 -0700 Subject: [PATCH 5/7] use existing mysql test to verify password didn't get overwritten --- .github/workflows/build.yml | 1 - docker-compose.yaml | 10 +--- testutil/testutil.go | 5 -- ...database_secret_backend_connection_test.go | 58 ++----------------- 4 files changed, 5 insertions(+), 69 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 930ac4d1b..92f42a59c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -147,7 +147,6 @@ jobs: MONGODB_URL: "mongodb://root:mongodb@mongo:27017/admin?ssl=false" MSSQL_URL: "sqlserver://sa:${{ secrets.MSSQL_SA_PASSWORD }}@mssql:1433" POSTGRES_URL: "postgres://postgres:secret@postgres:5432/database?sslmode=disable" - POSTGRES_HOST: "postgres:5432" COUCHBASE_HOST: couchbase COUCHBASE_USERNAME: Administrator COUCHBASE_PASSWORD: password diff --git a/docker-compose.yaml b/docker-compose.yaml index f76aec431..67fd85275 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml 
@@ -55,12 +55,4 @@ services: - LDAP_ADMIN_USERNAME=admin - LDAP_ADMIN_PASSWORD=adminpassword - LDAP_USERS=alice,bob,foo - - LDAP_PASSWORDS=password1,password2,password3 - - postgres: - image: postgres - ports: - - '5432:5432' - environment: - POSTGRES_PASSWORD: secret - POSTGRES_DB: database \ No newline at end of file + - LDAP_PASSWORDS=password1,password2,password3 \ No newline at end of file diff --git a/testutil/testutil.go b/testutil/testutil.go index 3634fcf19..915aba057 100644 --- a/testutil/testutil.go +++ b/testutil/testutil.go @@ -109,11 +109,6 @@ func GetTestAWSCreds(t *testing.T) (string, string) { return v[0], v[1] } -func GetTestPostgresCreds(t *testing.T) (url, host string) { - v := SkipTestEnvUnset(t, "POSTGRES_URL", "POSTGRES_HOST") - return v[0], v[1] -} - func GetTestAWSRegion(t *testing.T) string { v := SkipTestEnvUnset(t, "AWS_DEFAULT_REGION") return v[0] diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go index aa1340987..77b797fe4 100644 --- a/vault/resource_database_secret_backend_connection_test.go +++ b/vault/resource_database_secret_backend_connection_test.go @@ -643,7 +643,7 @@ func TestAccDatabaseSecretBackendConnectionTemplatedUpdateExcludePassword_mysql( ), }, { - Config: testAccDatabaseSecretBackendConnectionConfigTemplated_mysql(name, backend, testConnURL, secondaryRootUsername, secondaryRootPassword, 10), + Config: testAccDatabaseSecretBackendConnectionConfigTemplated_mysql(name, backend, testConnURL, secondaryRootUsername, secondaryRootPassword, 15), PreConfig: func() { path := fmt.Sprintf("%s/rotate-root/%s", backend, name) client := testProvider.Meta().(*provider.ProviderMeta).GetClient() 
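Review bot: What proves the stale password is no longer overwriting the Vault config is that this update step succeeds at all after `rotate-root` in PreConfig, since the step asserts `verify_connection` is `true` (next hunk) and a write that re-sent the old password would be expected to fail verification; the 10→15 lifetime change is only there to force an update, and none of this is written down. A future edit could drop the lifetime change or the PreConfig and leave a test that passes vacuously. Suggested comment above the step's `Config:` line: `// PreConfig rotates the real root password; this update must succeed without re-sending the stale one (verify_connection is true), which is what the password guard in setDatabaseConnectionDataWithUserPass provides`. The enclosing test function and the rest of the PreConfig body lie outside this hunk.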
@@ -661,7 +661,9 @@ func TestAccDatabaseSecretBackendConnectionTemplatedUpdateExcludePassword_mysql( resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.1", "prod"), resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "verify_connection", "true"), resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.connection_url", testConnURL), - resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.max_connection_lifetime", "10"), + resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.max_connection_lifetime", "15"), + resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.username", secondaryRootUsername), + resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.password", secondaryRootPassword), ), }, }, 
@@ -767,58 +769,6 @@ func TestAccDatabaseSecretBackendConnection_postgresql(t *testing.T) { }) } -// This test makes sure that the DB connection resource is still -// operational even when an external rotate root call is made to update -// its credentials -// Prerequisites: -// 1. run the Postgres container found in docker-compose.yaml -// 2. export POSTGRES_HOST=localhost:5432 && export POSTGRES_URL=whatever -// Note: this test updates the credentials, so a container restart will be required for reruns. -func TestAccDatabaseSecretBackendConnection_externalRotateRoot(t *testing.T) { - MaybeSkipDBTests(t, dbEnginePostgres) - username := "postgres" - password := "secret" - _, postgresHost := testutil.GetTestPostgresCreds(t) - - backend := acctest.RandomWithPrefix("tf-test-db") - pluginName := dbEnginePostgres.DefaultPluginName() - name := acctest.RandomWithPrefix("db") - maxOpenConnections := "16" - updatedMaxOpenConnections := "20" - - resource.Test(t, resource.TestCase{ - ProviderFactories: providerFactories, - PreCheck: func() { testutil.TestAccPreCheck(t) }, - CheckDestroy: testAccDatabaseSecretBackendConnectionCheckDestroy, - Steps: []resource.TestStep{ - { - Config: testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, backend, postgresHost, username, password, maxOpenConnections), - Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName, - resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.username", username), - resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.password", password), - ), - }, - { - PreConfig: func() { - client := testProvider.Meta().(*provider.ProviderMeta).GetClient() - rotateRootPath := fmt.Sprintf("%s/rotate-root/%s", backend, name) - _, err := client.Logical().Write(rotateRootPath, nil) - if err != nil { - t.Error(err) - } - }, - // confirm that there is no change in password and yet plan was clean - // ensure an update is 
called to the connection by passing in an updated field - Config: testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, backend, postgresHost, username, password, updatedMaxOpenConnections), - Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName, - resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.username", username), - resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.password", password), - ), - }, - }, - }) -} - func TestAccDatabaseSecretBackendConnection_elasticsearch(t *testing.T) { MaybeSkipDBTests(t, dbEngineElasticSearch) From 524393bd6f39a4be5e126c42c4b9be1ec148e80a Mon Sep 17 00:00:00 2001 From: Raymond Ho Date: Tue, 6 Jun 2023 13:31:46 -0700 Subject: [PATCH 6/7] remove unneeded config --- ...database_secret_backend_connection_test.go | 24 ------------------- 1 file changed, 24 deletions(-) diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go index 77b797fe4..23a049c3f 100644 --- a/vault/resource_database_secret_backend_connection_test.go +++ b/vault/resource_database_secret_backend_connection_test.go 
@@ -1494,30 +1494,6 @@ resource "vault_database_secret_backend_connection" "test" { `, path, name, parsedURL.String(), openConn, idleConn, maxConnLifetime, username, password, userTempl) } -func testAccDatabaseSecretBackendConnectionConfig_PostgresRotateRoot(name, path, postgresHost, username, password, openConn string) string { - return fmt.Sprintf(` -resource "vault_mount" "db" { - path = "%s" - type = "database" -} - -resource "vault_database_secret_backend_connection" "test" { - backend = vault_mount.db.path - name = "%s" - allowed_roles = ["dev", "prod"] - root_rotation_statements = [] - - postgresql { - connection_url = "postgresql://{{username}}:{{password}}@%s/postgres?sslmode=disable" - max_open_connections = "%s" - username = "%s" - password = "%s" - disable_escaping = true - } -} -`, path, name, postgresHost, openConn, username, password) -} - func testAccDatabaseSecretBackendConnectionConfig_postgresql_reset_optional_values(name, path string, parsedURL *url.URL) string { return fmt.Sprintf(` resource "vault_mount" "db" { From 9911f9ace842a6a345c99e54463e3c7effdead91 Mon Sep 17 00:00:00 2001 From: Raymond Ho Date: Tue, 6 Jun 2023 13:32:30 -0700 Subject: [PATCH 7/7] add new line back in docker-compose.yaml --- docker-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 67fd85275..2144d0d13 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -55,4 +55,4 @@ services: - LDAP_ADMIN_USERNAME=admin - LDAP_ADMIN_PASSWORD=adminpassword - LDAP_USERS=alice,bob,foo - - LDAP_PASSWORDS=password1,password2,password3 \ No newline at end of file + - LDAP_PASSWORDS=password1,password2,password3