diff --git a/vault/resource_database_secret_backend_connection.go b/vault/resource_database_secret_backend_connection.go
index bc2969950..e18f32338 100644
--- a/vault/resource_database_secret_backend_connection.go
+++ b/vault/resource_database_secret_backend_connection.go
@@ -51,6 +51,14 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 Type: schema.TypeString,
 },
 },
+ "root_rotation_statements": {
+ Type: schema.TypeList,
+ Optional: true,
+ Description: "A list of database statements to be executed to rotate the root user's credentials.",
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ },
+ },
 "data": {
 Type: schema.TypeMap,
 Optional: true,
@@ -441,6 +449,10 @@ func databaseSecretBackendConnectionCreate(d *schema.ResourceData, meta interfac
 data["allowed_roles"] = strings.Join(roles, ",")
 }
 
+ if v, ok := d.GetOkExists("root_rotation_statements"); ok {
+ data["root_rotation_statements"] = v
+ }
+
 if m, ok := d.GetOkExists("data"); ok {
 for k, v := range m.(map[string]interface{}) {
 data[k] = v.(string)
@@ -584,6 +596,7 @@ func databaseSecretBackendConnectionRead(d *schema.ResourceData, meta interface{
 d.Set("allowed_roles", roles)
 d.Set("backend", backend)
 d.Set("name", name)
+ d.Set("root_rotation_statements", resp.Data["root_credentials_rotate_statements"])
 if v, ok := resp.Data["verify_connection"]; ok {
 d.Set("verify_connection", v.(bool))
 }
@@ -616,6 +629,10 @@ func databaseSecretBackendConnectionUpdate(d *schema.ResourceData, meta interfac
 data["allowed_roles"] = strings.Join(roles, ",")
 }
 
+ if v, ok := d.GetOkExists("root_rotation_statements"); ok {
+ data["root_rotation_statements"] = v
+ }
+
 if m, ok := d.GetOkExists("data"); ok {
 for k, v := range m.(map[string]interface{}) {
 data[k] = v.(string)
diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go
index 546c23686..d7028d3a1 100644
--- a/vault/resource_database_secret_backend_connection_test.go
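Review bot: In databaseSecretBackendConnectionUpdate the new `root_rotation_statements` value is only sent when the attribute is present, so removing it from the configuration sends nothing for that key; if Vault keeps the previously stored statements when a field is omitted on update (inferred from the API, not visible in this diff), the Read added in this same commit will write the old list back into state and every plan will show the same diff. The identical guard appears in databaseSecretBackendConnectionCreate earlier in this diff, where it is harmless, so only the update path needs changing. For the update path send the attribute unconditionally so that an empty list can clear it: `data["root_rotation_statements"] = d.Get("root_rotation_statements")`. Both enclosing functions start and end outside their hunks.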
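Review bot: The key read back in databaseSecretBackendConnectionRead, `root_credentials_rotate_statements`, differs from the `root_rotation_statements` key written in the Create and Update hunks, and nothing in the code says the asymmetry is deliberate, so a maintainer is likely to "correct" one side and silently break the round trip. Add a comment above the new d.Set line, e.g. `// Vault accepts this field as "root_rotation_statements" but reports it back as "root_credentials_rotate_statements".` Since these statements run under the connection's root credentials, the same comment is a good place to note that the provider only forwards them and never validates their content. databaseSecretBackendConnectionRead begins and ends outside this hunk.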
+++ b/vault/resource_database_secret_backend_connection_test.go
@@ -31,6 +31,8 @@ func TestAccDatabaseSecretBackendConnection_import(t *testing.T) {
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "postgresql.0.connection_url", connURL),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "postgresql.0.max_open_connections", "2"),
@@ -71,6 +73,8 @@ func TestAccDatabaseSecretBackendConnection_cassandra(t *testing.T) {
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "cassandra.0.hosts.#", "1"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "cassandra.0.hosts.0", host),
@@ -109,6 +113,8 @@ func TestAccDatabaseSecretBackendConnection_mongodb(t *testing.T) {
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mongodb.0.connection_url", connURL),
 ),
@@ -137,6 +143,8 @@ func TestAccDatabaseSecretBackendConnection_mssql(t *testing.T) {
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mssql.0.connection_url", connURL),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mssql.0.max_open_connections", "2"),
@@ -169,6 +177,8 @@ func TestAccDatabaseSecretBackendConnection_mysql(t *testing.T) {
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.connection_url", connURL),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.max_open_connections", "2"),
@@ -186,6 +196,8 @@ func TestAccDatabaseSecretBackendConnection_mysql(t *testing.T) {
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_rds.0.connection_url", connURL),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_rds.0.max_open_connections", "2"),
@@ -201,6 +213,8 @@ func TestAccDatabaseSecretBackendConnection_mysql(t *testing.T) {
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_aurora.0.connection_url", connURL),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_aurora.0.max_open_connections", "2"),
@@ -216,6 +230,8 @@ func TestAccDatabaseSecretBackendConnection_mysql(t *testing.T) {
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_legacy.0.connection_url", connURL),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_legacy.0.max_open_connections", "2"),
@@ -248,6 +264,8 @@ func TestAccDatabaseSecretBackendConnectionUpdate_mysql(t *testing.T) {
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.connection_url", connURL),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.max_open_connections", "2"),
@@ -264,6 +282,8 @@ func TestAccDatabaseSecretBackendConnectionUpdate_mysql(t *testing.T) {
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+ resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.connection_url", connURL),
 resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.max_open_connections", "2"),
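Review bot: Both steps of TestAccDatabaseSecretBackendConnectionUpdate_mysql assert the same `root_rotation_statements.0` value of `FOOBAR`, so the update path is only exercised for an unchanged list; neither changing the statements nor dropping the attribute between steps is covered, and that is exactly where the provider's GetOkExists guard in the update function and Vault's stored config could diverge. Consider giving the second step a different list, for example `root_rotation_statements = ["FOOBAR", "BAZ"]` checked with a `root_rotation_statements.#` of `"2"`, or a step that omits the attribute and checks `root_rotation_statements.#` is `"0"`. The enclosing test function starts outside the hunk, and the HCL fixtures it uses are in later hunks of this file.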
@@ -296,6 +316,8 @@ func TestAccDatabaseSecretBackendConnection_postgresql(t *testing.T) { resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"), resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"), resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"), + resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"), + resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"), resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"), resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "postgresql.0.connection_url", connURL), resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "postgresql.0.max_open_connections", "2"), @@ -336,6 +358,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = "${vault_mount.db.path}" name = "%s" allowed_roles = ["dev", "prod"] + root_rotation_statements = ["FOOBAR"] cassandra { hosts = ["%s"] @@ -358,6 +381,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = "${vault_mount.db.path}" name = "%s" allowed_roles = ["dev", "prod"] + root_rotation_statements = ["FOOBAR"] mongodb { connection_url = "%s" @@ -377,6 +401,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = "${vault_mount.db.path}" name = "%s" allowed_roles = ["dev", "prod"] + root_rotation_statements = ["FOOBAR"] mssql { connection_url = "%s" @@ -396,6 +421,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = "${vault_mount.db.path}" name = "%s" allowed_roles = ["dev", "prod"] + root_rotation_statements = ["FOOBAR"] mysql { connection_url = "%s" 
@@ -419,6 +445,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = "${vault_mount.db.path}" name = "%s" allowed_roles = ["dev", "prod"] + root_rotation_statements = ["FOOBAR"] mysql { connection_url = "%s" @@ -443,6 +470,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = "${vault_mount.db.path}" name = "%s" allowed_roles = ["dev", "prod"] + root_rotation_statements = ["FOOBAR"] mysql_rds { connection_url = "%s" @@ -462,6 +490,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = "${vault_mount.db.path}" name = "%s" allowed_roles = ["dev", "prod"] + root_rotation_statements = ["FOOBAR"] mysql_aurora { connection_url = "%s" @@ -481,6 +510,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = "${vault_mount.db.path}" name = "%s" allowed_roles = ["dev", "prod"] + root_rotation_statements = ["FOOBAR"] mysql_legacy { connection_url = "%s" @@ -500,6 +530,7 @@ resource "vault_database_secret_backend_connection" "test" { backend = "${vault_mount.db.path}" name = "%s" allowed_roles = ["dev", "prod"] + root_rotation_statements = ["FOOBAR"] postgresql { connection_url = "%s" diff --git a/website/docs/r/database_secret_backend_connection.md b/website/docs/r/database_secret_backend_connection.md index 051f2bf90..f5e57d2ba 100644 --- a/website/docs/r/database_secret_backend_connection.md +++ b/website/docs/r/database_secret_backend_connection.md @@ -51,6 +51,8 @@ The following arguments are supported: * `allowed_roles` - (Optional) A list of roles that are allowed to use this connection. +* `root_rotation_statements` - (Optional) A list of database statements to be executed to rotate the root user's credentials. + * `cassandra` - (Optional) A nested block containing configuration options for Cassandra connections. * `mongodb` - (Optional) A nested block containing configuration options for MongoDB connections.