db: add fields for skip auto rotation of static roles (hashicorp#2386)

* db: add fields for skip auto rotation of static roles * add static role support for role-level field * add config-level field and tests * update comments * update env var * fix test * remove config-level field * bump Vault build matrix versions * changelog
Bartosz-lab · Feb 10, 2025 · 0430fcd · 0430fcd
1 parent f84ff08
commit 0430fcd
Show file tree

Hide file tree

Showing 7 changed files with 128 additions and 14 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -65,9 +65,9 @@ jobs:
         image:
         - "vault-enterprise:1.14.13-ent"
         - "vault-enterprise:1.15.16-ent"
-        - "vault-enterprise:1.16.14-ent"
-        - "vault-enterprise:1.17.10-ent"
-        - "vault-enterprise:1.18.3-ent"
+        - "vault-enterprise:1.16.15-ent"
+        - "vault-enterprise:1.17.11-ent"
+        - "vault-enterprise:1.18.4-ent"
         - "vault:latest"
     services:
       vault:
@@ -208,10 +208,12 @@ jobs:
           # POSTGRES_URL is the standard root conn URL for Vault
           POSTGRES_URL: "postgres://postgres:secret@postgres:5432/database?sslmode=disable"
           # POSTGRES_URL_TEST is used by the TFVP test to connect directly to
-          # the postgres container. Note: the host is "localhost" because the
-          # TFVP tests do not run in the same docker network.
+          # the postgres container so that it can create static users.
+          # Note: the host is "localhost" because the TFVP tests do not run in
+          # the same docker network.
           POSTGRES_URL_TEST: "postgres://postgres:secret@localhost:5432/database?sslmode=disable"
-          # POSTGRES_URL_ROOTLESS is used by Vault to connect to the postgres container.
+          # POSTGRES_URL_ROOTLESS is used by Vault to connect to the postgres
+          # container for "rootless" static roles".
           POSTGRES_URL_ROOTLESS: "postgres://{{username}}:{{password}}@postgres:5432/database?sslmode=disable"
           COUCHBASE_HOST: couchbase
           COUCHBASE_USERNAME: Administrator

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ FEATURES:
 * Add support for certificate revocation with `revoke_with_key` in `vault_pki_secret_backend_cert` ([#2242](https://github.com/hashicorp/terraform-provider-vault/pull/2242))
 * Add support for signature_bits field to `vault_pki_secret_backend_role`, `vault_pki_secret_backend_root_cert`, `vault_pki_secret_backend_root_sign_intermediate` and `vault_pki_secret_backend_intermediate_cert_request` ([#2401])(https://github.com/hashicorp/terraform-provider-vault/pull/2401)
 * Add support for key_usage and serial_number to `vault_pki_secret_backend_intermediate_cert_request` ([#2404])(https://github.com/hashicorp/terraform-provider-vault/pull/2404)
+* Add support for `skip_import_rotation` in `vault_database_secret_backend_static_role`. Requires Vault Enterprise 1.18.5+ ([#2386](https://github.com/hashicorp/terraform-provider-vault/pull/2386)).
 
 BUGS:
 

diff --git a/vault/resource_database_secret_backend_connection.go b/vault/resource_database_secret_backend_connection.go
@@ -196,6 +196,7 @@ func (i *dbEngine) PluginPrefixes() ([]string, error) {
 	return append([]string{defaultPrefix}, i.pluginAliases...), nil
 }
 
+// getDatabaseSchema returns the database-specific schema
 func getDatabaseSchema(typ schema.ValueType) schemaMap {
 	var dbEngineTypes []string
 	for _, e := range dbEngines {

diff --git a/vault/resource_database_secret_backend_static_role.go b/vault/resource_database_secret_backend_static_role.go
@@ -6,12 +6,13 @@ package vault
 import (
 	"context"
 	"fmt"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
-	"github.com/hashicorp/terraform-provider-vault/internal/consts"
 	"log"
 	"regexp"
 	"strings"
 
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-provider-vault/internal/consts"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
 	"github.com/hashicorp/terraform-provider-vault/internal/provider"
@@ -99,6 +100,11 @@ func databaseSecretBackendStaticRoleResource() *schema.Resource {
 				Description: "The password corresponding to the username in the database. " +
 					"Required when using the Rootless Password Rotation workflow for static roles.",
 			},
+			consts.FieldSkipImportRotation: {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Description: "Skip rotation of the password on import.",
+			},
 		},
 	}
 }
@@ -142,6 +148,9 @@ func databaseSecretBackendStaticRoleWrite(ctx context.Context, d *schema.Resourc
 		if v, ok := d.GetOk(consts.FieldSelfManagedPassword); ok && v != "" {
 			data[consts.FieldSelfManagedPassword] = v
 		}
+		if v, ok := d.Get(consts.FieldSkipImportRotation).(bool); ok {
+			data[consts.FieldSkipImportRotation] = v
+		}
 	}
 
 	log.Printf("[DEBUG] Creating static role %q on database backend %q", name, backend)
@@ -211,6 +220,12 @@ func databaseSecretBackendStaticRoleRead(ctx context.Context, d *schema.Resource
 		}
 	}
 
+	if provider.IsAPISupported(meta, provider.VaultVersion118) && provider.IsEnterpriseSupported(meta) {
+		if err := d.Set(consts.FieldSkipImportRotation, role.Data[consts.FieldSkipImportRotation]); err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
 	for _, k := range staticRoleFields {
 		if v, ok := role.Data[k]; ok {
 			if err := d.Set(k, v); err != nil {

diff --git a/vault/resource_database_secret_backend_static_role_test.go b/vault/resource_database_secret_backend_static_role_test.go
@@ -7,6 +7,7 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
+	"net/url"
 	"os"
 	"testing"
 
@@ -153,9 +154,12 @@ func TestAccDatabaseSecretBackendStaticRole_rotationSchedule(t *testing.T) {
 
 // TestAccDatabaseSecretBackendStaticRole_Rootless tests the
 // Rootless Config and Rotation flow for Static Roles.
+//
 // To run locally you will need to set the following env vars:
 //   - POSTGRES_URL_TEST
 //   - POSTGRES_URL_ROOTLESS
+//
+// See .github/workflows/build.yml for details.
 func TestAccDatabaseSecretBackendStaticRole_Rootless(t *testing.T) {
 	connURLTestRoot := testutil.SkipTestEnvUnset(t, "POSTGRES_URL_TEST")[0]
 	connURL := testutil.SkipTestEnvUnset(t, "POSTGRES_URL_ROOTLESS")[0]
@@ -166,12 +170,6 @@ func TestAccDatabaseSecretBackendStaticRole_Rootless(t *testing.T) {
 	name := acctest.RandomWithPrefix("staticrole")
 	resourceName := "vault_database_secret_backend_static_role.test"
 
-	testRoleStaticCreate := `
-CREATE ROLE "{{name}}" WITH
-  LOGIN
-  PASSWORD '{{password}}';
-`
-
 	// create static database user
 	testutil.CreateTestPGUser(t, connURLTestRoot, username, "testpassword", testRoleStaticCreate)
 
@@ -203,6 +201,55 @@ CREATE ROLE "{{name}}" WITH
 	})
 }
 
+// TestAccDatabaseSecretBackendStaticRole_SkipImportRotation tests the skip
+// auto import Rotation configuration.
+//
+// To run locally you will need to set the following env vars:
+//   - POSTGRES_URL
+//   - POSTGRES_URL_TEST
+//
+// See .github/workflows/build.yml for details.
+func TestAccDatabaseSecretBackendStaticRole_SkipImportRotation(t *testing.T) {
+	connURLTestRoot := testutil.SkipTestEnvUnset(t, "POSTGRES_URL_TEST")[0]
+	connURL := testutil.SkipTestEnvUnset(t, "POSTGRES_URL")[0]
+
+	parsedURL, err := url.Parse(connURLTestRoot)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	vaultAdminUser := parsedURL.User.Username()
+
+	backend := acctest.RandomWithPrefix("tf-test-db")
+	staticUsername := acctest.RandomWithPrefix("user")
+	dbName := acctest.RandomWithPrefix("db")
+	roleName := acctest.RandomWithPrefix("staticrole")
+	resourceName := "vault_database_secret_backend_static_role.test"
+
+	// create static database user
+	testutil.CreateTestPGUser(t, connURLTestRoot, staticUsername, "testpassword", testRoleStaticCreate)
+
+	resource.Test(t, resource.TestCase{
+		ProviderFactories: providerFactories,
+		PreCheck: func() {
+			testutil.TestEntPreCheck(t)
+			SkipIfAPIVersionLT(t, testProvider.Meta(), provider.VaultVersion118)
+		},
+		CheckDestroy: testAccDatabaseSecretBackendStaticRoleCheckDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDatabaseSecretBackendStaticRoleConfig_skipImportRotation(roleName, staticUsername, dbName, backend, connURL, vaultAdminUser),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "name", roleName),
+					resource.TestCheckResourceAttr(resourceName, "username", staticUsername),
+					resource.TestCheckResourceAttr(resourceName, "skip_import_rotation", "true"),
+				),
+			},
+			testutil.GetImportTestStep(resourceName, false, nil, ""),
+		},
+	})
+}
+
 func testAccDatabaseSecretBackendStaticRoleCheckDestroy(s *terraform.State) error {
 	for _, rs := range s.RootModule().Resources {
 		if rs.Type != "vault_database_secret_backend_static_role" {
@@ -371,6 +418,35 @@ resource "vault_database_secret_backend_static_role" "test" {
 `, path, db, connURL, name, username)
 }
 
+func testAccDatabaseSecretBackendStaticRoleConfig_skipImportRotation(roleName, staticUsername, db, path, connURL, vaultAdminUser string) string {
+	return fmt.Sprintf(`
+resource "vault_mount" "db" {
+  path = "%s"
+  type = "database"
+}
+
+resource "vault_database_secret_backend_connection" "test" {
+  backend = vault_mount.db.path
+  name = "%s"
+  allowed_roles = ["*"]
+
+  postgresql {
+	connection_url = "%s"
+	username = "%s"
+  }
+}
+
+resource "vault_database_secret_backend_static_role" "test" {
+  backend = vault_mount.db.path
+  db_name = vault_database_secret_backend_connection.test.name
+  name = "%s"
+  username = "%s"
+  skip_import_rotation = true
+  rotation_period = 3600
+}
+`, path, db, connURL, vaultAdminUser, roleName, staticUsername)
+}
+
 func testAccDatabaseSecretBackendStaticRoleConfig_rootlessConfig(name, username, db, path, connURL, smPassword string) string {
 	return fmt.Sprintf(`
 resource "vault_mount" "db" {
@@ -399,3 +475,9 @@ resource "vault_database_secret_backend_static_role" "test" {
 }
 `, path, db, connURL, name, username, smPassword)
 }
+
+var testRoleStaticCreate = `
+CREATE ROLE "{{name}}" WITH
+  LOGIN
+  PASSWORD '{{password}}';
+`
diff --git a/vault/resource_database_secrets_mount.go b/vault/resource_database_secrets_mount.go
@@ -119,6 +119,8 @@ func databaseSecretsMountResource() *schema.Resource {
 	}
 }
 
+// getDatabaseSecretsMountSchema is used to define the schema for
+// vault_database_secrets_mount
 func getDatabaseSecretsMountSchema() schemaMap {
 	s := getMountSchema("type")
 	for k, v := range getDatabaseSchema(schema.TypeList) {
@@ -150,6 +152,12 @@ func addCommonDatabaseSchema(s *schema.Schema) {
 	}
 }
 
+// getCommonDatabaseSchema is used to define the common schema for both
+// database resources:
+//   - vault_database_secrets_mount
+//   - vault_database_secret_backend_connection
+//
+// New fields on the DB /config endpoint should be added here.
 func getCommonDatabaseSchema() schemaMap {
 	return schemaMap{
 		"name": {
@@ -207,6 +215,8 @@ func getCommonDatabaseSchema() schemaMap {
 	}
 }
 
+// setCommonDatabaseSchema is used to define the schema for
+// vault_database_secret_backend_connection
 func setCommonDatabaseSchema(s schemaMap) schemaMap {
 	for k, v := range getCommonDatabaseSchema() {
 		s[k] = v

diff --git a/website/docs/r/database_secret_backend_static_role.md b/website/docs/r/database_secret_backend_static_role.md
@@ -73,6 +73,9 @@ The following arguments are supported:
   Required when using the Rootless Password Rotation workflow for static roles. Only enabled for
   select DB engines (Postgres). Requires Vault 1.18+ Enterprise.
 
+* `skip_import_rotation` - (Optional) If set to true, Vault will skip the
+  initial secret rotation on import. Requires Vault 1.18+ Enterprise.
+
 * `rotation_period` - The amount of time Vault should wait before rotating the password, in seconds.
   Mutually exclusive with `rotation_schedule`.