Merge pull request #530 from hamishforbes/master

Add root_rotation_statements to vault_database_secret_backend_connection
hashicorp · Oct 9, 2019 · 38aeeaa · 38aeeaa
2 parents 007da5d + cad06ec
commit 38aeeaa
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 0 deletions.
diff --git a/vault/resource_database_secret_backend_connection.go b/vault/resource_database_secret_backend_connection.go
@@ -51,6 +51,14 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 					Type: schema.TypeString,
 				},
 			},
+			"root_rotation_statements": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "A list of database statements to be executed to rotate the root user's credentials.",
+				Elem: &schema.Schema{
+					Type: schema.TypeString,
+				},
+			},
 			"data": {
 				Type:        schema.TypeMap,
 				Optional:    true,
@@ -441,6 +449,10 @@ func databaseSecretBackendConnectionCreate(d *schema.ResourceData, meta interfac
 		data["allowed_roles"] = strings.Join(roles, ",")
 	}
 
+	if v, ok := d.GetOkExists("root_rotation_statements"); ok {
+		data["root_rotation_statements"] = v
+	}
+
 	if m, ok := d.GetOkExists("data"); ok {
 		for k, v := range m.(map[string]interface{}) {
 			data[k] = v.(string)
@@ -584,6 +596,7 @@ func databaseSecretBackendConnectionRead(d *schema.ResourceData, meta interface{
 	d.Set("allowed_roles", roles)
 	d.Set("backend", backend)
 	d.Set("name", name)
+	d.Set("root_rotation_statements", resp.Data["root_credentials_rotate_statements"])
 	if v, ok := resp.Data["verify_connection"]; ok {
 		d.Set("verify_connection", v.(bool))
 	}
@@ -616,6 +629,10 @@ func databaseSecretBackendConnectionUpdate(d *schema.ResourceData, meta interfac
 		data["allowed_roles"] = strings.Join(roles, ",")
 	}
 
+	if v, ok := d.GetOkExists("root_rotation_statements"); ok {
+		data["root_rotation_statements"] = v
+	}
+
 	if m, ok := d.GetOkExists("data"); ok {
 		for k, v := range m.(map[string]interface{}) {
 			data[k] = v.(string)

diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go
@@ -31,6 +31,8 @@ func TestAccDatabaseSecretBackendConnection_import(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "postgresql.0.connection_url", connURL),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "postgresql.0.max_open_connections", "2"),
@@ -71,6 +73,8 @@ func TestAccDatabaseSecretBackendConnection_cassandra(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "cassandra.0.hosts.#", "1"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "cassandra.0.hosts.0", host),
@@ -109,6 +113,8 @@ func TestAccDatabaseSecretBackendConnection_mongodb(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mongodb.0.connection_url", connURL),
 				),
@@ -137,6 +143,8 @@ func TestAccDatabaseSecretBackendConnection_mssql(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mssql.0.connection_url", connURL),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mssql.0.max_open_connections", "2"),
@@ -169,6 +177,8 @@ func TestAccDatabaseSecretBackendConnection_mysql(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.connection_url", connURL),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.max_open_connections", "2"),
@@ -186,6 +196,8 @@ func TestAccDatabaseSecretBackendConnection_mysql(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_rds.0.connection_url", connURL),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_rds.0.max_open_connections", "2"),
@@ -201,6 +213,8 @@ func TestAccDatabaseSecretBackendConnection_mysql(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_aurora.0.connection_url", connURL),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_aurora.0.max_open_connections", "2"),
@@ -216,6 +230,8 @@ func TestAccDatabaseSecretBackendConnection_mysql(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_legacy.0.connection_url", connURL),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql_legacy.0.max_open_connections", "2"),
@@ -248,6 +264,8 @@ func TestAccDatabaseSecretBackendConnectionUpdate_mysql(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.connection_url", connURL),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.max_open_connections", "2"),
@@ -264,6 +282,8 @@ func TestAccDatabaseSecretBackendConnectionUpdate_mysql(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.connection_url", connURL),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "mysql.0.max_open_connections", "2"),
@@ -296,6 +316,8 @@ func TestAccDatabaseSecretBackendConnection_postgresql(t *testing.T) {
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.#", "1"),
+					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "root_rotation_statements.0", "FOOBAR"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "verify_connection", "true"),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "postgresql.0.connection_url", connURL),
 					resource.TestCheckResourceAttr("vault_database_secret_backend_connection.test", "postgresql.0.max_open_connections", "2"),
@@ -336,6 +358,7 @@ resource "vault_database_secret_backend_connection" "test" {
   backend = "${vault_mount.db.path}"
   name = "%s"
   allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
 
   cassandra {
     hosts = ["%s"]
@@ -358,6 +381,7 @@ resource "vault_database_secret_backend_connection" "test" {
   backend = "${vault_mount.db.path}"
   name = "%s"
   allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
 
   mongodb {
     connection_url = "%s"
@@ -377,6 +401,7 @@ resource "vault_database_secret_backend_connection" "test" {
   backend = "${vault_mount.db.path}"
   name = "%s"
   allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
 
   mssql {
 	  connection_url = "%s"
@@ -396,6 +421,7 @@ resource "vault_database_secret_backend_connection" "test" {
   backend = "${vault_mount.db.path}"
   name = "%s"
   allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
 
   mysql {
 	  connection_url = "%s"
@@ -419,6 +445,7 @@ resource "vault_database_secret_backend_connection" "test" {
   backend = "${vault_mount.db.path}"
   name = "%s"
   allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
 
   mysql {
 	  connection_url = "%s"
@@ -443,6 +470,7 @@ resource "vault_database_secret_backend_connection" "test" {
   backend = "${vault_mount.db.path}"
   name = "%s"
   allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
 
   mysql_rds {
 	  connection_url = "%s"
@@ -462,6 +490,7 @@ resource "vault_database_secret_backend_connection" "test" {
   backend = "${vault_mount.db.path}"
   name = "%s"
   allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
 
   mysql_aurora {
 	  connection_url = "%s"
@@ -481,6 +510,7 @@ resource "vault_database_secret_backend_connection" "test" {
   backend = "${vault_mount.db.path}"
   name = "%s"
   allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
 
   mysql_legacy {
 	  connection_url = "%s"
@@ -500,6 +530,7 @@ resource "vault_database_secret_backend_connection" "test" {
   backend = "${vault_mount.db.path}"
   name = "%s"
   allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
 
   postgresql {
 	  connection_url = "%s"

diff --git a/website/docs/r/database_secret_backend_connection.md b/website/docs/r/database_secret_backend_connection.md
@@ -51,6 +51,8 @@ The following arguments are supported:
 * `allowed_roles` - (Optional) A list of roles that are allowed to use this
   connection.
 
+* `root_rotation_statements` - (Optional) A list of database statements to be executed to rotate the root user's credentials.
+
 * `cassandra` - (Optional) A nested block containing configuration options for Cassandra connections.
 
 * `mongodb` - (Optional) A nested block containing configuration options for MongoDB connections.