Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add credential_type and credential_config to static roles for DBs #2384

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add credential_type and credential_config to static roles for DBs #2384

wants to merge 1 commit into from
+211 −0

Conversation

catouc
Copy link

@catouc catouc commented Dec 19, 2024
edited by fairclothjm
Loading

Description

An attempt to add credential_type and credential_config as fields to the static roles in database engines.

This is to enable support for using rsa_public_key on Snowflake secret engines which is currently not possible on static roles.

Closes #1585.
Closes #1992

Checklist

  • Added CHANGELOG entry (only for user-facing changes)
  • Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

pboeschen@LL16KDB44 terraform-provider-vault main> RUNS_IN_CONTAINER=true make testacc TESTARGS='-run=TestAccDatabaseSecretBackendStaticRole.* -v'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -run=TestAccDatabaseSecretBackendStaticRole.* -v -timeout 30m ./...
?   	github.com/hashicorp/terraform-provider-vault	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/cmd/coverage	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/cmd/generate	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/helper	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/consts	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/identity/group	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/identity/mfa	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/pki	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/codegen	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/internal/identity/entity	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/internal/sync	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/schema	[no test files]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/internal/provider	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/testutil	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/util	(cached) [no tests to run]
testing: warning: no tests to run
PASS
ok  	github.com/hashicorp/terraform-provider-vault/util/mountutil	(cached) [no tests to run]
=== RUN   TestAccDatabaseSecretBackendStaticRole_import
--- PASS: TestAccDatabaseSecretBackendStaticRole_import (1.76s)
=== RUN   TestAccDatabaseSecretBackendStaticRole_credentialType
--- PASS: TestAccDatabaseSecretBackendStaticRole_credentialType (1.43s)
=== RUN   TestAccDatabaseSecretBackendStaticRole_credentialConfig
--- PASS: TestAccDatabaseSecretBackendStaticRole_credentialConfig (2.46s)
=== RUN   TestAccDatabaseSecretBackendStaticRole_rotationPeriod
--- PASS: TestAccDatabaseSecretBackendStaticRole_rotationPeriod (2.45s)
=== RUN   TestAccDatabaseSecretBackendStaticRole_rotationSchedule
    resource_database_secret_backend_static_role_test.go:197: Vault server version "1.18.2"
--- PASS: TestAccDatabaseSecretBackendStaticRole_rotationSchedule (2.47s)
=== RUN   TestAccDatabaseSecretBackendStaticRole_Rootless
    resource_database_secret_backend_static_role_test.go:234: "POSTGRES_URL_TEST" must be set
--- SKIP: TestAccDatabaseSecretBackendStaticRole_Rootless (0.00s)
PASS
ok  	github.com/hashicorp/terraform-provider-vault/vault	10.614s

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

@catouc catouc requested a review from a team as a code owner December 19, 2024 09:33
@catouc catouc requested a review from JMGoldsmith December 19, 2024 09:33
@hashicorp-cla-app HashiCorp CLA App
Copy link

hashicorp-cla-app bot commented Dec 19, 2024
edited
Loading

CLA assistant check
All committers have signed the CLA.

@catouc catouc force-pushed the main branch 2 times, most recently from ea109b6 to a2ac1e7 Compare December 19, 2024 12:58
@catouc
Copy link
Author

catouc commented Dec 19, 2024
edited
Loading

Unsure what "all supported Vault versions" are so I ran my tests against 1.18.2 locally. https://registry.terraform.io/providers/hashicorp/vault/latest/docs does not list any supported versions. Nor in the README from what I can tell.

@catouc catouc changed the title Draft: Add credential_type and credential_config to static roles for DBs Add credential_type and credential_config to static roles for DBs Dec 27, 2024
@Temurson
Copy link

Temurson commented Jan 24, 2025
edited
Loading

My organization would benefit greatly from this feature. As was pointed out on the issue #1585, switching from password to rsa_private_key credential_type will soon be a requirement for Snowflake DB.
@catouc really appreciate your contribution!
@JMGoldsmith I am also happy to contribute in any way to get this feature in!

fairclothjm
fairclothjm reviewed Jan 29, 2025
View reviewed changes
Copy link
Contributor

@fairclothjm fairclothjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @catouc! Looking good so far. If you can kindly address the comments we can get this PR merged.

@fairclothjm fairclothjm mentioned this pull request Jan 29, 2025
Closed
@fairclothjm fairclothjm added this to the 4.7.0 milestone Jan 29, 2025
@catouc catouc force-pushed the main branch 3 times, most recently from d1bf505 to 3079c1c Compare January 30, 2025 08:51
@catouc
Copy link
Author

catouc commented Jan 30, 2025

Thanks @catouc! Looking good so far. If you can kindly address the comments we can get this PR merged.

All addressed, also rewrote the commit msg to be a bit more in line with the rest of the repositories changes.

@catouc
Copy link
Author

catouc commented Feb 3, 2025

Gonna link #2399 into here since this issue seems to be getting more traction with Snowflakes deprecation of password auth.

fairclothjm
fairclothjm reviewed Feb 3, 2025
View reviewed changes
@catouc
Copy link
Author

catouc commented Feb 5, 2025

Moved the changelog to the correct part.

@catouc
Add support for alternative credentials for static DB roles
eb59e2a 
This adds two new fields:
* credential_type
* credential_config

To `vault_database_secret_backend_static_role`.
@catouc
Copy link
Author

catouc commented Feb 17, 2025

@fairclothjm maybe we can review this now before I have fix even more merge conflicts? :) Thanks for the help!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fairclothjm fairclothjm fairclothjm left review comments

@JMGoldsmith JMGoldsmith Awaiting requested review from JMGoldsmith JMGoldsmith is a code owner automatically assigned from hashicorp/vault

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
4.7.0
Development

Successfully merging this pull request may close these issues.

terraform cannot provision snowflake secret engine role with credential_type="rsa_public_key"
3 participants
@catouc @Temurson @fairclothjm