terraform-provider-vault
Suggestion: Database Engine config, root credentials rotation
This is a suggestion, not a bug nor problem.
As recommended in the official Vault docs for the DB Engine:
If the plugin supports rotating the root credentials, we highly recommend you perform that action after configuring the plugin. This will change the password of the user configured in this step. The new password will not be viewable by users.
It would be amazing if the TF provider supported this. I think no new resource is needed, but instead a slight modification to the vault_database_secret_backend_connection resource: an optional boolean, rotate_root_credentials.
Example:
resource "vault_database_secret_backend_connection" "postgres" {
  backend       = "${vault_mount.db.path}"
  name          = "postgres"
  allowed_roles = ["dev", "prod"]

  postgresql {
    connection_url          = "postgres://username:password@host:port/database"
    rotate_root_credentials = true
  }
}
This will basically make a call to this endpoint if the config is created successfully.
Wdyt?
While I would like this feature myself, I did notice it's been an outstanding request in #202. Which also happens to have a work-around ;)
Correct me if I am wrong, but that workaround will cause any further applies to fail due to Terraform not knowing about the rotated creds?
@NegativeFeedback This is exactly the issue I'm running into. I'm really unsure how to handle the rotation in Terraform.
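Added example, not part of the original thread or the provider's code: the sequence the issue proposes, written against Vault's HTTP API, where the connection config is written first and rotate-root is called only if that write succeeded. The mount name `database`, the address, the token and the connection values are constructed placeholders, and the helper names are hypothetical.

```python
import json
import urllib.error
import urllib.request


def vault_post(addr, token, path, body=None):
    """POST to Vault's HTTP API and return the HTTP status code."""
    req = urllib.request.Request(
        f"{addr.rstrip('/')}/v1/{path}",
        data=json.dumps(body or {}).encode(),
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def configure_then_rotate(addr, token, mount, name, config, post=vault_post):
    """Write the connection config, then rotate the root password."""
    status = post(addr, token, f"{mount}/config/{name}", config)
    if status not in (200, 204):
        # Config was rejected: leave the existing root password untouched.
        return {"configured": False, "rotated": False, "status": status}
    # From here on the password sent in `config` stops working and Vault
    # does not return the new one.
    status = post(addr, token, f"{mount}/rotate-root/{name}")
    return {"configured": True, "rotated": status in (200, 204), "status": status}


if __name__ == "__main__":
    # Constructed sample values. Rotation acts on the separate username and
    # password fields, so the URL uses Vault's {{...}} templates.
    cfg = {
        "plugin_name": "postgresql-database-plugin",
        "allowed_roles": "dev,prod",
        "connection_url": "postgresql://{{username}}:{{password}}@host:5432/database",
        "username": "username",
        "password": "password",
    }
    result = configure_then_rotate("http://127.0.0.1:8200", "placeholder-token", "database", "postgres", cfg)
    print(result)
```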