
Cassandra database engine doesn't recognize the skip_verification and tls_server_name parameters

Open mouglou opened this issue 2 years ago • 2 comments

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

$ terraform --version
Terraform v1.0.10

Affected Resource(s)

Please list the resources as a list, for example:

  • vault_database_secret_backend_connection

Terraform Configuration Files

resource "vault_database_secret_backend_connection" "yugabyte" {
  backend       = "yugabyte"
  name          = "test_yugabyte"
  allowed_roles = ["yugabyte_app"]

  cassandra {
    hosts            = [var.yugabyte_host]
    # tls_server_name is a single string in the Vault API, not a list
    tls_server_name  = var.yugabyte_host
    username         = var.yugabyte_username
    password         = var.yugabyte_password
    connect_timeout  = 30
    tls              = true
    # insecure_tls disables validation of the server certificate
    insecure_tls     = true
    protocol_version = 4
    # certificate bundle read from a generic secret defined elsewhere in the configuration
    pem_bundle       = data.vault_generic_secret.yugabyte_cluster_certificate.data["yugabyte_cert"]
    # skips Vault's connectivity check at configure time (the parameter the provider rejects)
    skip_verification = true
  }
}

Debug Output

Terraform output file

Expected Behavior

What should have happened? The provider should be able to accept these parameters, tls_server_name and skip_verification, as they are available in the Vault CLI: https://www.vaultproject.io/api-docs/secret/databases/cassandra#configure-connection

Actual Behavior

What actually happened? Terraform fails because the parameters are not recognized, so we can't create the connection.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Update the different variables with your own parameters
  2. terraform apply

So my question is, can support for these parameters be added to the provider?

Thanks! Mouglou

mouglou avatar Jul 06 '22 15:07 mouglou

To give you some additional information: we want to connect Vault with YugabyteDB (the CQL engine of Yugabyte in this case). Without setting "skip_verification" to true, Vault tries to connect to YugabyteDB and fails by running this command, which doesn't exist on YugabyteDB:

URL: PUT https://vault.domain.local/v1/yugabyte/config/test_ybcql
Code: 400. Errors:
* error creating database object: failed to initialize: error verifying connection: error validating connection info: Invalid SQL Statement. syntax error, unexpected LIST, expecting end_of_file
LIST ALL
^^^^
(ql error -11)

Because YugabyteDB has some commands that differ from Cassandra, it fails on this one. But once the "connection" is created, creating a role and generating credentials works fine. That's why "skip_verification" lets us integrate Vault and YugabyteDB.

So yes, the best solution would be for Vault to have a native integration with YugabyteDB, but that would be more difficult to implement!

mouglou avatar Jul 06 '22 19:07 mouglou
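For the two posts above (the Terraform block in the report and the explanation of what skip_verification actually skips), here is an added Python example, not code from terraform-provider-vault or from the issue author, that builds the same connection configuration as a request body for Vault's database secrets API (PUT /v1/<backend>/config/<name>, the endpoint shown in the error output) and classifies its TLS posture. Parameter names follow the Cassandra plugin API documentation linked in the report; the host names, credentials and certificate text are constructed placeholders, and VAULT_ADDR/VAULT_TOKEN are the standard environment variables the Vault CLI uses. The point worth seeing is that skip_verification only bypasses Vault's configure-time connectivity probe (the LIST ALL statement that YugabyteDB rejects), while insecure_tls switches off server certificate validation for every subsequent connection, so the two settings are not interchangeable.

```python
"""Build and sanity-check a Vault database-secrets connection config for the
Cassandra plugin, as sent to PUT /v1/<backend>/config/<name>.

Added illustration; not code from terraform-provider-vault or Vault itself.
Parameter names follow the cassandra-database-plugin API docs. Sample host
names, credentials and certificate text are constructed placeholders.
"""
import json
import os
import urllib.request
from typing import Any, Dict, List, Optional


def build_cassandra_connection_config(
    hosts: List[str],
    username: str,
    password: str,
    allowed_roles: List[str],
    *,
    tls: bool = True,
    insecure_tls: bool = False,
    pem_bundle: Optional[str] = None,
    tls_server_name: Optional[str] = None,
    skip_verification: bool = False,
    protocol_version: int = 4,
    connect_timeout: str = "30s",
) -> Dict[str, Any]:
    """Return the JSON body Vault expects for a Cassandra-plugin connection.

    The API takes `hosts` as one comma-separated string (the Terraform
    provider takes a list) and `connect_timeout` as a duration string.
    Optional keys are emitted only when the caller sets them, so the body
    mirrors what `vault write <backend>/config/<name> ...` would send.
    """
    body: Dict[str, Any] = {
        "plugin_name": "cassandra-database-plugin",
        "hosts": ",".join(hosts),
        "username": username,
        "password": password,
        "allowed_roles": allowed_roles,
        "tls": tls,
        "insecure_tls": insecure_tls,
        "protocol_version": protocol_version,
        "connect_timeout": connect_timeout,
        # only skips Vault's connectivity probe when the config is written
        "skip_verification": skip_verification,
    }
    if pem_bundle is not None:
        body["pem_bundle"] = pem_bundle
    if tls_server_name is not None:
        # a single string (the name to verify against), not a list
        body["tls_server_name"] = tls_server_name
    return body


def tls_posture(cfg: Dict[str, Any]) -> str:
    """Classify how much the server certificate is actually checked.

    `insecure_tls` disables certificate validation on every connection, so
    it deserves a separate review even when a pem_bundle is supplied;
    `skip_verification` has no effect on TLS at all.
    """
    if not cfg.get("tls"):
        return "plaintext"
    if cfg.get("insecure_tls"):
        return "tls-unverified"
    if cfg.get("tls_server_name"):
        return "tls-verified-with-sni"
    return "tls-verified"


def submit_config(backend: str, name: str, body: Dict[str, Any]) -> int:
    """PUT the body to a running Vault; returns the HTTP status code.

    Reads VAULT_ADDR and VAULT_TOKEN from the environment (the same
    variables the Vault CLI uses). Vault answers 204 on success.
    """
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    req = urllib.request.Request(
        f"{addr}/v1/{backend}/config/{name}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={
            "X-Vault-Token": os.environ["VAULT_TOKEN"],
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # constructed sample values standing in for the var.* references above
    cfg = build_cassandra_connection_config(
        ["yb1.example.internal", "yb2.example.internal"],
        "vault", "constructed-password", ["yugabyte_app"],
        pem_bundle="-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----",
        tls_server_name="yb1.example.internal",
        skip_verification=True,
    )
    print(json.dumps(cfg, indent=2))
    print("TLS posture:", tls_posture(cfg))
```

Run it as a script to see the body it would send; call submit_config only against a Vault you administer, with VAULT_ADDR and VAULT_TOKEN exported. A configuration that reports tls-unverified is worth a second look before it reaches production, because the pem_bundle it carries is then never used to check the server.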

Hello! Any updates? The Yugabyte integration is still stuck without these parameters. Thanks!

mouglou avatar Jul 27 '22 20:07 mouglou