terraform-provider-vault
RSA key pair support to static database roles
Description
This PR updates the vault_database_secret_backend_static_role resource by allowing the credential_type field to be set in Vault for static database roles, which enables rsa_private_key support for them.
The changes are similar to https://github.com/hashicorp/terraform-provider-vault/pull/1901 but for the static role.
Community Note
- Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
- Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request
Tests:
$ docker-compose up -d vault mysql
[+] Building 0.0s (0/0)
[+] Running 2/2
✔ Container terraform-provider-vault-vault-1 Started 0.4s
✔ Container terraform-provider-vault-mysql-1 Started 0.4s
$ source ./.test-env
$ export MONGODB_ATLAS_CA_CERT=/Users/abarabash/certs/myCA.pem
$ export MONGODB_ATLAS_CA_KEY=/Users/abarabash/certs/myCA-dec.key
$ export MONGODB_ATLAS_PRIVATE_KEY=xxx
$ export MONGODB_ATLAS_PROJECT_ID=xxx
$ export MONGODB_ATLAS_PUBLIC_KEY=xxx
$ TESTARGS="--run DatabaseSecretBackendStaticRole" make testacc
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test --run DatabaseSecretBackendStaticRole -timeout 30m ./...
? github.com/hashicorp/terraform-provider-vault [no test files]
? github.com/hashicorp/terraform-provider-vault/cmd/coverage [no test files]
? github.com/hashicorp/terraform-provider-vault/cmd/generate [no test files]
? github.com/hashicorp/terraform-provider-vault/generated [no test files]
ok github.com/hashicorp/terraform-provider-vault/codegen 0.356s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/decode 0.252s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/generated/datasources/transform/encode 0.462s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/generated/resources/transform/alphabet 0.669s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/generated/resources/transform/role 0.635s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/generated/resources/transform/template 0.698s [no tests to run]
? github.com/hashicorp/terraform-provider-vault/helper [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/consts [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/identity/group [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/identity/mfa [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/pki [no test files]
ok github.com/hashicorp/terraform-provider-vault/generated/resources/transform/transformation 0.258s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/internal/identity/entity 0.441s [no tests to run]
? github.com/hashicorp/terraform-provider-vault/schema [no test files]
ok github.com/hashicorp/terraform-provider-vault/internal/provider 0.230s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/testutil 0.398s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/util 0.562s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/vault 9.493s
Thank you for working on this! @abarabash-sift Unfortunately, Vault currently doesn't support x509 client certificate authentication for static roles, only dynamic. I will create a ticket to track this. Thank you again!
@Zlaticanin I'm sorry, I got the naming wrong here: it's not for x509 but for RSA private keys. I'm trying to achieve similar behavior in Terraform to what I can do with the Vault CLI:
vault secrets enable -path=snowflake database
vault write snowflake/config/snowflake \
    plugin_name=snowflake-database-plugin \
    allowed_roles="*" \
    connection_url="{{username}}:{{password}}@snowflake.url" \
    username="xxx" \
    password="xxx"
vault write snowflake/static-roles/vault-test-user \
    db_name=xxx \
    username="vault_test_user" \
    rotation_period="24h" \
    rotation_statements="ALTER USER {{name}} SET RSA_PUBLIC_KEY='{{public_key}}';" \
    credential_type="rsa_private_key" \
    credential_config=format=pkcs8 \
    credential_config=key_bits=2048
It's been a while since I opened the PR, so I will work towards resolving the conflicts.
Here is the Terraform example of how we use it:
resource "vault_database_secret_backend_static_role" "snowflake_managed_static_user" {
  backend = vault_mount.snowflake.path
  credential_config = {
    format   = "pkcs8"
    key_bits = "2048"
  }
  credential_type = "rsa_private_key"
  db_name         = vault_database_secret_backend_connection.snowflake.name
  name            = "some-user"
  rotation_period = 604800
  rotation_statements = [
    "ALTER USER {{name}} SET RSA_PUBLIC_KEY='{{public_key}}';"
  ]
  username = "some_user"
}
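To check that a key handed back by such a static role actually matches the credential_config it was created with (format=pkcs8, key_bits=2048) before the rotation statement is trusted, here is an added Go example; it is not part of this PR or of the provider. NewSamplePKCS8 is a constructed stand-in for the rsa_private_key value Vault returns, and the assumption that Vault substitutes the PEM-encoded PKIX public key for {{public_key}} is stated in the code rather than taken from the page.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// NewSamplePKCS8 builds a constructed stand-in for the rsa_private_key value a
// static role with credential_type="rsa_private_key" returns: a PKCS#8 PEM key.
func NewSamplePKCS8(bits int) string {
	key, _ := rsa.GenerateKey(rand.Reader, bits) // errors ignored: fixed sample input
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
}

// VerifyStaticRSACred checks an issued key against the role's credential_config
// (format=pkcs8, key_bits=N) and returns the PEM-encoded PKIX public key, the
// form Vault is assumed to substitute for {{public_key}} in rotation_statements.
func VerifyStaticRSACred(privPEM, format string, keyBits int) (string, error) {
	if format != "pkcs8" {
		return "", fmt.Errorf("unsupported credential_config format %q", format)
	}
	block, _ := pem.Decode([]byte(privPEM))
	if block == nil || block.Type != "PRIVATE KEY" {
		return "", fmt.Errorf("not a PKCS#8 PEM block (expected type PRIVATE KEY)")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("parse PKCS#8: %w", err)
	}
	key, ok := parsed.(*rsa.PrivateKey)
	if !ok {
		return "", fmt.Errorf("private key is not RSA")
	}
	if got := key.N.BitLen(); got != keyBits {
		return "", fmt.Errorf("key_bits mismatch: config %d, issued %d", keyBits, got)
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

func main() { // stand-alone demo on a constructed 2048-bit sample
	fmt.Println(VerifyStaticRSACred(NewSamplePKCS8(2048), "pkcs8", 2048))
}
```

A PKCS#1 key (PEM type "RSA PRIVATE KEY") is rejected on purpose: the role above asks for pkcs8, and a mismatch there surfaces as a broken ALTER USER rotation rather than a clear error.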