
[Bug]: vault_database_secret_backend_static_role removes Labels in MongoDB database user

Open lantoli opened this issue 11 months ago • 0 comments

Terraform Core Version

1.7.4

Terraform Vault Provider Version

3.25.0

Vault Server Version

1.15.6

Affected Resource(s)

vault_database_secret_backend_static_role

Expected Behavior

The password is updated for the MongoDB database user, e.g. one created using a TF resource mongodbatlas_database_user, but Labels are not changed.

Actual Behavior

MongoDB database user Labels are removed.

This probably happens because the Atlas API is called incorrectly and an empty array is passed instead of not passing the Label field at all: https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Database-Users/operation/updateDatabaseUser

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

1 - CREATE SECRET

resource "vault_mount" "db" {
  path = "mongodbatlas"
  type = "database"
}

2 - CREATE DB CONNECTION (Vault)

resource "vault_database_secret_backend_connection" "atlas" {
  backend       = vault_mount.db.path
  name          = "atlas"
  allowed_roles = ["*"]

  mongodbatlas {
    public_key  = "redacted"
    private_key = "redacted"
    project_id  = "redacted"
  }
}

3 - RANDOM PASSWORD

resource "random_password" "secret" {
  length           = 16
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

4 - CREATE ATLAS-USER

resource "mongodbatlas_database_user" "static_user" {
  username           = "myuse"
  password           = random_password.secret.result
  project_id         = "redacted"
  auth_database_name = "admin"

  roles {
    role_name     = "readAnyDatabase"
    database_name = "admin"
  }

  labels {
    key   = "My Key"
    value = "My Value"
  }

  scopes {
    name = "darotest"
    type = "CLUSTER"
  }
}

5 - STORE USER CREDENTIALS IN VAULT

resource "vault_database_secret_backend_static_role" "app_user" {
  backend         = vault_mount.db.path
  name            = mongodbatlas_database_user.static_user.username
  db_name         = vault_database_secret_backend_connection.atlas.name
  username        = mongodbatlas_database_user.static_user.username
  rotation_period = 600
}

Steps to Reproduce

  • Run the TF file with 1-4; don't have 5 yet.
  • Run the Atlas MongoDB CLI command and see that the response includes the label "My Key": atlas dbusers describe myuse --projectId redacted_project_id --output=json
  • Add resource 5 and terraform apply.
  • Run the Atlas CLI command again and see that the labels are removed in the response.
  • Also, if something is changed in mongodbatlas_database_user, e.g. removing a role, it will detect a change in the resource including that it needs to add the labels, as they were removed by vault_database_secret_backend_static_role, probably when calling the Atlas API incorrectly.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

lantoli, Mar 04 '24 17:03
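The suspected cause described under "Actual Behavior" (an empty labels array sent on a password-only update where the field should be omitted), modelled in Go as an added example; this is not the provider's or the Vault MongoDB Atlas plugin's own code, and the request structs, BuildRotationBody and TouchesLabels are hypothetical stand-ins for whatever the real rotation call uses. TouchesLabels is the kind of check a test could run over an outgoing PATCH body to catch a rotation that would clobber user labels.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Label mirrors one entry of the Atlas database user "labels" array.
type Label struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

// Hypothetical update body shaped as the report suspects: without omitempty an
// empty slice is sent as [] and replaces the user's existing labels.
type rotateRequestClobbering struct {
	Password string  `json:"password"`
	Labels   []Label `json:"labels"`
}

// With omitempty a nil or empty slice drops the key, leaving labels untouched.
type rotateRequestSafe struct {
	Password string  `json:"password,omitempty"`
	Labels   []Label `json:"labels,omitempty"`
}

// BuildRotationBody: JSON each variant sends for a password-only rotation.
func BuildRotationBody(password string, useOmitEmpty bool) (string, error) {
	if useOmitEmpty {
		b, err := json.Marshal(rotateRequestSafe{Password: password})
		return string(b), err
	}
	b, err := json.Marshal(rotateRequestClobbering{Password: password, Labels: []Label{}})
	return string(b), err
}

// TouchesLabels reports whether a PATCH body carries a "labels" key at all.
func TouchesLabels(body string) (bool, error) {
	var fields map[string]json.RawMessage
	if err := json.Unmarshal([]byte(body), &fields); err != nil {
		return false, err
	}
	_, present := fields["labels"]
	return present, nil
}

func main() {
	fmt.Println(BuildRotationBody("constructed-example-password", false)) // labels clobbered
	fmt.Println(BuildRotationBody("constructed-example-password", true))  // key omitted
}
```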