
Terraform does not accept password_policy argument

Open ghost opened this issue 4 years ago • 2 comments

This issue was originally opened by @olafz as hashicorp/terraform#27943. It was migrated here as a result of the provider split. The original body of the issue is below.


Vault supports a password policy to be defined with a Database Secrets Engine. However, it cannot be defined via Terraform.

A password policy is used when generating passwords for this database. If not specified, vault will use a default policy defined (20 characters with at least 1 uppercase, 1 lowercase, 1 number, and 1 dash character).

Terraform Version

Terraform v0.14.6
+ provider registry.terraform.io/hashicorp/vault v2.18.0

Terraform Configuration Files

The simplest configuration to reproduce:

resource "vault_password_policy" "mysql" {
  name   = "mysql"
  policy = file("${path.module}/mysql-password-policy.hcl")
}

resource "vault_mount" "mysql" {
  path = "mysql/secrets"
  type = "database"
}

resource "vault_database_secret_backend_connection" "cluster" {
  backend                  = vault_mount.mysql.path
  name                     = "cluster"
  verify_connection        = true
  root_rotation_statements = [ "ALTER USER '{{username}}'@'%' IDENTIFIED BY '{{password}}'" ]
  allowed_roles            = [ "..." ]
  password_policy = vault_password_policy.mysql.name

  mysql {
    connection_url = "{{username}}:{{password}}@tcp(127.0.0.1:3306)/"
  }

  data = {
    username        = "username"
    password        = "password"
  }
}

Debug Output

Error: Unsupported argument
    password_policy = vault_password_policy.mysql.name

An argument named "password_policy" is not expected here.

Crash Output

N/A

Expected Behavior

I would expect that password_policy would be an accepted argument, as described here. It's at the same level as (for example) root_rotation_statements and allowed_roles, and those arguments are accepted.

Actual Behavior

The password_policy is not accepted. The error is shown under "Debug Output". I tried whether this change would work, but it does not make any difference. Terraform runs fine in this case, but the passwords generated do not match the custom policy; they match the default instead.

  # this does apply, but password policy is not applied
  data = {
    username        = "username"
    password        = "password"
    password_policy = vault_password_policy.mysql.name
  }

Steps to Reproduce

With the configuration above (and a valid mysql-password-policy.hcl file)

  1. terraform init
  2. terraform plan

Additional Context

None

References

N/A

ghost avatar Feb 26 '21 22:02 ghost
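The failure the reporter describes is silent: the apply succeeds and the engine keeps issuing credentials shaped by the default policy. A practical check is to validate an issued credential against the policy file itself. The following is an added example, not code from the issue or from the provider; it assumes a constructed mysql-password-policy.hcl and uses its own minimal parser covering only the length and charset-rule subset of Vault's policy language.

```python
import re

# Assumed content of the mysql-password-policy.hcl the issue's config reads (constructed, Vault policy HCL).
MYSQL_POLICY_HCL = """
length = 32
rule "charset" {
  charset   = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 2
}
rule "charset" {
  charset   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 2
}
rule "charset" {
  charset   = "0123456789"
  min-chars = 2
}
rule "charset" {
  charset   = "!@#$%^&*-"
  min-chars = 2
}
"""

def parse_policy(text):
    """Own minimal parser: returns (length, [(charset, min_chars), ...]); charset rules only."""
    length = re.search(r"^\s*length\s*=\s*(\d+)", text, re.M)
    if not length:
        raise ValueError("policy has no length attribute")
    rules = []
    for body in re.findall(r'rule\s+"charset"\s*\{([^}]*)\}', text):
        charset = re.search(r'charset\s*=\s*"([^"]*)"', body).group(1)
        min_chars = re.search(r"min-chars\s*=\s*(\d+)", body)
        rules.append((charset, int(min_chars.group(1)) if min_chars else 0))
    return int(length.group(1)), rules

def violations(policy_hcl, password):
    """Reasons an issued credential does not satisfy the policy (empty list means it complies)."""
    length, rules = parse_policy(policy_hcl)
    problems = []
    if len(password) != length:  # Vault generates exactly `length` characters
        problems.append(f"length {len(password)} != {length}")
    stray = set(password) - set("".join(cs for cs, _ in rules))
    if stray:
        problems.append("characters outside every charset: " + "".join(sorted(stray)))
    for charset, min_chars in rules:
        have = sum(c in charset for c in password)
        if have < min_chars:
            problems.append(f"need {min_chars} from {charset!r}, have {have}")
    return problems
```

Run violations() over a credential read from the role after apply; a 20-character default-shaped password (one upper, one lower, one digit, one dash) fails the custom policy on length and on the per-charset minimums, which is exactly the symptom the issue reports.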

Hey, do we have a solution for this?

viniciusgarcia-hotmart avatar Nov 30 '21 13:11 viniciusgarcia-hotmart

A workaround using null_resource, assuming $VAULT_TOKEN and $VAULT_ADDR environment variables are provided:

resource "null_resource" "apply_password_policy" {
  # Re-run the provisioner whenever the policy name changes.
  triggers = {
    policy_name = vault_password_policy.mysql.name
  }

  # Writes password_policy straight to the connection's config endpoint,
  # since the provider does not expose the argument.
  # NOTE: --insecure skips TLS certificate verification of $VAULT_ADDR;
  # drop it once Vault presents a certificate the runner trusts.
  provisioner "local-exec" {
    command = <<-EOF
      curl --silent --insecure \
        --header "X-Vault-Token: $VAULT_TOKEN" \
        --request POST \
        --data '{"password_policy":"${vault_password_policy.mysql.name}"}' \
        "$VAULT_ADDR/v1/${vault_mount.mysql.path}/config/${vault_database_secret_backend_connection.cluster.name}"
    EOF
  }
}

aleskiontherun avatar Sep 03 '22 18:09 aleskiontherun