hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Bug]: vault_database_secret_backend_static_role removes Labels in MongoDB database user #2171

Closed lantoli closed 4 months ago

lantoli commented 4 months ago

Terraform Core Version

1.7.4

Terraform Vault Provider Version

3.25.0

Vault Server Version

1.15.6

Affected Resource(s)

vault_database_secret_backend_static_role

Expected Behavior

The password is updated for the MongoDB database user, e.g. using a TF resource mongodbatlas_database_user, but Labels are not changed.

Actual Behavior

MongoDB database user Labels are removed.

This probably happens because the Atlas API is called incorrectly and an empty array is passed instead of not passing the Label field: https://www.mongodb.com/docs/atlas/reference/api-resources-spec/v2/#tag/Database-Users/operation/updateDatabaseUser

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

1 - CREATE SECRET

resource "vault_mount" "db" {
  path = "mongodbatlas"
  type = "database"
}

2 - CREATE DB CONNECTION (Vault)

resource "vault_database_secret_backend_connection" "atlas" {
  backend       = vault_mount.db.path
  name          = "atlas"
  allowed_roles = ["*"]

  mongodbatlas {
    public_key  = "redacted"
    private_key = "redacted"
    project_id  = "redacted"
  }
}

3 - RANDOM PASSWORD

resource "random_password" "secret" {
  length           = 16
  special          = true
  override_special = "!#$%&*()-=+[]{}<>:?"
}

4 - CREATE ATLAS-USER

resource "mongodbatlas_database_user" "static_user" {
  username           = "myuse"
  password           = random_password.secret.result
  project_id         = "redacted"
  auth_database_name = "admin"

  roles {
    role_name     = "readAnyDatabase"
    database_name = "admin"
  }

  labels {
    key   = "My Key"
    value = "My Value"
  }

  scopes {
    name = "darotest"
    type = "CLUSTER"
  }
}

5 - STORE USER CREDENTIALS IN VAULT

resource "vault_database_secret_backend_static_role" "app_user" {
  backend         = vault_mount.db.path
  name            = mongodbatlas_database_user.static_user.username
  db_name         = vault_database_secret_backend_connection.atlas.name
  username        = mongodbatlas_database_user.static_user.username
  rotation_period = 600
}

Steps to Reproduce

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

lantoli commented 4 months ago

Closing, as it seems to be a problem in the Atlas API.
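The distinction the issue raises, an empty array sent versus the field left out of the update body, shown as an added Go example; it is not code from the Vault plugin, the provider or Atlas. The struct names and the merge rule in `LabelsAfter` (only keys present in the body overwrite stored values) are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Label mirrors the key/value pair in the issue's labels block.
type Label struct {
	Key   string `json:"key"`
	Value string `json:"value"`
}

// UpdateAlways is a hypothetical request body that always emits "labels".
type UpdateAlways struct {
	Password string  `json:"password"`
	Labels   []Label `json:"labels"`
}

// UpdateOmit is the same hypothetical body but drops "labels" when it is empty.
type UpdateOmit struct {
	Password string  `json:"password"`
	Labels   []Label `json:"labels,omitempty"`
}

// Encode returns the JSON body a client would send.
func Encode(v interface{}) string {
	b, _ := json.Marshal(v) // cannot fail for these plain structs
	return string(b)
}

// LabelsAfter applies body to a constructed stored user under an assumed
// partial-update rule: only keys present in the body replace stored values.
func LabelsAfter(body string) string {
	stored := map[string]json.RawMessage{"labels": json.RawMessage(`[{"key":"My Key","value":"My Value"}]`)}
	var patch map[string]json.RawMessage
	if err := json.Unmarshal([]byte(body), &patch); err != nil {
		panic(err)
	}
	for k, v := range patch {
		stored[k] = v
	}
	return string(stored["labels"])
}

func main() {
	for _, b := range []string{Encode(UpdateAlways{Password: "new", Labels: []Label{}}), Encode(UpdateOmit{Password: "new"})} {
		fmt.Printf("%s -> labels: %s\n", b, LabelsAfter(b))
	}
}
```

A nil slice without `omitempty` serializes as `"labels":null`, a third wire form that a server may treat differently from both an empty array and an absent field.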