This PR updates vault_database_secret_backend_connection resource so that we can specify a password_policy.
One observation I would like to bubble up - there's potential for drift to be introduced if a password policy is set and applied, then subsequently removed from the configuration. In that scenario, the resource will not actually reconcile the engine's configuration to a defined default. The next plan or apply will show drift that can only be resolved by the resource if a new password policy is specified.
I modeled the existing behavior defined for other resource arguments, but I would be interested in feedback on the use of d.Get in place of d.GetOk.
Checklist
[x] Added CHANGELOG entry (only for user-facing changes)
[x] Acceptance tests were run against all supported Vault versions
Output from acceptance testing:
Only a subset of databases have been updated as part of the PR. I passed in the verbose argument to highlight which tests were updated. Only the tests that passed have been updated; tests that are skipped have not been changed.
$ make testacc TESTARGS='-run=^TestAccDatabaseSecretBackendConnection_\(postgresql\|mysql\)' | grep -v -E "testing: warning: no tests to run|^PASS$"
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -v -count 1 -run=^TestAccDatabaseSecretBackendConnection_\(postgresql\|mysql\) -timeout 30m ./...
? github.com/hashicorp/terraform-provider-vault [no test files]
? github.com/hashicorp/terraform-provider-vault/cmd/coverage [no test files]
? github.com/hashicorp/terraform-provider-vault/cmd/generate [no test files]
? github.com/hashicorp/terraform-provider-vault/helper [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/consts [no test files]
ok github.com/hashicorp/terraform-provider-vault/codegen 0.298s [no tests to run]
? github.com/hashicorp/terraform-provider-vault/internal/identity/group [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/identity/mfa [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/pki [no test files]
? github.com/hashicorp/terraform-provider-vault/internal/sync [no test files]
? github.com/hashicorp/terraform-provider-vault/schema [no test files]
? github.com/hashicorp/terraform-provider-vault/util/mountutil [no test files]
ok github.com/hashicorp/terraform-provider-vault/internal/identity/entity 0.422s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/internal/provider 0.742s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/testutil 0.979s [no tests to run]
ok github.com/hashicorp/terraform-provider-vault/util 0.832s [no tests to run]
=== RUN TestAccDatabaseSecretBackendConnection_postgresql_import
--- PASS: TestAccDatabaseSecretBackendConnection_postgresql_import (1.15s)
=== RUN TestAccDatabaseSecretBackendConnection_mysql_cloud
resource_database_secret_backend_connection_test.go:448: "MYSQL_CLOUD_CONNECTION_URL" must be set
--- SKIP: TestAccDatabaseSecretBackendConnection_mysql_cloud (0.00s)
=== RUN TestAccDatabaseSecretBackendConnection_mysql
--- PASS: TestAccDatabaseSecretBackendConnection_mysql (2.61s)
=== RUN TestAccDatabaseSecretBackendConnection_mysql_tls
resource_database_secret_backend_connection_test.go:730: "MYSQL_CA" must be set
--- SKIP: TestAccDatabaseSecretBackendConnection_mysql_tls (0.00s)
=== RUN TestAccDatabaseSecretBackendConnection_postgresql
--- PASS: TestAccDatabaseSecretBackendConnection_postgresql (1.48s)
=== RUN TestAccDatabaseSecretBackendConnection_postgresql_cloud
resource_database_secret_backend_connection_test.go:847: "POSTGRES_CLOUD_URL" must be set
--- SKIP: TestAccDatabaseSecretBackendConnection_postgresql_cloud (0.00s)
ok github.com/hashicorp/terraform-provider-vault/vault 5.918s
Community Note
Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request