hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

[Enhancement]: Support "password_authentication" for PostgreSQL backend #2315

Open Pigment-RomainLoisel opened 1 month ago

Pigment-RomainLoisel commented 1 month ago

Description

The capability to send a password digest instead of the cleartext password was added last year, but there seems to be no associated parameter for the backend config in the Terraform provider (or I couldn't find it).

Affected Resource(s) and/or Data Source(s)

No response

Potential Terraform Configuration

No response

References

https://github.com/hashicorp/vault/pull/19616

Would you like to implement a fix?

None

jSherz commented 3 weeks ago

One workaround:

resource "vault_mount" "database_engine" {
  // ...
}

resource "vault_database_secret_backend_connection" "host" {
  // ...
}

resource "vault_generic_endpoint" "set_password_authentication" {
  path = "${vault_mount.database_engine.path}/config/${vault_database_secret_backend_connection.host.name}"

  disable_read   = true
  disable_delete = true

  # This Terraform resource sends a POST request, but the Vault API merges the
  # following property with the existing configuration.
  data_json = jsonencode({
    password_authentication = "scram-sha-256"
  })

  depends_on = [
    vault_database_secret_backend_connection.host
  ]

  lifecycle {
    replace_triggered_by = [vault_database_secret_backend_connection.host]
  }
}
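To make concrete what `password_authentication = "scram-sha-256"` changes, here is an added example (not code from the thread, from jSherz, or from Vault itself) that builds the SCRAM-SHA-256 verifier PostgreSQL stores for a role, in the `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` format from RFC 5802/7677, and contrasts the `ALTER ROLE ... PASSWORD` literal that reaches the server in cleartext mode with the one sent in digest mode. PostgreSQL accepts a precomputed verifier in that literal and stores it as-is, which is why the cleartext password need not travel over the connection or appear in statement logging. The password, role name and salt are constructed values; the `ALTER ROLE` sketch is an illustration of the difference, not a reproduction of Vault's exact statement.

```python
"""Constructed example: SCRAM-SHA-256 verifier (RFC 5802 / RFC 7677) in the
string format PostgreSQL stores in pg_authid.rolpassword. Not Vault's code."""
import base64
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

ITERATIONS = 4096  # PostgreSQL's default scram_iterations


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Full SASLprep is approximated with NFKC; ASCII passwords are unaffected.
    normalized = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, iterations)


def build_verifier(password: str, salt: Optional[bytes] = None,
                   iterations: int = ITERATIONS) -> str:
    """Return 'SCRAM-SHA-256$<iter>:<salt>$<StoredKey>:<ServerKey>'."""
    if salt is None:
        salt = os.urandom(16)  # PostgreSQL also uses a 16-byte random salt
    salted = _salted_password(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return f"SCRAM-SHA-256${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def parse_verifier(verifier: str) -> Tuple[int, bytes, bytes, bytes]:
    """Split a stored verifier into (iterations, salt, StoredKey, ServerKey)."""
    mechanism, rest = verifier.split("$", 1)
    if mechanism != "SCRAM-SHA-256":
        raise ValueError("not a SCRAM-SHA-256 verifier")
    params, keys = rest.split("$", 1)
    iterations, salt = params.split(":", 1)
    stored_key, server_key = keys.split(":", 1)
    return (int(iterations), base64.b64decode(salt),
            base64.b64decode(stored_key), base64.b64decode(server_key))


def verify_password(password: str, verifier: str) -> bool:
    """Recompute StoredKey from a candidate password; constant-time compare."""
    iterations, salt, stored_key, _ = parse_verifier(verifier)
    salted = _salted_password(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)


def alter_role_statement(role: str, password: str, use_scram: bool) -> str:
    """Sketch of what the server receives: cleartext password vs. verifier.
    Single quotes inside the literal are doubled, the SQL escaping rule."""
    secret = build_verifier(password) if use_scram else password
    literal = secret.replace("'", "''")
    return f"ALTER ROLE \"{role}\" WITH PASSWORD '{literal}';"


if __name__ == "__main__":
    # Constructed demo values; the salt is fixed only so the output is repeatable.
    demo_salt = bytes(range(16))
    v = build_verifier("correct-horse-constructed", salt=demo_salt)
    print(v)
    print(verify_password("correct-horse-constructed", v))   # True
    print(alter_role_statement("app_ro", "pw-constructed", use_scram=False))
    print(alter_role_statement("app_ro", "pw-constructed", use_scram=True))
```

As a check after applying the workaround above, `vault read <mount>/config/<connection-name>` should list `password_authentication` as `scram-sha-256`; with the default `password` setting the cleartext literal from the first `ALTER ROLE` form is what reaches PostgreSQL, and with `log_statement` set to cover DDL it is what lands in the server log.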