hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0
457 stars 536 forks

make connection url sensitive in vault_database_secret_backend_connection #281

Open eedwards-sk opened 5 years ago

eedwards-sk commented 5 years ago

Overview

Currently the connection string for vault_database_secret_backend_connection is printed in plaintext, which makes it very dangerous since it's printed to logs by default and usually has root database credentials.

I run concourse in CI, so I make a concerted effort to minimize credential leaking, when possible. I can control access to state files, but this is currently out of my hands.

Terraform Version

Terraform 0.11.11, Vault provider 1.4.1

Affected Resource(s)

vault_database_secret_backend_connection

Expected Behavior

  + vault_database_secret_backend_connection.concourse
      id:                                <computed>
      allowed_roles.#:                   "1"
      allowed_roles.0:                   "concourse"
      backend:                           "postgres"
      name:                              "concourse"
      postgresql.#:                      "1"
      postgresql.0.connection_url:       "<sensitive>"
      postgresql.0.max_open_connections: "2"
      verify_connection:                 "true"

Actual Behavior

  + vault_database_secret_backend_connection.concourse
      id:                                <computed>
      allowed_roles.#:                   "1"
      allowed_roles.0:                   "concourse"
      backend:                           "postgres"
      name:                              "concourse"
      postgresql.#:                      "1"
      postgresql.0.connection_url:       "postgres://username-in-plaintext:password-in-plaintext@my-hostname:5432/my-db"
      postgresql.0.max_open_connections: "2"
      verify_connection:                 "true"

cvbarros commented 5 years ago

Hi @eedwards-sk, there is a workaround you can use until this is addressed:

Use the vault_database_secret_backend_connection resource with a data block, and inside this data block you reference variables. This trick is especially handy if db_user and db_password come instead from Vault itself as a generic_secret (that's how we do it and they don't leak).

# Assumed mount definition (not part of the original comment): the database
# secrets engine that the connection below is created under.
resource "vault_mount" "database_mount" {
  path = "database"
  type = "database"
}

variable "db_user" {}
variable "db_password" {}

locals {
  db_user     = "${var.db_user}"
  db_password = "${var.db_password}"
}

resource "vault_database_secret_backend_connection" "mysql_aurora" {
  backend           = "${vault_mount.database_mount.path}"
  name              = "db"
  allowed_roles     = ["*"]
  verify_connection = "false"

  mysql_aurora {
    # Placeholders only: Vault substitutes them server-side, so the plan
    # output shows the template rather than the real username and password.
    connection_url = "{{username}}:{{password}}@tcp(my-hostname)/"
  }

  # The real credentials are passed separately here; per this comment they
  # are not leaked the way connection_url is.
  data = {
    username = "${local.db_user}"
    password = "${local.db_password}"
  }
}
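An added check for the two points above (this is example code, not code from this issue, the provider, or the commenters): a scanner over Terraform 0.11 plan output that flags and redacts any connection URL carrying a literal username and password, while letting Vault-style `{{username}}`/`{{password}}` placeholders through, plus a helper to confirm that a connection_url template is placeholder-only before it is committed. The plan excerpt, hostnames and credentials in SAMPLE_PLAN are constructed for the example; the function names are ours.

```python
import re

# Matches a URL or Go-style DSN carrying userinfo: [scheme://]user:password@rest
URL_WITH_USERINFO = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)?"
    r"(?P<user>[^\s:/@\"']+):(?P<password>[^\s@\"']+)@"
    r"(?P<rest>[^\s\"']+)"
)

# A Vault connection template placeholder such as {{username}} or {{password}}
PLACEHOLDER = re.compile(r"^\{\{\s*[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")


def is_placeholder(value):
    return PLACEHOLDER.match(value) is not None


def find_embedded_credentials(plan_text):
    """Return (line_no, user, host) for every URL whose userinfo is a literal secret.

    Lines whose user and password are both {{placeholders}} are skipped: Vault
    fills those in server-side, so nothing secret is in the plan output.
    """
    findings = []
    for line_no, line in enumerate(plan_text.splitlines(), start=1):
        for m in URL_WITH_USERINFO.finditer(line):
            if is_placeholder(m["user"]) and is_placeholder(m["password"]):
                continue
            host = m["rest"].split("/", 1)[0].split(":", 1)[0]
            findings.append((line_no, m["user"], host))
    return findings


def redact_credentials(plan_text):
    """Replace literal userinfo with <redacted>:<redacted>, leaving placeholders alone."""
    def _sub(m):
        if is_placeholder(m["user"]) and is_placeholder(m["password"]):
            return m.group(0)
        return f"{m['scheme'] or ''}<redacted>:<redacted>@{m['rest']}"
    return URL_WITH_USERINFO.sub(_sub, plan_text)


def template_is_credential_free(connection_url):
    """True if the URL has no userinfo, or its userinfo consists only of placeholders."""
    m = URL_WITH_USERINFO.search(connection_url)
    if m is None:
        return "@" not in connection_url
    return is_placeholder(m["user"]) and is_placeholder(m["password"])


# Constructed plan excerpt modelled on the issue's "Actual Behavior" (not real output)
SAMPLE_PLAN = """\
  + vault_database_secret_backend_connection.concourse
      backend:                           "postgres"
      postgresql.0.connection_url:       "postgres://app_admin:s3cr3t-pw@db.internal:5432/concourse"
  + vault_database_secret_backend_connection.mysql_aurora
      mysql_aurora.0.connection_url:     "{{username}}:{{password}}@tcp(my-hostname)/"
"""

if __name__ == "__main__":
    for line_no, user, host in find_embedded_credentials(SAMPLE_PLAN):
        print(f"line {line_no}: literal credentials for user {user!r} at {host}")
    print(redact_credentials(SAMPLE_PLAN))
```

Piping `terraform plan` output through redact_credentials in the CI step keeps the secret out of the build log even on an older provider; template_is_credential_free is the pre-commit check that the workaround was applied to a given connection_url rather than a literal URL.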

eedwards-sk commented 5 years ago

@cvbarros Thanks for the suggestion, is that data block syntax documented anywhere? I haven't encountered that before.

cvbarros commented 5 years ago

It's an undocumented block for vault_database_secret_backend_connection. Check 03934f7a0abd89ab11aad0bd7229ed53953f72d8 or #168. Tests and docs were missing from the original PR 😢

marcinwyszynski commented 5 years ago

This workaround does not seem to work for me. The template is:

resource "vault_database_secret_backend_connection" "vault-test-db" {
  backend           = "${vault_mount.database.path}"
  name              = "vault"
  allowed_roles     = ["*"]
  verify_connection = false

  postgresql {
    # Host, port and database name come from a module; only the credential
    # placeholders appear in the URL itself.
    connection_url = "postgresql://{{username}}:{{password}}@${module.vault-test-db.address}:${module.vault-test-db.port}/${module.vault-test-db.db_name}"
  }

  # Credentials supplied out of band for Vault to substitute into the template.
  data = {
    username = "${module.vault-test-db.username}"
    password = "${module.vault-test-db.password}"
  }
}

When requesting credentials, I'm getting:

Code: 500. Errors:
  * 1 error occurred:
    * pq: Could not detect default username. Please provide one explicitly

marcinwyszynski commented 5 years ago

I did some digging and found out that the resource template is broken - data section is only inspected on resource creation, but not on update.