Open eedwards-sk opened 5 years ago
Hi @eedwards-sk, there is a workaround you can use until this is addressed: use the `vault_database_secret_backend_connection` resource with a `data` block, and inside this data block you reference variables. This trick is especially handy if `db_user` and `db_password` come instead from Vault itself as `generic_secret` (that's how we do it and they don't leak).
```hcl
variable "db_user" {}
variable "db_password" {}

locals {
  db_user     = "${var.db_user}"
  db_password = "${var.db_password}"
}

resource "vault_database_secret_backend_connection" "mysql_aurora" {
  backend           = "${vault_mount.database_mount.path}"
  name              = "db"
  allowed_roles     = ["*"]
  verify_connection = "false"

  mysql_aurora {
    # Vault substitutes the placeholders itself; no credentials are rendered into the plan/log output
    connection_url = "{{username}}:{{password}}@tcp(my-hostname)/"
  }

  data = {
    username = "${local.db_user}"
    password = "${local.db_password}"
  }
}
```
@cvbarros Thanks for the suggestion, is that `data` block syntax documented anywhere? I haven't encountered that before.
It's an undocumented block for `vault_database_secret_backend_connection`. Check 03934f7a0abd89ab11aad0bd7229ed53953f72d8 or #168. Tests and docs were missing from the original PR 😢
This workaround does not seem to work for me. The template is:

```hcl
resource "vault_database_secret_backend_connection" "vault-test-db" {
  backend           = "${vault_mount.database.path}"
  name              = "vault"
  allowed_roles     = ["*"]
  verify_connection = false

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@${module.vault-test-db.address}:${module.vault-test-db.port}/${module.vault-test-db.db_name}"
  }

  data = {
    username = "${module.vault-test-db.username}"
    password = "${module.vault-test-db.password}"
  }
}
```

When requesting credentials, I'm getting:

```
Code: 500. Errors:
* 1 error occurred:
* pq: Could not detect default username. Please provide one explicitly
```

I did some digging and found out that the resource template is broken: the `data` section is only inspected on resource creation, but not on update.
Overview
Currently the connection string for `vault_database_secret_backend_connection` is printed in plaintext, which makes it very dangerous since it's printed to logs by default and usually has root database credentials.
I run Concourse in CI, so I make a concerted effort to minimize credential leaking when possible. I can control access to state files, but this is currently out of my hands.
Terraform Version
0.11.11, vault provider: 1.4.1
Affected Resource(s)
Expected Behavior
Actual Behavior
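The issue is that a `connection_url` carrying literal credentials ends up in Terraform plan/apply output, whereas the workaround above renders only Vault's `{{username}}`/`{{password}}` placeholders. The following is an added example, not code from the issue or the provider, of a small log scanner a CI operator could run over Terraform output to catch the leaking form before it is archived. The log lines, hostnames and credentials are constructed for the example; the `connection_url:` line shape mirrors Terraform 0.11 plan output but is an assumption about the exact formatting.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of Terraform 0.11-style apply output (not from the issue).
# Lines 2 and 3 embed literal credentials; line 4 uses Vault's template
# placeholders, as in the data-block workaround, so nothing is exposed.
SAMPLE_LOG = """\
vault_database_secret_backend_connection.db: Creating...
  postgresql.0.connection_url: "" => "postgresql://vaultadmin:Sup3rS3cret@db.internal:5432/app"
  mysql_aurora.0.connection_url: "" => "root:hunter2@tcp(aurora.internal:3306)/"
  mysql.0.connection_url: "" => "{{username}}:{{password}}@tcp(db.internal:3306)/"
  data.%: "" => "2"
"""

# Matches the `old => new` rendering of a connection_url attribute in plan/apply output.
CONNECTION_URL_RE = re.compile(r'connection_url:\s*"[^"]*"\s*=>\s*"(?P<url>[^"]*)"')
# A Vault template placeholder such as {{username}} or {{password}}.
PLACEHOLDER_RE = re.compile(r"^\{\{\w+\}\}$")
# Go-style DSN used by the MySQL plugins: user:pass@tcp(host:port)/db (no scheme).
GO_DSN_RE = re.compile(r"^(?P<user>[^:@/]+):(?P<pw>[^@]*)@")


def extract_userinfo(url):
    """Return (username, password) embedded in a connection URL/DSN, or None."""
    if "://" in url:
        parts = urlsplit(url)
        if parts.username is None:
            return None
        return parts.username, parts.password or ""
    m = GO_DSN_RE.match(url)
    if m:
        return m.group("user"), m.group("pw")
    return None


def is_placeholder(value):
    return bool(PLACEHOLDER_RE.match(value))


def scan_log(text):
    """Return findings for every connection_url whose credentials are literal.

    Each finding carries the line number, the username (so the operator knows
    which account to rotate) and the URL with the password redacted, so the
    report itself does not re-leak the secret.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CONNECTION_URL_RE.search(line)
        if not m:
            continue
        url = m.group("url")
        info = extract_userinfo(url)
        if info is None:
            continue
        user, pw = info
        if is_placeholder(user) and is_placeholder(pw):
            continue  # Vault fills these from the data block at connect time
        redacted = url.replace(pw, "<redacted>", 1) if pw else url
        findings.append({"line": lineno, "user": user, "redacted": redacted})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: literal credentials for '{f['user']}' in {f['redacted']}")
```

The scanner treats a URL as safe only when both the user and the password are `{{...}}` placeholders; a username-only placeholder with a literal password is still reported, which matches the failure mode the issue is about.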