hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

Terraform does not accept password_policy argument #986

Open ghost opened 3 years ago

ghost commented 3 years ago

This issue was originally opened by @olafz as hashicorp/terraform#27943. It was migrated here as a result of the provider split. The original body of the issue is below.


Vault supports defining a password policy for a Database Secrets Engine. However, it cannot be defined via Terraform.

A password policy is used when generating passwords for this database. If not specified, Vault will use a predefined default policy (20 characters with at least 1 uppercase, 1 lowercase, 1 number, and 1 dash character).

Terraform Version

Terraform v0.14.6
+ provider registry.terraform.io/hashicorp/vault v2.18.0

Terraform Configuration Files

The simplest configuration to reproduce:

resource "vault_password_policy" "mysql" {
  name   = "mysql"
  policy = file("${path.module}/mysql-password-policy.hcl")
}

resource "vault_mount" "mysql" {
  path = "mysql/secrets"
  type = "database"
}

resource "vault_database_secret_backend_connection" "cluster" {
  backend                  = vault_mount.mysql.path
  name                     = "cluster"
  verify_connection        = true
  root_rotation_statements = [ "ALTER USER '{{username}}'@'%' IDENTIFIED BY '{{password}}'" ]
  allowed_roles            = [ "..." ]
  password_policy = vault_password_policy.mysql.name

  mysql {
    connection_url = "{{username}}:{{password}}@tcp(127.0.0.1:3306)/"
  }

  data = {
    username        = "username"
    password        = "password"
  }
}

Debug Output

Error: Unsupported argument
    password_policy = vault_password_policy.mysql.name

An argument named "password_policy" is not expected here.

Crash Output

N/A

Expected Behavior

I would expect that password_policy would be an accepted argument, as described here. It's at the same level as (for example) root_rotation_statements and allowed_roles, and those arguments are accepted.

Actual Behavior

The password_policy is not accepted. The error is shown under "Debug Output". I tried whether the following change would work, but it does not make any difference. Terraform runs fine in this case, but the passwords generated do not match the custom policy; they match the default instead.

  # this does apply, but password policy is not applied
  data = {
    username        = "username"
    password        = "password"
    password_policy = vault_password_policy.mysql.name
  }

Steps to Reproduce

With the configuration above (and a valid mysql-password-policy.hcl file)

  1. terraform init
  2. terraform plan

Additional Context

None

References

N/A

viniciusgarcia-hotmart commented 2 years ago

Hey, do we have a solution for this?

aleskiontherun commented 2 years ago

A workaround using null_resource, assuming the $VAULT_TOKEN and $VAULT_ADDR environment variables are set:

resource "null_resource" "apply_password_policy" {
  triggers = {
    policy_name = vault_password_policy.mysql.name
    # Also re-run when the connection itself is replaced; otherwise the
    # policy setting is silently lost on the new connection config.
    connection  = vault_database_secret_backend_connection.cluster.id
  }

  # --insecure disables TLS certificate verification; drop it outside of
  # test setups and point curl at the Vault CA with --cacert instead.
  # --fail turns a non-2xx response from Vault into a failed apply rather
  # than a silently ignored error.
  provisioner "local-exec" {
    command = <<-EOF
      curl --fail --silent --show-error --insecure --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"password_policy":"${vault_password_policy.mysql.name}"}' "$VAULT_ADDR/v1/${vault_mount.mysql.path}/config/${vault_database_secret_backend_connection.cluster.name}"
    EOF
  }
}