Open ghost opened 3 years ago
Hey, do we have a solution for this?
A workaround using `null_resource`, assuming the `$VAULT_TOKEN` and `$VAULT_ADDR` environment variables are provided:

```hcl
resource "null_resource" "apply_password_policy" {
  triggers = {
    policy_name = vault_password_policy.mysql.name
  }

  provisioner "local-exec" {
    # --insecure disables TLS certificate verification for the call to $VAULT_ADDR.
    command = <<-EOF
      curl --silent --insecure --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"password_policy":"${vault_password_policy.mysql.name}"}' "$VAULT_ADDR/v1/${vault_mount.mysql.path}/config/${vault_database_secret_backend_connection.cluster.name}"
    EOF
  }
}
```
This issue was originally opened by @olafz as hashicorp/terraform#27943. It was migrated here as a result of the provider split. The original body of the issue is below.
Vault supports a password policy being defined with a Database Secrets Engine. However, it cannot be defined via Terraform.
A password policy is used when generating passwords for this database. If not specified, Vault will use a default policy (20 characters with at least 1 uppercase, 1 lowercase, 1 number, and 1 dash character).
Terraform Version
Terraform Configuration Files
The simplest configuration to reproduce:
Debug Output
Crash Output
N/A
Expected Behavior
I would expect that `password_policy` would be an accepted argument, as described here. It's at the same level as (for example) `root_rotation_statements`, `allowed_roles` and those arguments are accepted.
Actual Behavior
The `password_policy` is not accepted. The error is shown under "Debug Output". I tried whether this change would work, but it does not make any difference. Terraform runs fine in this case, but the passwords generated do not match the custom policy but match the default instead.
Steps to Reproduce
With the configuration above (and a valid `mysql-password-policy.hcl` file):

```shell
terraform init
terraform plan
```
Additional Context
None
References
N/A
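The symptom reported under "Actual Behavior" (generated passwords matching Vault's default policy instead of the custom one) is easy to confirm from a handful of credentials, which is also how to verify that the `null_resource` workaround above actually took effect. The following is an added example, not code from the issue or from the provider: it parses the `length` and `rule "charset"` subset of Vault password-policy HCL and classifies sampled credentials as fitting the custom policy, the default described in the issue, or neither. The contents of `mysql-password-policy.hcl` are not shown in the issue, so the custom policy below is a constructed stand-in, and a charset rule without `min-chars` is treated as minimum 0 (an assumption of this example).

```python
import re
# Added example (not the issue's or the provider's code): parses the `length` and
# `rule "charset"` subset of Vault password-policy HCL and checks credentials against it.
_LENGTH_RE = re.compile(r'^\s*length\s*=\s*(\d+)', re.M)
_RULE_RE = re.compile(r'rule\s+"charset"\s*\{([^}]*)\}', re.S)
_CHARSET_RE = re.compile(r'charset\s*=\s*"([^"]*)"')
_MIN_RE = re.compile(r'min-chars\s*=\s*(\d+)')
def parse_policy(hcl_text):
    """Return {"length": int, "rules": [(charset, min_chars), ...]} from policy HCL."""
    length = _LENGTH_RE.search(hcl_text)
    if length is None:
        raise ValueError("policy has no length setting")
    rules = []
    for body in _RULE_RE.findall(hcl_text):
        charset, min_chars = _CHARSET_RE.search(body), _MIN_RE.search(body)
        # A rule without min-chars is treated as min 0 here (an assumption of this example).
        rules.append((charset.group(1), int(min_chars.group(1)) if min_chars else 0))
    return {"length": int(length.group(1)), "rules": rules}

def matches_policy(password, policy):
    """True if the password has the policy's exact length and meets every charset minimum."""
    if len(password) != policy["length"]:
        return False
    return all(sum(ch in cs for ch in password) >= n for cs, n in policy["rules"])

def diagnose(passwords, custom, default):
    """'custom' if all samples fit the custom policy, 'default' if they only fit Vault's default."""
    for name, policy in (("custom", custom), ("default", default)):
        if all(matches_policy(p, policy) for p in passwords):
            return name
    return "neither"

# Vault's default policy as the issue describes it: 20 chars, >= 1 upper, lower, digit and dash.
DEFAULT_POLICY = parse_policy("""
length = 20
rule "charset" { charset = "abcdefghijklmnopqrstuvwxyz"  min-chars = 1 }
rule "charset" { charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  min-chars = 1 }
rule "charset" { charset = "0123456789"  min-chars = 1 }
rule "charset" { charset = "-"  min-chars = 1 }
""")

# Constructed stand-in for mysql-password-policy.hcl (the issue does not show its contents).
CUSTOM_POLICY = parse_policy("""
length = 32
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 4
}
rule "charset" { charset = "0123456789"  min-chars = 2 }
""")
```

Feed `diagnose()` a few passwords read from the role's credentials endpoint; a result of `"default"` after applying the custom policy reproduces the behaviour the issue describes.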