Open e-r-holt opened 1 year ago
@e-r-holt I think one could emulate that by having a differently specified user. Like 'user'@'%' can be also specified as 'user'@'0.0.0.0/0.0.0.0'. One would have to be careful about which user gets grants, but that would be it.
Any implementation with the new feature will have some issues as this change is stateful.
That said, I'm ok with an implementation that would use this
retain_old_password = true
as long as someone provides a patch. I am not planning to write it in the near future.
Terraform Version
Terraform v1.1.6
Affected Resource(s)
Expected behavior
The terraform resources should support the MySQL Dual password feature introduced in MySQL 8.0
then the two passwords could be accessed
Actual Behavior
Existing functionality only supports one password
Important Factoids
Password rotation is paramount to good security, but automating this process poses a risk to services using a password at the time it gets rotated. To avoid breaking operations, I want two active passwords for a given user. This allows me to rotate the latest password frequently, and trust that a running server will be replaced by an upcoming soonTM deployment, and pull the newest password.
Eventually, all servers will pull the latest password during a new deployment, and the old one will not be actively used by the time it is rotated in ~15-30 days.
References
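The rotation flow requested in this issue, written out as the underlying MySQL statements to show the server-side state a provider would have to track. This is an added example, not part of the issue or the provider's code. The account name and passwords are constructed placeholders, and it assumes MySQL 8.0.14 or later, where the dual password clauses exist.

```sql
-- Constructed example: 'app'@'%' and every password below are placeholders.
-- Managing a secondary password on another account needs CREATE USER;
-- an account doing this for itself needs APPLICATION_PASSWORD_ADMIN.

-- Start: the account has a single (primary) password.
CREATE USER 'app'@'%' IDENTIFIED BY 'placeholder-pw-1';

-- Rotation 1: pw-2 becomes primary, pw-1 is kept as the secondary.
-- Servers still holding pw-1 keep authenticating until they redeploy.
ALTER USER 'app'@'%' IDENTIFIED BY 'placeholder-pw-2'
  RETAIN CURRENT PASSWORD;

-- Rotation 2: pw-3 becomes primary and pw-2 replaces pw-1 as secondary.
-- pw-1 stops working here, so a server may lag at most one rotation.
ALTER USER 'app'@'%' IDENTIFIED BY 'placeholder-pw-3'
  RETAIN CURRENT PASSWORD;

-- Caveat: changing the primary WITHOUT the RETAIN clause does not drop
-- the secondary. After this statement pw-4 and pw-2 are both valid,
-- and pw-3 is not.
ALTER USER 'app'@'%' IDENTIFIED BY 'placeholder-pw-4';

-- Audit: 1 means the account still holds a secondary password;
-- NULL or 0 means it has only the primary.
SELECT user, host,
       JSON_CONTAINS_PATH(User_attributes, 'one',
                          '$.additional_password') AS has_secondary
FROM mysql.user
WHERE user = 'app';

-- Retire the old credential explicitly once every client has moved on.
ALTER USER 'app'@'%' DISCARD OLD PASSWORD;
```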