
hashivault_db_secret_engine_config password changes logic #395

Open
Roxyrob opened this issue Feb 13, 2022 · 2 comments

Comments


Roxyrob commented Feb 13, 2022

I faced a behavior that is not so clear to me; I'm not sure if it depends on the procedural nature of Ansible, on the 'hashivault_db_secret_engine_config' module, or on HashiCorp Vault database secrets engine logic. I depict a simplified sequence of steps below:

  1. A task to configure dbms for vault integration (vaultuser/vaultpuserwd and permissions)
  2. A task using module hashivault_db_secret_engine_config for main config of a vault database secret engine, with integration with dbms configured on step (1.)
  3. vaultuser dbms/vault credentials rotation (based on update flag)

After the fix for issue #381, hashivault_db_secret_engine_config no longer changes without code modifications. This is right and avoids dbms credentials inconsistency after step (3.). Right!

The problem arises because of an argument present in hashivault_db_secret_engine_config that is more dynamic than the other ones (the list of allowed_roles). If I add another step:

  4. Add new vault database secret engine roles and so add these new roles to allowed_roles; on the next pipeline cycle, step (2.) will run hashivault_db_secret_engine_config, which correctly sets the new allowed_roles list but ALSO CHANGES THE PASSWORD, reverting it to the original one and so making the dbms/vault connection inconsistent (as this will change the password in the vault config but not on the dbms).

What do you think about that? Not sure if this is something to solve by:

  1. hashivault's hashivault_db_secret_engine_config, which by checking the connection to the database backend would keep consistency between the dbms and vault password (as rotate already does)
  2. HashiCorp Vault's database secrets engine, which as far as I know does not actually natively support this consistency
  3. My code in Ansible, even if such a solution appears suboptimal, as dbms management code can live in entirely different code (role/playbook) than the vault management code, so it is very unnatural and difficult to manage and to maintain atomicity

Sure, a solution could be setting allowed_roles: "*", but then we would lose a useful security configuration.

TerryHowe (Owner) commented

Maybe if rotation wasn't specified and this line was removed: https://github.com/TerryHowe/ansible-modules-hashivault/blob/main/ansible/modules/hashivault/hashivault_db_secret_engine_config.py#L127. I'm just concerned about the ramifications of that. I don't recall why that line is there in the first place.


Roxyrob commented Feb 16, 2022

I think that line can perhaps be tied to this: #385, but root_rotation_statements does not deal directly with credentials rotation, as that is another task. root_rotation_statements in hashivault_db_secret_engine_config only allows customizing the rotation statements if they are not standard for some dbms versions, etc.; it will contain the queries/statements that rotation will call if not empty.

I'm thinking about a force: true|false flag to allow a forced configuration change based on external events (like database vault user credential changes).
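To make the discussion above concrete, here is an added illustration (not the module's code, nor anything from the ansible-modules-hashivault project) of an update planner that keeps allowed_roles idempotent while treating the password as write-only, with a `force` flag like the one proposed in this thread. It assumes a flattened config dict (the real Vault response nests connection details), that Vault never returns the password on read, and that omitting `password` on a write leaves the stored (possibly rotated) password untouched; the sample values are constructed.

```python
# Hypothetical planner (added example, not the hashivault module's logic).
PASSWORD_KEYS = {"password"}  # write-only fields never echoed back by Vault


def normalize(value):
    # allowed_roles is a set semantically: order/duplicates must not trigger a change
    if isinstance(value, list):
        return sorted(set(value))
    return value


def plan_config_update(current, desired, force=False):
    """Return (changed, payload) for a DB connection config write.

    current: flattened config read back from Vault, or None if it does not exist
             (assumed to omit the password, as Vault does).
    desired: config the playbook wants, possibly including a password.
    force:   re-send the password even though the config already exists
             (e.g. after an out-of-band DBMS credential change).
    """
    if current is None:
        # First creation: everything, including the password, must be sent.
        return True, dict(desired)

    payload = {}
    for key, want in desired.items():
        if key in PASSWORD_KEYS:
            continue  # handled separately below
        if normalize(current.get(key)) != normalize(want):
            payload[key] = want

    if force:
        # Operator asserts the DBMS password really is `desired["password"]`.
        payload.update({k: desired[k] for k in PASSWORD_KEYS if k in desired})

    if not payload:
        return False, {}
    # The module writes the whole config, so carry over unchanged non-secret
    # fields; the password is only included when forced (assumption: Vault
    # keeps its stored password when the field is omitted).
    merged = {k: v for k, v in current.items() if k not in PASSWORD_KEYS}
    merged.update(payload)
    return True, merged


# Constructed sample: Vault already holds a rotated password we do not know.
CURRENT = {"plugin_name": "mysql-database-plugin",
           "allowed_roles": ["app-ro", "app-rw"]}
DESIRED = {"plugin_name": "mysql-database-plugin",
           "allowed_roles": ["app-rw", "app-ro", "report"],
           "password": "original-pw"}

if __name__ == "__main__":
    print(plan_config_update(CURRENT, DESIRED))
```

With these inputs the planner reports a change for the new role but sends no password, so the rotated credential in Vault stays in sync with the DBMS; only `force=True` re-sends `original-pw`.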
