diff --git a/CHANGELOG.md b/CHANGELOG.md
index 20200e039..e81599a51 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@ BUGS:
 * fix `vault_kv_secret_v2` drift when "data" is in secret name/path ([#2104](https://github.com/hashicorp/terraform-provider-vault/pull/2104))
+* fix `vault_database_secret_backend_connection`: allow mysql_rds,mysql_aurora,mysql_legacy options of vault_database_secret_backend_connection terraform resource to allow specifying tls_ca and tls_certificate_key ([#2106](https://github.com/hashicorp/terraform-provider-vault/pull/2106))
 ## 3.23.0 (Nov 15, 2023)
diff --git a/vault/resource_database_secret_backend_connection.go b/vault/resource_database_secret_backend_connection.go
index e0ca2cd65..2878414ef 100644
--- a/vault/resource_database_secret_backend_connection.go
+++ b/vault/resource_database_secret_backend_connection.go
@@ -534,32 +534,26 @@ func getDatabaseSchema(typ schema.ValueType) schemaMap {
 ConflictsWith: util.CalculateConflictsWith(dbEngineMySQL.Name(), dbEngineTypes),
 },
 dbEngineMySQLRDS.name: {
- Type: typ,
- Optional: true,
- Description: "Connection parameters for the mysql-rds-database-plugin plugin.",
- Elem: connectionStringResource(&connectionStringConfig{
- includeUserPass: true,
- }),
+ Type: typ,
+ Optional: true,
+ Description: "Connection parameters for the mysql-rds-database-plugin plugin.",
+ Elem: mysqlConnectionStringResource(),
 MaxItems: 1,
 ConflictsWith: util.CalculateConflictsWith(dbEngineMySQLRDS.Name(), dbEngineTypes),
 },
 dbEngineMySQLAurora.name: {
- Type: typ,
- Optional: true,
- Description: "Connection parameters for the mysql-aurora-database-plugin plugin.",
- Elem: connectionStringResource(&connectionStringConfig{
- includeUserPass: true,
- }),
+ Type: typ,
+ Optional: true,
+ Description: "Connection parameters for the mysql-aurora-database-plugin plugin.",
+ Elem: mysqlConnectionStringResource(),
 MaxItems: 1,
 ConflictsWith: util.CalculateConflictsWith(dbEngineMySQLAurora.Name(), dbEngineTypes),
 },
 dbEngineMySQLLegacy.name: {
- Type: typ,
- Optional: true,
- Description: "Connection parameters for the mysql-legacy-database-plugin plugin.",
- Elem: connectionStringResource(&connectionStringConfig{
- includeUserPass: true,
- }),
+ Type: typ,
+ Optional: true,
+ Description: "Connection parameters for the mysql-legacy-database-plugin plugin.",
+ Elem: mysqlConnectionStringResource(),
 MaxItems: 1,
 ConflictsWith: util.CalculateConflictsWith(dbEngineMySQLLegacy.Name(), dbEngineTypes),
 },
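Review bot: The three entries now take their Elem from `mysqlConnectionStringResource()`, which is defined outside this hunk, so the RDS, Aurora and Legacy blocks inherit every field that helper declares rather than only `tls_ca` and `tls_certificate_key`; it is worth confirming that nothing the respective plugins do not accept is now forwarded to Vault. `tls_certificate_key` carries private-key material, so the shared schema should declare it `Sensitive: true` to keep it out of plan output and diffs — that cannot be verified from this hunk. Since only the Description differs between the three literals, a small helper such as `mysqlEngineSchema(typ, engine, desc)` returning the `*schema.Schema` would remove the triplication and keep the four MySQL-family entries from drifting apart again. getDatabaseSchema continues beyond the hunk on both sides.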
@@ -912,11 +906,11 @@ func getDatabaseAPIDataForEngine(engine *dbEngine, idx int, d *schema.ResourceDa
 case dbEngineMySQL:
 setMySQLDatabaseConnectionData(d, prefix, data, meta)
 case dbEngineMySQLRDS:
- setDatabaseConnectionDataWithUserPass(d, prefix, data)
+ setMySQLDatabaseConnectionData(d, prefix, data, meta)
 case dbEngineMySQLAurora:
- setDatabaseConnectionDataWithUserPass(d, prefix, data)
+ setMySQLDatabaseConnectionData(d, prefix, data, meta)
 case dbEngineMySQLLegacy:
- setDatabaseConnectionDataWithUserPass(d, prefix, data)
+ setMySQLDatabaseConnectionData(d, prefix, data, meta)
 case dbEngineOracle:
 setDatabaseConnectionDataWithUserPass(d, prefix, data)
 case dbEnginePostgres:
@@ -1890,11 +1884,11 @@ func getDBConnectionConfig(d *schema.ResourceData, engine *dbEngine, idx int,
 case dbEngineMySQL:
 result = getMySQLConnectionDetailsFromResponse(d, prefix, resp, meta)
 case dbEngineMySQLRDS:
- result = getConnectionDetailsFromResponseWithUserPass(d, prefix, resp)
+ result = getMySQLConnectionDetailsFromResponse(d, prefix, resp, meta)
 case dbEngineMySQLAurora:
- result = getConnectionDetailsFromResponseWithUserPass(d, prefix, resp)
+ result = getMySQLConnectionDetailsFromResponse(d, prefix, resp, meta)
 case dbEngineMySQLLegacy:
- result = getConnectionDetailsFromResponseWithUserPass(d, prefix, resp)
+ result = getMySQLConnectionDetailsFromResponse(d, prefix, resp, meta)
 case dbEngineOracle:
 result = getConnectionDetailsFromResponseWithUserPass(d, prefix, resp)
 case dbEnginePostgres:
diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go
index 653b50a5e..6d30dec17 100644
--- a/vault/resource_database_secret_backend_connection_test.go
+++ b/vault/resource_database_secret_backend_connection_test.go
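Review bot: The three rewritten cases in getDatabaseAPIDataForEngine now have bodies identical to the `dbEngineMySQL` case directly above them, so the switch can list the engines together, `case dbEngineMySQL, dbEngineMySQLRDS, dbEngineMySQLAurora, dbEngineMySQLLegacy:` followed by the single `setMySQLDatabaseConnectionData(d, prefix, data, meta)` call; the second hunk in getDBConnectionConfig has the same shape with `getMySQLConnectionDetailsFromResponse` and should be folded the same way. One shared case also makes it structurally impossible for the MySQL-family engines to diverge again, which is how this bug arose. Both functions begin and end outside their hunks, and what the MySQL helpers do with `meta` is not visible here.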
@@ -749,10 +749,29 @@ func TestAccDatabaseSecretBackendConnection_mysql_tls(t *testing.T) {
 resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.max_connection_lifetime", "0"),
 resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "data.%", "1"),
 resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "data.password", password),
- resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.tlsCA", tlsCA+"\n"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.tls_ca", tlsCA+"\n"),
 resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.0.tls_certificate_key", tlsCertificateKey+"\n"),
 ),
 },
+ {
+ Config: testAccDatabaseSecretBackendConnectionConfig_mysql_aurora_tls(name, backend, connURL, password, tlsCA, tlsCertificateKey),
+ Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName,
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.#", "2"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.0", "dev"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.1", "prod"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "root_rotation_statements.#", "1"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "root_rotation_statements.0", "FOOBAR"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "verify_connection", "true"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.connection_url", connURL),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.max_open_connections", "2"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.max_idle_connections", "0"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.max_connection_lifetime", "0"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "data.%", "1"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "data.password", password),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.tls_ca", tlsCA+"\n"),
+ resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql_aurora.0.tls_certificate_key", tlsCertificateKey+"\n"),
+ ),
+ },
 },
 })
 }
@@ -1509,6 +1528,36 @@ EOT
 `, path, name, connURL, tls_ca, tls_certificate_key, password)
 }
+func testAccDatabaseSecretBackendConnectionConfig_mysql_aurora_tls(name, path, connURL, password, tls_ca, tls_certificate_key string) string {
+ return fmt.Sprintf(`
+resource "vault_mount" "db" {
+ path = "%s"
+ type = "database"
+}
+
+resource "vault_database_secret_backend_connection" "test" {
+ backend = vault_mount.db.path
+ name = "%s"
+ allowed_roles = ["dev", "prod"]
+ root_rotation_statements = ["FOOBAR"]
+
+ mysql_aurora {
+ connection_url = "%s"
+ tls_ca = <
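Review bot: The new Aurora step hands the enclosing test's `pluginName` to testComposeCheckFuncCommonDatabaseSecretBackend while configuring a `mysql_aurora` block; `pluginName` is set outside the hunk, so if it names the plain mysql plugin the common check asserts the wrong `plugin_name` for this step, and it should be checked against the aurora plugin name. Because the step swaps the engine block on the same resource, it would also be worth asserting that the previous block is gone, `resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mysql.#", "0"),`, so the test proves the ConflictsWith switch rather than just the new attributes. TestAccDatabaseSecretBackendConnection_mysql_tls starts before the hunk.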