db: add fields for skip auto rotation of static roles #2386

Merged
merged 9 commits into from
Feb 10, 2025

Conversation

fairclothjm
Contributor

@fairclothjm fairclothjm commented Jan 3, 2025

Description

Add support for skipping auto rotation of static roles.

We only support the role-level setting `skip_import_rotation` and omit support for the config-level setting `skip_static_role_import_rotation`. This is because the config-level setting is always overridden by the role-level setting due to the bug with the Terraform SDK v2 described here. That bug forces the role-level setting to always be sent to Vault as an explicit `skip_import_rotation=false` whereas it should be sent as empty. This behavior causes the config-level setting to have no effect. Therefore, we will not support the config-level setting in TFVP because it does not function correctly. This is not ideal; however, the ability to set the feature at the role level is sufficient for a user to be able to enable the feature.

Vault PR: hashicorp/vault#29093

Once the feature is released in Vault 1.18.4 and the build matrix is updated, the failing test will pass.
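
The override described in the PR description above, modeled as an added Go example; it is not code from the provider, the Terraform SDK or Vault. Only the field name `skip_import_rotation` comes from the PR; the payload types, `effectiveSkip` and its precedence rule (a role-level value present in the request wins over the config-level default) are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// boolPayload models a client that cannot tell "unset" from false (hypothetical
// type), so skip_import_rotation is always serialized.
type boolPayload struct {
	SkipImportRotation bool `json:"skip_import_rotation"`
}

// optionalPayload models a client that omits the field when the user left it unset.
type optionalPayload struct {
	SkipImportRotation *bool `json:"skip_import_rotation,omitempty"`
}

// effectiveSkip applies the assumed precedence: role-level value if present, else config-level.
func effectiveSkip(body []byte, configLevel bool) (bool, error) {
	var req struct {
		SkipImportRotation *bool `json:"skip_import_rotation"`
	}
	if err := json.Unmarshal(body, &req); err != nil {
		return false, err
	}
	if req.SkipImportRotation != nil {
		return *req.SkipImportRotation, nil
	}
	return configLevel, nil
}

// resolve serializes a role payload and returns the request body with the resulting decision.
func resolve(payload any, configLevel bool) (string, bool, error) {
	body, err := json.Marshal(payload)
	if err != nil {
		return "", false, err
	}
	skip, err := effectiveSkip(body, configLevel)
	return string(body), skip, err
}

func main() {
	// Config-level skip is enabled; the role-level field is left unset in both payloads.
	for _, p := range []any{boolPayload{}, optionalPayload{}} {
		body, skip, _ := resolve(p, true)
		fmt.Printf("%-32s -> import rotation skipped: %v\n", body, skip)
	}
}
```

With the always-serialized boolean, the request carries an explicit `false` and the config-level `true` never takes effect, so the static role's credential is rotated on import even though the operator asked for it to be skipped.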

@fairclothjm fairclothjm force-pushed the VAULT-31660/db-skip-static-role-import-rotation branch from db6f700 to d601371 Compare January 17, 2025 17:28
@fairclothjm fairclothjm requested a review from a team January 17, 2025 19:52
@fairclothjm fairclothjm marked this pull request as ready for review January 17, 2025 19:56
@fairclothjm fairclothjm requested a review from a team as a code owner January 17, 2025 19:56
@fairclothjm fairclothjm requested review from kitography and removed request for kitography January 17, 2025 19:56
vinay-gopalan
vinay-gopalan previously approved these changes Jan 22, 2025
Contributor

@vinay-gopalan vinay-gopalan left a comment

LGTM! Is the test failing for 1.18 CI because the latest Vault version (which would have the feature enabled) is not yet released? If so, should we wait to merge this PR until the monthly release?

@fairclothjm
Contributor Author

@vinay-gopalan

> Is the test failing for 1.18 CI because the latest Vault version (which would have the feature enabled) is not yet released? If so, should we wait to merge this PR until the monthly release?

Yep!

@fairclothjm fairclothjm force-pushed the VAULT-31660/db-skip-static-role-import-rotation branch from e425d4e to 357f9ca Compare February 4, 2025 20:24
@fairclothjm fairclothjm added this to the 4.7.0 milestone Feb 4, 2025
@fairclothjm fairclothjm force-pushed the VAULT-31660/db-skip-static-role-import-rotation branch from 78c4cdd to 3076681 Compare February 10, 2025 18:53
@fairclothjm fairclothjm merged commit 0430fcd into main Feb 10, 2025
12 checks passed
@fairclothjm fairclothjm deleted the VAULT-31660/db-skip-static-role-import-rotation branch February 10, 2025 21:52