Vault provider doesn't support static-roles for PostgreSQL

Wolfsrudel · November 25, 2019, 11:01am

It seems that the vault provider doesn’t support static-roles for PostgreSQL (https://learn.hashicorp.com/vault/secrets-management/db-creds-rotation):

resource "vault_database_secret_backend_role" "role" {
  backend             = vault_mount.db.path
  name                = "my-role"
  db_name             = vault_database_secret_backend_connection.postgres.name
  creation_statements = "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"
}

When a role is created it is setup in vault_mount.db.path/role but for static-roles it should be vault_mount.db.path/static-roles. In addition the credentials should be found in vault_mount.db.path/static-creds instead of vault_mount.db.path/creds.

Maybe there should be a bool is_static_role which defaults to false and if true the static-paths should be used.

Wolfsrudel · November 28, 2019, 7:26pm

I’ve opened an issue for this: https://github.com/terraform-providers/terraform-provider-vault/issues/621

Wolfsrudel · November 28, 2019, 7:37pm

The code is there (https://github.com/terraform-providers/terraform-provider-vault/blob/master/vault/resource_database_secret_backend_static_role.go), but the docs are missing the entry.

Topic		Replies	Views
The `vault_gcp_secret_static_account_key` resource for Vault Provider Terraform Providers connect , vault	0	9	October 17, 2024
Verify_connection=false not working with static roles Vault	4	455	July 24, 2020
Unable to generate database credentials, Error "role used to generate credentials is not an allowed role" Vault hcp-terraform , vault	1	670	September 7, 2022
Vault terraform provider configuration Vault	1	792	November 11, 2021
Terraform won't create certificate role in vault Terraform Providers vault	2	217	December 20, 2022

Vault provider doesn't support static-roles for PostgreSQL

Related topics