Vault provider doesn't support static-roles for PostgreSQL

Wolfsrudel · November 25, 2019, 11:01am

It seems that the vault provider doesn’t support static-roles for PostgreSQL (https://learn.hashicorp.com/vault/secrets-management/db-creds-rotation):

resource "vault_database_secret_backend_role" "role" {
  backend             = vault_mount.db.path
  name                = "my-role"
  db_name             = vault_database_secret_backend_connection.postgres.name
  creation_statements = "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"
}

When a role is created it is setup in vault_mount.db.path/role but for static-roles it should be vault_mount.db.path/static-roles. In addition the credentials should be found in vault_mount.db.path/static-creds instead of vault_mount.db.path/creds.

Maybe there should be a bool is_static_role which defaults to false and if true the static-paths should be used.

Wolfsrudel · November 28, 2019, 7:26pm

I’ve opened an issue for this: https://github.com/terraform-providers/terraform-provider-vault/issues/621

Wolfsrudel · November 28, 2019, 7:37pm

The code is there (https://github.com/terraform-providers/terraform-provider-vault/blob/master/vault/resource_database_secret_backend_static_role.go), but the docs are missing the entry.