Verify_connection=false not working with static roles

I am working on setting up Vault for static credentials (rotating password only). I am using Terraform to set up Vault in local testing (Docker) and on the production instance. This also involves running some test cases. For this reason, I want the connection not to be checked during setup or testing, as the target database might not be available at that time. I have used verify_connection=false, but somehow it is not working. The setup is failing because it is not able to establish the connection.

Initially I thought that this might be a Terraform issue, but the same issue appears with manual setup as well.

Does anybody know if this is correct behaviour or if there is a bug?

Hello,

Can you share some more logs of the error that you see in Vault and in Terraform?

I believe the easiest way, since you are using Terraform, is to use depends_on in your TF code to create a dependency between the Vault container and the DB container. Let me know if that is not the case.

Martin

  1. I tried depends_on, but it failed to parse.

  2. For Terraform, I am getting the error below:

Error: Error applying plan:

1 error occurred:
* module.my-database.vault_database_secret_backend_static_role.my-database-backend-role: 1 error occurred:
* vault_database_secret_backend_static_role.my-database-backend-role: error creating static role “my-app-role” for backend “default/my-app/database”: Error making API request.

URL: PUT http://localhost:8200/v1/default/my-app/database/static-roles/my-database-app-role
Code: 500. Errors:

  • 1 error occurred:
    * error setting credentials: rpc error: code = Unknown desc = unable to create database transaction: ORA-12545: Connect failed because target host or object does not exist

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

  3. For manual setup, I followed this link:
    https://learn.hashicorp.com/vault/secrets-management/db-creds-rotation
    The only difference is that my URL was parameterized.

Hello,

Regarding this:

I tried depends_on, but it failed to parse.

Would you share your TF code, so I can try to reproduce the issue? It should not fail; in the 0.13 version of TF, depends_on might be used for modules as well.

Martin

Hi Martin,
Sorry, but I cannot share the code. About the version, I am using 0.11.14.