Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

don't send password updates if no change #1912

Merged
merged 2 commits into from
Jun 21, 2023
Merged

don't send password updates if no change #1912

merged 2 commits into from
Jun 21, 2023

Conversation

raymonstah
Copy link
Contributor

Closes #1629 (again).

Prevents sending the password to Vault when there is no change in the Terraform state.

Updates the remaining database engines:

  • Redis
  • Cassandra
  • Couchbase
  • InfluxDB
  • Elasticsearch

Elasticache was left out since it doesn't use a traditional password as far as I can tell. I believe it's just an alias for the AWS Secret Key.

In addition:

  • updates docker-compose.yml to include database engines for easier testing

raymonstah
raymonstah commented Jun 20, 2023
View reviewed changes
vault/resource_database_secret_backend_connection.go
Comment on lines -866 to -903
if v, ok := d.GetOk(prefix + "hosts"); ok {
log.Printf("[DEBUG] Cassandra hosts: %v", v.([]interface{}))
var hosts []string
for _, host := range v.([]interface{}) {
if v == nil {
continue
}
hosts = append(hosts, host.(string))
}
data["hosts"] = strings.Join(hosts, ",")
}
if v, ok := d.GetOkExists(prefix + "port"); ok {
data["port"] = v.(int)
}
if v, ok := d.GetOk(prefix + "username"); ok {
data["username"] = v.(string)
}
if v, ok := d.GetOk("cassandra.0.password"); ok {
data["password"] = v.(string)
}
if v, ok := d.GetOkExists(prefix + "tls"); ok {
data["tls"] = v.(bool)
}
if v, ok := d.GetOkExists("cassandra.0.insecure_tls"); ok {
data["insecure_tls"] = v.(bool)
}
if v, ok := d.GetOkExists("cassandra.0.pem_bundle"); ok {
data["pem_bundle"] = v.(string)
}
if v, ok := d.GetOkExists(prefix + "pem_json"); ok {
data["pem_json"] = v.(string)
}
if v, ok := d.GetOkExists(prefix + "protocol_version"); ok {
data["protocol_version"] = v.(int)
}
if v, ok := d.GetOkExists(prefix + "connect_timeout"); ok {
data["connect_timeout"] = v.(int)
}
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this block was moved to its own function

vault/resource_database_secret_backend_connection.go
Comment on lines -913 to +876
if v, ok := d.GetOk(prefix + "public_key"); ok {
data["public_key"] = v.(string)
}
if v, ok := d.GetOk(prefix + "private_key"); ok {
data["private_key"] = v.(string)
}
if v, ok := d.GetOk(prefix + "project_id"); ok {
data["project_id"] = v.(string)
}
setMongoDBAtlasDatabaseConnectionData(d, prefix, data)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this block was moved to its own function

@raymonstah raymonstah requested a review from a team June 21, 2023 00:19
@raymonstah raymonstah marked this pull request as ready for review June 21, 2023 00:19
fairclothjm
fairclothjm reviewed Jun 21, 2023
View reviewed changes
docker-compose.yaml Outdated
ports:
- "9042:9042"
volumes:
- ./cassandra.yaml:/etc/cassandra/cassandra.yaml
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: could we move the cassandra.yaml file out of the top-level directory? Since it is only for testing, I find it to be out of place here. Maybe we could put it in ./testdata?

fairclothjm
fairclothjm reviewed Jun 21, 2023
View reviewed changes
vault/resource_database_secret_backend_connection_test.go
@@ -823,6 +824,27 @@ func TestAccDatabaseSecretBackendConnection_elasticsearch(t *testing.T) {
resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.0.tls_server_name", "test"),
),
},
{
PreConfig: func() {
// Uncomment block below to actually rotate root. We're avoiding doing this in CI test runs
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we wanted to enable this, we could create a Vault user specifically for this tests. Example: https://github.com/hashicorp/vault-plugin-database-elasticsearch#create-a-role-for-vault

I don't think it is strictly necessary though since the behavior seems well tested enough.

fairclothjm
fairclothjm approved these changes Jun 21, 2023
View reviewed changes
Copy link
Contributor

@fairclothjm fairclothjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks!

@raymonstah raymonstah merged commit d49ebb8 into main Jun 21, 2023
@raymonstah raymonstah deleted the VAULT-9245/update-remaining-database-engines branch June 21, 2023 18:24
@vinay-gopalan vinay-gopalan added this to the 3.17.0 milestone Jun 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fairclothjm fairclothjm fairclothjm approved these changes

Assignees
No one assigned
Labels
size/XL
Projects
None yet
Milestone
3.17.0
Development

Successfully merging this pull request may close these issues.

Database engine password is sent even if not changed
3 participants
@raymonstah @fairclothjm @vinay-gopalan