vault_database_secret_backend_static_role

Creates a Database Secret Backend static role in Vault. Database secret backend static roles can be used to manage a 1-to-1 mapping of a Vault role to a user in a database.

Example Usage

resource "vault_mount" "db" {
  path = "postgres"
  type = "database"
}

resource "vault_database_secret_backend_connection" "postgres" {
  backend       = vault_mount.db.path
  name          = "postgres"
  allowed_roles = ["*"]

  postgresql {
    connection_url = "postgres://username:password@host:port/database"
  }
}

# configure a static role with period-based rotations
resource "vault_database_secret_backend_static_role" "period_role" {
  backend             = vault_mount.db.path
  name                = "my-period-role"
  db_name             = vault_database_secret_backend_connection.postgres.name
  username            = "example"
  rotation_period     = "3600"
  rotation_statements = ["ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';"]
}

# configure a static role with schedule-based rotations
resource "vault_database_secret_backend_static_role" "schedule_role" {
  backend             = vault_mount.db.path
  name                = "my-schedule-role"
  db_name             = vault_database_secret_backend_connection.postgres.name
  username            = "example"
  rotation_schedule   = "0 0 * * SAT"
  rotation_window     = "172800"
  rotation_statements = ["ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';"]
}

Argument Reference

The following arguments are supported:

Warning: The rotation_period and rotation_schedule fields are mutually exclusive. One of them must be set but not both.
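
The constraint in the warning above can be enforced at plan time when this resource is wrapped in a module. The following is an added example, not part of the provider documentation: every variable name is an assumption of this example, and the precondition block requires Terraform 1.2 or later.

```hcl
# Added example: module-style wrapper around the static role resource.
# Variable names are hypothetical; resource arguments are those shown on this page.
variable "backend" { type = string }   # mount path, e.g. "postgres"
variable "db_name" { type = string }   # name of the database connection
variable "role_name" { type = string } # name of the Vault static role
variable "username" { type = string }  # existing database user to manage

variable "rotation_period" {
  type        = number
  default     = null
  description = "Seconds between rotations. Set this or rotation_schedule."
}

variable "rotation_schedule" {
  type        = string
  default     = null
  description = "Cron-style schedule. Set this or rotation_period."
}

variable "rotation_window" {
  type        = number
  default     = null
  description = "Seconds after a scheduled start in which rotation may occur."
}

resource "vault_database_secret_backend_static_role" "this" {
  backend           = var.backend
  name              = var.role_name
  db_name           = var.db_name
  username          = var.username
  rotation_period   = var.rotation_period
  rotation_schedule = var.rotation_schedule

  # Design choice of this example: forward the window only when a schedule
  # is set, matching how schedule_role uses it in the usage section.
  rotation_window = var.rotation_schedule != null ? var.rotation_window : null

  rotation_statements = ["ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';"]

  lifecycle {
    # True only when exactly one of the two rotation settings is non-null.
    precondition {
      condition     = (var.rotation_period == null) != (var.rotation_schedule == null)
      error_message = "Set exactly one of rotation_period or rotation_schedule."
    }
  }
}
```

With this in place, a caller that sets both values or neither gets the error from terraform plan instead of a failure when the role is written to Vault.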

Attributes Reference

No additional attributes are exported by this resource.

Import

Database secret backend static roles can be imported using the backend, /static-roles/, and the name, e.g.:

$ terraform import vault_database_secret_backend_static_role.example postgres/static-roles/my-role