Creates a Database Secret Backend role in Vault. Database secret backend roles can be used to generate dynamic credentials for the database.
```hcl
# Mount the database secrets engine at the path "postgres".
resource "vault_mount" "db" {
  path = "postgres"
  type = "database"
}

# Connection the engine uses to manage users in the database; only the
# roles listed in allowed_roles may issue credentials through it.
resource "vault_database_secret_backend_connection" "postgres" {
  backend       = vault_mount.db.path
  name          = "postgres"
  allowed_roles = ["dev", "prod"]

  postgresql {
    connection_url = "postgres://username:password@host:port/database"
  }
}

# Role whose creation statements run every time dynamic credentials are
# requested; {{name}}, {{password}} and {{expiration}} are filled in by Vault.
resource "vault_database_secret_backend_role" "role" {
  backend             = vault_mount.db.path
  name                = "dev"
  db_name             = vault_database_secret_backend_connection.postgres.name
  creation_statements = ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"]
}
```
The following arguments are supported:

* `namespace` - (Optional) The namespace to provision the resource in. The value should not contain leading or trailing forward slashes. The namespace is always relative to the provider's configured namespace. Available only for Vault Enterprise.
* `name` - (Required) A unique name to give the role.
* `backend` - (Required) The unique name of the Vault mount to configure.
* `db_name` - (Required) The unique name of the database connection to use for the role.
* `creation_statements` - (Required) The database statements to execute when creating a user.
* `revocation_statements` - (Optional) The database statements to execute when revoking a user.
* `rollback_statements` - (Optional) The database statements to execute when rolling back creation due to an error.
* `renew_statements` - (Optional) The database statements to execute when renewing a user.
* `default_ttl` - (Optional) The default number of seconds for leases for this role.
* `max_ttl` - (Optional) The maximum number of seconds for leases for this role.
* `credential_type` - (Optional) Specifies the type of credential that will be generated for the role. Options include: `password`, `rsa_private_key`, `client_certificate`. See the plugin's API page for credential types supported by individual databases.
* `credential_config` - (Optional) Specifies the configuration for the given `credential_type`. The following options are available for each `credential_type` value:
  * `password`
    * `password_policy` - (Optional) The policy used for password generation. If not provided, defaults to the password policy of the database configuration.
  * `rsa_private_key`
    * `key_bits` - (Optional) The bit size of the RSA key to generate. Options include: `2048`, `3072`, `4096`.
    * `format` - (Optional) The output format of the generated private key credential. The private key will be returned from the API in PEM encoding. Options include: `pkcs8`.
  * `client_certificate`
    * `common_name_template` - (Optional) A username template to be used for the client certificate common name.
    * `ca_cert` - (Optional) The PEM-encoded CA certificate.
    * `ca_private_key` - (Optional) The PEM-encoded private key for the given `ca_cert`.
    * `key_type` - (Required) Specifies the desired key type. Options include: `rsa`, `ed25519`, `ec`.
    * `key_bits` - (Optional) Number of bits to use for the generated keys. Options include: `2048` (default), `3072`, `4096`; with `key_type=ec`, allowed values are: `224`, `256` (default), `384`, `521`; ignored with `key_type=ed25519`.
    * `signature_bits` - (Optional) The number of bits to use in the signature algorithm. Options include: `256` (default), `384`, `512`.

No additional attributes are exported by this resource.
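As an added example that is not part of the provider's documentation, the configuration below ties together several of the arguments above: a `prod` role (matching the `allowed_roles` entry in the connection above) that selects a Vault password policy through `credential_config`, bounds its leases with `default_ttl` and `max_ttl`, and defines explicit renew and revocation statements so expired credentials are actually extended or removed in PostgreSQL. It assumes the `vault_mount.db` and `vault_database_secret_backend_connection.postgres` resources from the example above, a PostgreSQL schema named `app`, and a password policy named `db-prod`; all three names are assumptions.

```hcl
# Password policy applied instead of the connection's default (assumed
# name and rules; vault_password_policy is a provider resource).
resource "vault_password_policy" "db_prod" {
  name   = "db-prod"
  policy = <<-EOT
    length = 32
    rule "charset" {
      charset   = "abcdefghijklmnopqrstuvwxyz"
      min-chars = 1
    }
    rule "charset" {
      charset   = "0123456789"
      min-chars = 1
    }
  EOT
}

resource "vault_database_secret_backend_role" "prod" {
  backend = vault_mount.db.path
  name    = "prod"
  db_name = vault_database_secret_backend_connection.postgres.name

  # Leases last one hour by default and can never be renewed past one day.
  default_ttl = 3600
  max_ttl     = 86400

  credential_type = "password"
  credential_config = {
    password_policy = vault_password_policy.db_prod.name
  }

  # Create a login role that expires with the lease and can only read "app"
  # (assumed schema name).
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA app TO \"{{name}}\";",
  ]
  # Push the expiry forward in place when the lease is renewed.
  renew_statements = [
    "ALTER ROLE \"{{name}}\" VALID UNTIL '{{expiration}}';",
  ]
  # Strip privileges before dropping so the DROP succeeds even when grants
  # still exist; otherwise revocation would fail and the lease would linger.
  revocation_statements = [
    "REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA app FROM \"{{name}}\";",
    "DROP ROLE IF EXISTS \"{{name}}\";",
  ]
}
```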
Database secret backend roles can be imported using the `backend`, `/roles/`, and the `name`, e.g.

```
$ terraform import vault_database_secret_backend_role.example postgres/roles/my-role
```