Configure any number of database secrets engines under a single dedicated mount resource.

This resource will be replaced (destroyed and re-created) when the `name` of any configured database engine is changed.

Example usage:

```hcl
resource "vault_database_secrets_mount" "db" {
  path = "db"

  mssql {
    name           = "db1"
    username       = "sa"
    password       = "super_secret_1"
    connection_url = "sqlserver://{{username}}:{{password}}@127.0.0.1:1433"
    allowed_roles = [
      "dev1",
    ]
  }

  postgresql {
    name              = "db2"
    username          = "postgres"
    password          = "super_secret_2"
    connection_url    = "postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres"
    verify_connection = true
    allowed_roles = [
      "dev2",
    ]
  }
}

resource "vault_database_secret_backend_role" "dev1" {
  name    = "dev1"
  backend = vault_database_secrets_mount.db.path
  db_name = vault_database_secrets_mount.db.mssql[0].name
  creation_statements = [
    "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
    "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
    "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];",
  ]
}

resource "vault_database_secret_backend_role" "dev2" {
  name    = "dev2"
  backend = vault_database_secrets_mount.db.path
  db_name = vault_database_secrets_mount.db.postgresql[0].name
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
}
```
The following arguments are supported for the Vault mount:

* `path` - (Required) Where the secret backend will be mounted.
* `description` - (Optional) Human-friendly description of the mount.
* `default_lease_ttl_seconds` - (Optional) Default lease duration for tokens and secrets in seconds.
* `max_lease_ttl_seconds` - (Optional) Maximum possible lease duration for tokens and secrets in seconds.
* `audit_non_hmac_response_keys` - (Optional) Specifies the list of keys that will not be HMAC'd by audit devices in the response data object.
* `audit_non_hmac_request_keys` - (Optional) Specifies the list of keys that will not be HMAC'd by audit devices in the request data object.
* `local` - (Optional) Boolean flag that can be explicitly set to true to enforce a local mount in an HA environment.
* `options` - (Optional) Specifies mount-type-specific options that are passed to the backend.
* `seal_wrap` - (Optional) Boolean flag that can be explicitly set to true to enable seal wrapping for the mount, causing values stored by the mount to be wrapped by the seal's encryption capability.
* `external_entropy_access` - (Optional) Boolean flag that can be explicitly set to true to enable the secrets engine to access Vault's external entropy source.
* `allowed_managed_keys` - (Optional) Set of managed key registry entry names that the mount in question is allowed to access.
The following arguments are common to all database engines:

* `plugin_name` - (Optional) Specifies the name of the plugin to use.
* `verify_connection` - (Optional) Whether the connection should be verified on initial configuration or not.
* `allowed_roles` - (Optional) A list of roles that are allowed to use this connection.
* `root_rotation_statements` - (Optional) A list of database statements to be executed to rotate the root user's credentials.
* `data` - (Optional) A map of sensitive data to pass to the endpoint. Useful for templated connection strings.
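As an added example (not taken from the provider's documentation), the following mount combines the mount-level and engine-level arguments listed above into a hardened configuration: short lease TTLs, seal wrapping, a root credential read from a sensitive variable instead of a literal in the `.tf` file, and `root_rotation_statements` so that the bootstrap password stops being valid once Vault rotates it. The variable name `pg_root_password`, the `vault_root` account, the host `db.internal` and the `sslmode=verify-full` query parameter are assumptions about the target environment.

```hcl
variable "pg_root_password" {
  type      = string
  sensitive = true # assumed: supplied via TF_VAR_pg_root_password, never committed
}

resource "vault_database_secrets_mount" "db" {
  path        = "db"
  description = "Dynamic PostgreSQL credentials for the dev team"

  # Mount-level limits: credentials issued under this mount expire after one
  # hour by default and can never be renewed past eight hours in total.
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 28800

  # Wrap the stored connection configuration (including the root password)
  # with the seal's encryption capability.
  seal_wrap = true

  postgresql {
    name     = "db2"
    username = "vault_root"        # assumed: dedicated root account for Vault
    password = var.pg_root_password

    # sslmode=verify-full makes the plugin reject an unverified server
    # certificate instead of sending the root password over a downgraded link.
    connection_url    = "postgresql://{{username}}:{{password}}@db.internal:5432/postgres?sslmode=verify-full"
    verify_connection = true

    # Only the roles named here may request credentials from this connection.
    allowed_roles = ["dev2"]

    # Executed when the root credential is rotated: Vault replaces the
    # bootstrap password with one only it knows.
    root_rotation_statements = [
      "ALTER ROLE \"{{username}}\" WITH PASSWORD '{{password}}';",
    ]
  }
}
```

Because `verify_connection = true`, `terraform apply` fails rather than storing a connection Vault cannot reach. Replacing the mount (for example by changing the `name` of the `postgresql` block) disables and re-creates it, which revokes every lease issued under it.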
Supported list of database secrets engines that can be configured:

* `cassandra` - (Optional) A nested block containing configuration options for Cassandra connections. See the configuration options below for more info.
* `couchbase` - (Optional) A nested block containing configuration options for Couchbase connections. See the configuration options below for more info.
* `elasticsearch` - (Optional) A nested block containing configuration options for Elasticsearch connections. See the configuration options below for more info.
* `hana` - (Optional) A nested block containing configuration options for SAP HanaDB connections. See the configuration options below for more info.
* `mongodb` - (Optional) A nested block containing configuration options for MongoDB connections. See the configuration options below for more info.
* `mongodbatlas` - (Optional) A nested block containing configuration options for MongoDB Atlas connections. See the configuration options below for more info.
* `mssql` - (Optional) A nested block containing configuration options for MSSQL connections. See the configuration options below for more info.
* `mysql` - (Optional) A nested block containing configuration options for MySQL connections. See the configuration options below for more info.
* `mysql_rds` - (Optional) A nested block containing configuration options for RDS MySQL connections. See the configuration options below for more info.
* `mysql_aurora` - (Optional) A nested block containing configuration options for Aurora MySQL connections. See the configuration options below for more info.
* `mysql_legacy` - (Optional) A nested block containing configuration options for legacy MySQL connections. See the configuration options below for more info.
* `oracle` - (Optional) A nested block containing configuration options for Oracle connections. See the configuration options below for more info.
* `postgresql` - (Optional) A nested block containing configuration options for PostgreSQL connections. See the configuration options below for more info.
* `redshift` - (Optional) A nested block containing configuration options for AWS Redshift connections. See the configuration options below for more info.
* `snowflake` - (Optional) A nested block containing configuration options for Snowflake connections. See the configuration options below for more info.
* `influxdb` - (Optional) A nested block containing configuration options for InfluxDB connections. See the configuration options below for more info.
* `redis` - (Optional) A nested block containing configuration options for Redis connections. See the configuration options below for more info.
* `redis_elasticache` - (Optional) A nested block containing configuration options for Redis ElastiCache connections. See the configuration options below for more info.
Cassandra configuration options:

* `hosts` - (Required) The hosts to connect to.
* `username` - (Required) The username to authenticate with.
* `password` - (Required) The password to authenticate with.
* `port` - (Optional) The default port to connect to if no port is specified as part of the host.
* `tls` - (Optional) Whether to use TLS when connecting to Cassandra.
* `insecure_tls` - (Optional) Whether to skip verification of the server certificate when using TLS.
* `pem_bundle` - (Optional) Concatenated PEM blocks configuring the certificate chain.
* `pem_json` - (Optional) A JSON structure configuring the certificate chain.
* `protocol_version` - (Optional) The CQL protocol version to use.
* `connect_timeout` - (Optional) The number of seconds to use as a connection timeout.
Couchbase configuration options:

* `hosts` - (Required) A set of Couchbase URIs to connect to. Must use the `couchbases://` scheme if `tls` is true.
* `username` - (Required) Specifies the username for Vault to use.
* `password` - (Required) Specifies the password corresponding to the given username.
* `tls` - (Optional) Whether to use TLS when connecting to Couchbase.
* `insecure_tls` - (Optional) Whether to skip verification of the server certificate when using TLS.
* `base64_pem` - (Optional) Required if `tls` is true. Specifies the certificate authority of the Couchbase server, as a PEM certificate that has been base64 encoded.
* `bucket_name` - (Optional) Required for Couchbase versions prior to 6.5.0. This is only used to verify Vault's connection to the server.
* `username_template` - (Optional) Template describing how dynamic usernames are generated.
Elasticsearch configuration options:

* `url` - (Required) The URL for Elasticsearch's API. If `https` is used, the server certificate must be issued by a trusted CA.
* `username` - (Required) The username to be used in the connection.
* `password` - (Required) The password to be used in the connection.
* `ca_cert` - (Optional) The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity.
* `ca_path` - (Optional) The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity.
* `client_cert` - (Optional) The path to the certificate for the Elasticsearch client to present for communication.
* `client_key` - (Optional) The path to the key for the Elasticsearch client to use for communication.
* `tls_server_name` - (Optional) This, if set, is used to set the SNI host when connecting via TLS.
* `insecure` - (Optional) Whether to disable certificate verification.
* `username_template` - (Optional) For Vault v1.7+. The template to use for username generation. See Vault docs for more details.
InfluxDB configuration options:

* `host` - (Required) The host to connect to.
* `username` - (Required) The username to authenticate with.
* `password` - (Required) The password to authenticate with.
* `port` - (Optional) The default port to connect to if no port is specified as part of the host.
* `tls` - (Optional) Whether to use TLS when connecting to InfluxDB.
* `insecure_tls` - (Optional) Whether to skip verification of the server certificate when using TLS.
* `pem_bundle` - (Optional) Concatenated PEM blocks configuring the certificate chain.
* `pem_json` - (Optional) A JSON structure configuring the certificate chain.
* `username_template` - (Optional) Template describing how dynamic usernames are generated.
* `connect_timeout` - (Optional) The number of seconds to use as a connection timeout.
MongoDB configuration options:

* `connection_url` - (Required) A URL containing connection information. See Vault docs.
* `username` - (Optional) The root credential username used in the connection URL.
* `password` - (Optional) The root credential password used in the connection URL.
* `username_template` - (Optional) For Vault v1.7+. The template to use for username generation. See Vault docs.
MongoDB Atlas configuration options:

* `public_key` - (Required) The Public Programmatic API Key used to authenticate with the MongoDB Atlas API.
* `private_key` - (Required) The Private Programmatic API Key used to connect with the MongoDB Atlas API.
* `project_id` - (Required) The Project ID the Database User should be created within.
SAP HanaDB configuration options:

* `connection_url` - (Required) A URL containing connection information. See Vault docs.
* `max_open_connections` - (Optional) The maximum number of open connections to use.
* `max_idle_connections` - (Optional) The maximum number of idle connections to maintain.
* `max_connection_lifetime` - (Optional) The maximum number of seconds to keep a connection alive for.
* `username` - (Optional) The root credential username used in the connection URL.
* `password` - (Optional) The root credential password used in the connection URL.
* `disable_escaping` - (Optional) Disable special character escaping in username and password.
MSSQL configuration options:

* `connection_url` - (Required) A URL containing connection information. See Vault docs.
* `max_open_connections` - (Optional) The maximum number of open connections to use.
* `max_idle_connections` - (Optional) The maximum number of idle connections to maintain.
* `max_connection_lifetime` - (Optional) The maximum number of seconds to keep a connection alive for.
* `username_template` - (Optional) For Vault v1.7+. The template to use for username generation. See Vault docs.
* `username` - (Optional) The root credential username used in the connection URL.
* `password` - (Optional) The root credential password used in the connection URL.
* `disable_escaping` - (Optional) Disable special character escaping in username and password.
* `contained_db` - (Optional bool: false) For Vault v1.9+. Set to true when the target is a Contained Database, e.g. AzureSQL. See Vault docs.
MySQL configuration options (`mysql`, `mysql_rds`, `mysql_aurora`, `mysql_legacy`):

* `connection_url` - (Required) A URL containing connection information. See Vault docs.
* `max_open_connections` - (Optional) The maximum number of open connections to use.
* `max_idle_connections` - (Optional) The maximum number of idle connections to maintain.
* `max_connection_lifetime` - (Optional) The maximum number of seconds to keep a connection alive for.
* `username` - (Optional) The root credential username used in the connection URL.
* `password` - (Optional) The root credential password used in the connection URL.
* `tls_certificate_key` - (Optional) x509 certificate for connecting to the database. This must be a PEM-encoded version of the private key and the certificate combined.
* `tls_ca` - (Optional) x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded.
* `username_template` - (Optional) For Vault v1.7+. The template to use for username generation. See Vault docs.
Oracle configuration options:

* `connection_url` - (Required) A URL containing connection information. See Vault docs.
* `max_open_connections` - (Optional) The maximum number of open connections to use.
* `max_idle_connections` - (Optional) The maximum number of idle connections to maintain.
* `username` - (Optional) The root credential username used in the connection URL.
* `password` - (Optional) The root credential password used in the connection URL.
* `max_connection_lifetime` - (Optional) The maximum number of seconds to keep a connection alive for.
* `username_template` - (Optional) For Vault v1.7+. The template to use for username generation. See Vault docs.
PostgreSQL configuration options:

* `connection_url` - (Required) A URL containing connection information. See Vault docs.
* `max_open_connections` - (Optional) The maximum number of open connections to use.
* `max_idle_connections` - (Optional) The maximum number of idle connections to maintain.
* `max_connection_lifetime` - (Optional) The maximum number of seconds to keep a connection alive for.
* `username` - (Optional) The root credential username used in the connection URL.
* `password` - (Optional) The root credential password used in the connection URL.
* `disable_escaping` - (Optional) Disable special character escaping in username and password.
* `username_template` - (Optional) For Vault v1.7+. The template to use for username generation. See Vault docs.
Redis configuration options:

* `host` - (Required) The host to connect to.
* `username` - (Required) The username to authenticate with.
* `password` - (Required) The password to authenticate with.
* `port` - (Optional) The default port to connect to if no port is specified as part of the host.
* `tls` - (Optional) Whether to use TLS when connecting to Redis.
* `insecure_tls` - (Optional) Whether to skip verification of the server certificate when using TLS.
* `ca_cert` - (Optional) The contents of a PEM-encoded CA cert file to use to verify the Redis server's identity.
Redis ElastiCache configuration options:

* `url` - (Required) The configuration endpoint for the ElastiCache cluster to connect to.
* `username` - (Optional) The AWS access key ID to use to talk to ElastiCache. If omitted, the credentials chain provider is used instead.
* `password` - (Optional) The AWS secret access key to use to talk to ElastiCache. If omitted, the credentials chain provider is used instead.
* `region` - (Optional) The AWS region where the ElastiCache cluster is hosted. If omitted, the plugin tries to infer the region from the environment.
Redshift configuration options:

* `connection_url` - (Required) Specifies the Redshift DSN. See Vault docs.
* `max_open_connections` - (Optional) The maximum number of open connections to the database.
* `max_idle_connections` - (Optional) The maximum number of idle connections to the database.
* `max_connection_lifetime` - (Optional) The maximum amount of time a connection may be reused.
* `username` - (Optional) The root credential username used in the connection URL.
* `password` - (Optional) The root credential password used in the connection URL.
* `disable_escaping` - (Optional) Disable special character escaping in username and password.
* `username_template` - (Optional) Template describing how dynamic usernames are generated.
Snowflake configuration options:

* `connection_url` - (Required) A URL containing connection information. See Vault docs.
* `max_open_connections` - (Optional) The maximum number of open connections to use.
* `max_idle_connections` - (Optional) The maximum number of idle connections to maintain.
* `max_connection_lifetime` - (Optional) The maximum number of seconds to keep a connection alive for.
* `username` - (Optional) The username to be used in the connection (the account admin level).
* `password` - (Optional) The password to be used in the connection.
* `username_template` - (Optional) Template describing how dynamic usernames are generated.
In addition to the arguments above, the following attribute is exported:

* `engine_count` - The total number of database secrets engines configured.

Database secret backend connections can be imported using the `path`, e.g.

```shell
$ terraform import vault_database_secrets_mount.db db
```