vault_database_secrets_mount

Configure any number of database secrets engines under a single dedicated mount resource.

Caveats:

This resource will be replaced for any of the following conditions:

Example Usage

resource "vault_database_secrets_mount" "db" {
  path = "db"

  mssql {
    name           = "db1"
    username       = "sa"
    password       = "super_secret_1"
    connection_url = "sqlserver://{{username}}:{{password}}@127.0.0.1:1433"
    allowed_roles = [
      "dev1",
    ]
  }

  postgresql {
    name              = "db2"
    username          = "postgres"
    password          = "super_secret_2"
    connection_url    = "postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres"
    verify_connection = true
    allowed_roles = [
      "dev2",
    ]
  }
}

resource "vault_database_secret_backend_role" "dev1" {
  name    = "dev1"
  backend = vault_database_secrets_mount.db.path
  db_name = vault_database_secrets_mount.db.mssql[0].name
  creation_statements = [
    "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
    "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
    "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];",
  ]
}

resource "vault_database_secret_backend_role" "dev2" {
  name    = "dev2"
  backend = vault_database_secrets_mount.db.path
  db_name = vault_database_secrets_mount.db.postgresql[0].name
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
}
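A variant of the PostgreSQL part of the example above, added here and not part of the provider's own documentation: the root credentials come from sensitive input variables instead of literals in the configuration, and the role's leases are bounded. The variable names and the TTL values are assumptions chosen for illustration.

```hcl
# Added example. Variable names are hypothetical; supply the values
# out of band (e.g. TF_VAR_postgres_root_password) rather than in a
# file that is committed to version control.
variable "postgres_root_username" {
  type      = string
  sensitive = true
}

variable "postgres_root_password" {
  type      = string
  sensitive = true
}

resource "vault_database_secrets_mount" "db" {
  path = "db"

  postgresql {
    name              = "db2"
    username          = var.postgres_root_username
    password          = var.postgres_root_password
    connection_url    = "postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres"
    verify_connection = true

    # Only roles listed here may request credentials from this connection.
    allowed_roles = [
      "dev2",
    ]
  }
}

resource "vault_database_secret_backend_role" "dev2" {
  name    = "dev2"
  backend = vault_database_secrets_mount.db.path
  db_name = vault_database_secrets_mount.db.postgresql[0].name

  # Lease bounds in seconds (assumed values): 1 hour default, 4 hours maximum.
  default_ttl = 3600
  max_ttl     = 14400

  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
}
```

Marking a variable `sensitive` only redacts it from plan and apply output; the value is still written to the Terraform state, so the state backend needs encryption at rest and restricted access.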

Argument Reference

The following arguments are supported for the Vault mount:

The following arguments are common to all database engines:

Supported list of database secrets engines that can be configured:

Cassandra Configuration Options

Couchbase Configuration Options

Elasticsearch Configuration Options

InfluxDB Configuration Options

MongoDB Configuration Options

MongoDB Atlas Configuration Options

SAP HanaDB Configuration Options

MSSQL Configuration Options

MySQL Configuration Options

Oracle Configuration Options

PostgreSQL Configuration Options

Redis Configuration Options

Redis ElastiCache Configuration Options

AWS Redshift Configuration Options

Snowflake Configuration Options

Attributes Reference

Import

Database secret backend connections can be imported using the path, e.g.:

$ terraform import vault_database_secrets_mount.db db