Add contain_db field to mssql db secret backend

In addition the following updates were made - run mssql database secret backend connection tests against a local mssql docker container - factor out db backend types to constants - update canonical list of db backend types to include all supported types - add ability to skip db tests globally or based on the db engine type Dependency updates: - terraform-plugin-sdk/v2 to v2.10.0 - vault/api v1.3.0 - vault/sdk v0.3.1-0.20211214161113-fcc5f22bea02 - vault v1.2.1-0.20211214161113-fcc5f22bea02
hashicorp · Dec 14, 2021 · 22838bc · 22838bc
1 parent 9e1deea
commit 22838bc
Show file tree

Hide file tree

Showing 7 changed files with 1,327 additions and 216 deletions.
diff --git a/go.mod b/go.mod
@@ -6,21 +6,20 @@ require (
 	github.com/Azure/azure-sdk-for-go v58.3.0+incompatible
 	github.com/Azure/go-autorest/autorest v0.11.21
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.8
-	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
-	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/aws/aws-sdk-go v1.41.8
+	github.com/denisenkom/go-mssqldb v0.11.0
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/gosimple/slug v1.11.0
 	github.com/hashicorp/errwrap v1.1.0
 	github.com/hashicorp/go-cleanhttp v0.5.2
 	github.com/hashicorp/go-hclog v1.0.0
 	github.com/hashicorp/go-multierror v1.1.1
-	github.com/hashicorp/go-retryablehttp v0.6.8 // indirect
-	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1
-	github.com/hashicorp/terraform-plugin-sdk/v2 v2.8.0
-	github.com/hashicorp/vault v1.2.0
-	github.com/hashicorp/vault/api v1.2.0
-	github.com/hashicorp/vault/sdk v0.2.1
+	github.com/hashicorp/go-secure-stdlib/awsutil v0.1.5
+	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.2
+	github.com/hashicorp/terraform-plugin-sdk/v2 v2.10.0
+	github.com/hashicorp/vault v1.2.1-0.20211214161113-fcc5f22bea02
+	github.com/hashicorp/vault/api v1.3.0
+	github.com/hashicorp/vault/sdk v0.3.1-0.20211214161113-fcc5f22bea02
 	github.com/mitchellh/go-homedir v1.1.0
 	golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1
 )
diff --git a/go.sum b/go.sum
diff --git a/p.patch b/p.patch
@@ -0,0 +1,34 @@
+diff --git a/vault/resource_database_secret_backend_connection.go b/vault/resource_database_secret_backend_connection.go
+index c37b94b3..4a5ec81a 100644
+--- a/vault/resource_database_secret_backend_connection.go
++++ b/vault/resource_database_secret_backend_connection.go
+@@ -36,18 +36,6 @@ const (
+ 	dbBackendSnowflake     = "snowflake"
+ )
+
+-type dbEngineInfo struct {
+-	name string
+-}
+-
+-func (d *dbEngineInfo) prefix() string {
+-	return d.name + ".0"
+-}
+-
+-func (d *dbEngineInfo) plugin() string {
+-	return fmt.Sprintf("%s-database-plugin", strings.Replace(d.name, "_", "-", -1))
+-}
+-
+ var (
+ 	databaseSecretBackendConnectionBackendFromPathRegex = regexp.MustCompile("^(.+)/config/.+$")
+ 	databaseSecretBackendConnectionNameFromPathRegex    = regexp.MustCompile("^.+/config/(.+$)")
+@@ -67,10 +55,6 @@ var (
+ 		dbBackendOracle,
+ 		dbBackendSnowflake,
+ 	}
+-
+-	dbEnginePostgresql = dbEngineInfo{
+-		name: "postgresql",
+-	}
+ )
+
+ func databaseSecretBackendConnectionResource() *schema.Resource {
diff --git a/vault/provider.go b/vault/provider.go
@@ -8,10 +8,12 @@ import (
 	"os"
 	"strings"
 
+	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-multierror"
+	"github.com/hashicorp/go-secure-stdlib/awsutil"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/logging"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/vault/api"
-	awsauth "github.com/hashicorp/vault/builtin/credential/aws"
 	"github.com/hashicorp/vault/command/config"
 
 	"github.com/hashicorp/terraform-provider-vault/helper"
@@ -804,7 +806,13 @@ func providerConfigure(d *schema.ResourceData) (interface{}, error) {
 
 		method := authLogin["method"].(string)
 		if method == "aws" {
-			if err := signAWSLogin(authLoginParameters); err != nil {
+			logger := hclog.Default()
+			if logging.IsDebugOrHigher() {
+				logger.SetLevel(hclog.Debug)
+			} else {
+				logger.SetLevel(hclog.Error)
+			}
+			if err := signAWSLogin(authLoginParameters, logger); err != nil {
 				return nil, fmt.Errorf("error signing AWS login request: %s", err)
 			}
 		}
@@ -904,7 +912,7 @@ func parse(descs map[string]*Description) (map[string]*schema.Resource, error) {
 	return resourceMap, errs
 }
 
-func signAWSLogin(parameters map[string]interface{}) error {
+func signAWSLogin(parameters map[string]interface{}, logger hclog.Logger) error {
 	var accessKey, secretKey, securityToken string
 	if val, ok := parameters["aws_access_key_id"].(string); ok {
 		accessKey = val
@@ -918,7 +926,7 @@ func signAWSLogin(parameters map[string]interface{}) error {
 		securityToken = val
 	}
 
-	creds, err := awsauth.RetrieveCreds(accessKey, secretKey, securityToken)
+	creds, err := awsutil.RetrieveCreds(accessKey, secretKey, securityToken, logger)
 	if err != nil {
 		return fmt.Errorf("failed to retrieve AWS credentials: %s", err)
 	}
@@ -932,7 +940,7 @@ func signAWSLogin(parameters map[string]interface{}) error {
 		stsRegion = val
 	}
 
-	loginData, err := awsauth.GenerateLoginData(creds, headerValue, stsRegion)
+	loginData, err := awsutil.GenerateLoginData(creds, headerValue, stsRegion, logger)
 	if err != nil {
 		return fmt.Errorf("failed to generate AWS login data: %s", err)
 	}

diff --git a/vault/resource_database_secret_backend_connection.go b/vault/resource_database_secret_backend_connection.go
@@ -10,18 +10,51 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
-	"github.com/hashicorp/terraform-provider-vault/util"
 	"github.com/hashicorp/vault/api"
+
+	"github.com/hashicorp/terraform-provider-vault/util"
 )
 
 type connectionStringConfig struct {
 	excludeUsernameTemplate bool
 }
 
+const (
+	dbBackendCassandra     = "cassandra"
+	dbBackendElasticSearch = "elasticsearch"
+	dbBackendHana          = "hana"
+	dbBackendInfluxDB      = "influxdb"
+	dbBackendMSSQL         = "mssql"
+	dbBackendMongoDB       = "mongodb"
+	dbBackendMongoDBAtlas  = "mongodbatlas"
+	dbBackendMySQL         = "mysql"
+	dbBackendMySQLAurora   = "mysql_aurora"
+	dbBackendMySQLLegacy   = "mysql_legacy"
+	dbBackendMySQLRDS      = "mysql_rds"
+	dbBackendPostgres      = "postgresql"
+	dbBackendOracle        = "oracle"
+	dbBackendSnowflake     = "snowflake"
+)
+
 var (
 	databaseSecretBackendConnectionBackendFromPathRegex = regexp.MustCompile("^(.+)/config/.+$")
 	databaseSecretBackendConnectionNameFromPathRegex    = regexp.MustCompile("^.+/config/(.+$)")
-	dbBackendTypes                                      = []string{"cassandra", "influxdb", "hana", "mongodb", "mssql", "mysql", "mysql_rds", "mysql_aurora", "mysql_legacy", "postgresql", "oracle", "elasticsearch", "snowflake"}
+	dbBackendTypes                                      = []string{
+		dbBackendCassandra,
+		dbBackendElasticSearch,
+		dbBackendHana,
+		dbBackendInfluxDB,
+		dbBackendMSSQL,
+		dbBackendMongoDB,
+		dbBackendMongoDBAtlas,
+		dbBackendMySQL,
+		dbBackendMySQLAurora,
+		dbBackendMySQLLegacy,
+		dbBackendMySQLRDS,
+		dbBackendPostgres,
+		dbBackendOracle,
+		dbBackendSnowflake,
+	}
 )
 
 func databaseSecretBackendConnectionResource() *schema.Resource {
@@ -96,7 +129,7 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 					},
 				},
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("elasticsearch", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendElasticSearch, dbBackendTypes),
 			},
 
 			"cassandra": {
@@ -171,7 +204,7 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 					},
 				},
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("cassandra", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendCassandra, dbBackendTypes),
 			},
 
 			"influxdb": {
@@ -242,7 +275,7 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 					},
 				},
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("influxdb", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendInfluxDB, dbBackendTypes),
 			},
 
 			"mongodb": {
@@ -251,7 +284,7 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 				Description:   "Connection parameters for the mongodb-database-plugin plugin.",
 				Elem:          connectionStringResource(&connectionStringConfig{}),
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("mongodb", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendMongoDB, dbBackendTypes),
 			},
 
 			"mongodbatlas": {
@@ -279,7 +312,7 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 					},
 				},
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("mongodbatlas", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendMongoDBAtlas, dbBackendTypes),
 			},
 
 			"hana": {
@@ -290,16 +323,16 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 					excludeUsernameTemplate: true,
 				}),
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("hana", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendHana, dbBackendTypes),
 			},
 
 			"mssql": {
 				Type:          schema.TypeList,
 				Optional:      true,
 				Description:   "Connection parameters for the mssql-database-plugin plugin.",
-				Elem:          connectionStringResource(&connectionStringConfig{}),
+				Elem:          mssqlConnectionStringResource(),
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("mssql", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendMSSQL, dbBackendTypes),
 			},
 
 			"mysql": {
@@ -308,31 +341,31 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 				Description:   "Connection parameters for the mysql-database-plugin plugin.",
 				Elem:          mysqlConnectionStringResource(),
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("mysql", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendMySQL, dbBackendTypes),
 			},
 			"mysql_rds": {
 				Type:          schema.TypeList,
 				Optional:      true,
 				Description:   "Connection parameters for the mysql-rds-database-plugin plugin.",
 				Elem:          connectionStringResource(&connectionStringConfig{}),
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("mysql_rds", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendMySQLRDS, dbBackendTypes),
 			},
 			"mysql_aurora": {
 				Type:          schema.TypeList,
 				Optional:      true,
 				Description:   "Connection parameters for the mysql-aurora-database-plugin plugin.",
 				Elem:          connectionStringResource(&connectionStringConfig{}),
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("mysql_aurora", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendMySQLAurora, dbBackendTypes),
 			},
 			"mysql_legacy": {
 				Type:          schema.TypeList,
 				Optional:      true,
 				Description:   "Connection parameters for the mysql-legacy-database-plugin plugin.",
 				Elem:          connectionStringResource(&connectionStringConfig{}),
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("mysql_legacy", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendMySQLLegacy, dbBackendTypes),
 			},
 
 			"postgresql": {
@@ -341,7 +374,7 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 				Description:   "Connection parameters for the postgresql-database-plugin plugin.",
 				Elem:          connectionStringResource(&connectionStringConfig{}),
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("postgresql", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendPostgres, dbBackendTypes),
 			},
 
 			"oracle": {
@@ -350,7 +383,7 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 				Description:   "Connection parameters for the oracle-database-plugin plugin.",
 				Elem:          connectionStringResource(&connectionStringConfig{}),
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("oracle", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendOracle, dbBackendTypes),
 			},
 
 			"snowflake": {
@@ -359,7 +392,7 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 				Description:   "Connection parameters for the snowflake-database-plugin plugin.",
 				Elem:          snowflakeConnectionStringResource(),
 				MaxItems:      1,
-				ConflictsWith: util.CalculateConflictsWith("snowflake", dbBackendTypes),
+				ConflictsWith: util.CalculateConflictsWith(dbBackendSnowflake, dbBackendTypes),
 			},
 
 			"backend": {
@@ -430,6 +463,16 @@ func mysqlConnectionStringResource() *schema.Resource {
 	return r
 }
 
+func mssqlConnectionStringResource() *schema.Resource {
+	r := connectionStringResource(&connectionStringConfig{})
+	r.Schema["contain_db"] = &schema.Schema{
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Description: "Set to true when the target is a Contained Database, e.g. AzureSQL.",
+	}
+	return r
+}
+
 func snowflakeConnectionStringResource() *schema.Resource {
 	r := connectionStringResource(&connectionStringConfig{})
 	r.Schema["username"] = &schema.Schema{
@@ -448,33 +491,33 @@ func snowflakeConnectionStringResource() *schema.Resource {
 
 func getDatabasePluginName(d *schema.ResourceData) (string, error) {
 	switch {
-	case len(d.Get("cassandra").([]interface{})) > 0:
+	case len(d.Get(dbBackendCassandra).([]interface{})) > 0:
 		return "cassandra-database-plugin", nil
-	case len(d.Get("influxdb").([]interface{})) > 0:
+	case len(d.Get(dbBackendInfluxDB).([]interface{})) > 0:
 		return "influxdb-database-plugin", nil
-	case len(d.Get("hana").([]interface{})) > 0:
+	case len(d.Get(dbBackendHana).([]interface{})) > 0:
 		return "hana-database-plugin", nil
-	case len(d.Get("mongodbatlas").([]interface{})) > 0:
+	case len(d.Get(dbBackendMongoDBAtlas).([]interface{})) > 0:
 		return "mongodbatlas-database-plugin", nil
-	case len(d.Get("mongodb").([]interface{})) > 0:
+	case len(d.Get(dbBackendMongoDB).([]interface{})) > 0:
 		return "mongodb-database-plugin", nil
-	case len(d.Get("mssql").([]interface{})) > 0:
+	case len(d.Get(dbBackendMSSQL).([]interface{})) > 0:
 		return "mssql-database-plugin", nil
-	case len(d.Get("mysql").([]interface{})) > 0:
+	case len(d.Get(dbBackendMySQL).([]interface{})) > 0:
 		return "mysql-database-plugin", nil
-	case len(d.Get("mysql_rds").([]interface{})) > 0:
+	case len(d.Get(dbBackendMySQLRDS).([]interface{})) > 0:
 		return "mysql-rds-database-plugin", nil
-	case len(d.Get("mysql_aurora").([]interface{})) > 0:
+	case len(d.Get(dbBackendMySQLAurora).([]interface{})) > 0:
 		return "mysql-aurora-database-plugin", nil
-	case len(d.Get("mysql_legacy").([]interface{})) > 0:
+	case len(d.Get(dbBackendMySQLLegacy).([]interface{})) > 0:
 		return "mysql-legacy-database-plugin", nil
-	case len(d.Get("oracle").([]interface{})) > 0:
+	case len(d.Get(dbBackendOracle).([]interface{})) > 0:
 		return "oracle-database-plugin", nil
-	case len(d.Get("postgresql").([]interface{})) > 0:
+	case len(d.Get(dbBackendPostgres).([]interface{})) > 0:
 		return "postgresql-database-plugin", nil
-	case len(d.Get("elasticsearch").([]interface{})) > 0:
+	case len(d.Get(dbBackendElasticSearch).([]interface{})) > 0:
 		return "elasticsearch-database-plugin", nil
-	case len(d.Get("snowflake").([]interface{})) > 0:
+	case len(d.Get(dbBackendSnowflake).([]interface{})) > 0:
 		return "snowflake-database-plugin", nil
 	default:
 		return "", fmt.Errorf("at least one database plugin must be configured")