hashicorp · benashz · Apr 20, 2022 · Jan 14, 2022 · Jan 14, 2022 · Feb 12, 2022
diff --git a/vault/resource_database_secret_backend_connection.go b/vault/resource_database_secret_backend_connection.go
@@ -196,6 +196,42 @@ func getDatabaseSchema(typ schema.ValueType) schemaMap {
 						Description: "The password to be used in the connection URL",
 						Sensitive:   true,
 					},
+					"ca_cert": {
+						Type:        schema.TypeString,
+						Optional:    true,
+						Description: "The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity",
+					},
+					"ca_path": {
+						Type:        schema.TypeString,
+						Optional:    true,
+						Description: "The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity",
+					},
+					"client_cert": {
+						Type:        schema.TypeString,
+						Optional:    true,
+						Description: "The path to the certificate for the Elasticsearch client to present for communication",
+					},
+					"client_key": {
+						Type:        schema.TypeString,
+						Optional:    true,
+						Description: "The path to the key for the Elasticsearch client to use for communication",
+					},
+					"tls_server_name": {
+						Type:        schema.TypeString,
+						Optional:    true,
+						Description: "This, if set, is used to set the SNI host when connecting via TLS",
+					},
+					"insecure": {
+						Type:        schema.TypeBool,
+						Optional:    true,
+						Default:     false,
+						Description: "Whether to disable certificate verification",
+					},
+					"username_template": {
+						Type:        schema.TypeString,
+						Optional:    true,
+						Description: "Template describing how dynamic usernames are generated.",
+					},
 				},
 			},
 			MaxItems:      1,
@@ -930,6 +966,27 @@ func getElasticsearchConnectionDetailsFromResponse(d *schema.ResourceData, prefi
 		// keep the password we have in state/config if the API doesn't return one
 		result["password"] = v.(string)
 	}
+	if v, ok := data["ca_cert"]; ok {
+		result["ca_cert"] = v.(string)
+	}
+	if v, ok := data["ca_path"]; ok {
+		result["ca_path"] = v.(string)
+	}
+	if v, ok := data["client_cert"]; ok {
+		result["client_cert"] = v.(string)
+	}
+	if v, ok := data["client_key"]; ok {
+		result["client_key"] = v.(string)
+	}
+	if v, ok := data["tls_server_name"]; ok {
+		result["tls_server_name"] = v.(string)
+	}
+	if v, ok := data["insecure"]; ok {
+		result["insecure"] = v.(bool)
+	}
+	if v, ok := data["username_template"]; ok {
+		result["username_template"] = v.(string)
+	}
 
 	return result
 }
@@ -1129,6 +1186,34 @@ func setElasticsearchDatabaseConnectionData(d *schema.ResourceData, prefix strin
 	if v, ok := d.GetOk(prefix + "password"); ok {
 		data["password"] = v.(string)
 	}
+
+	if v, ok := d.GetOk(prefix + "ca_cert"); ok {
+		data["ca_cert"] = v.(string)
+	}
+
+	if v, ok := d.GetOk(prefix + "ca_path"); ok {
+		data["ca_path"] = v.(string)
+	}
+
+	if v, ok := d.GetOk(prefix + "client_cert"); ok {
+		data["client_cert"] = v.(string)
+	}
+
+	if v, ok := d.GetOk(prefix + "client_key"); ok {
+		data["client_key"] = v.(string)
+	}
+
+	if v, ok := d.GetOk(prefix + "tls_server_name"); ok {
+		data["tls_server_name"] = v.(string)
+	}
+
+	if v, ok := d.GetOk(prefix + "insecure"); ok {
+		data["insecure"] = v.(bool)
+	}
+
+	if v, ok := d.GetOk(prefix + "username_template"); ok {
+		data["username_template"] = v.(string)
+	}
 }
 
 func setCouchbaseDatabaseConnectionData(d *schema.ResourceData, prefix string, data map[string]interface{}) {

diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go
@@ -720,7 +720,33 @@ func TestAccDatabaseSecretBackendConnection_elasticsearch(t *testing.T) {
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.0", "dev"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.1", "prod"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "verify_connection", "true"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.#", "1"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.0.url", connURL),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.0.username", username),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.0.password", password),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.0.insecure", "false"),
+				),
+			},
+			{
+				ResourceName:            testDefaultDatabaseSecretBackendResource,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"verify_connection", "elasticsearch.0.password"},
+			},
+			{
+				Config: testAccDatabaseSecretBackendConnectionConfig_elasticsearchUpdated(name, backend, connURL, username, password),
+				Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName,
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.#", "2"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.0", "dev"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.1", "prod"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "verify_connection", "true"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.#", "1"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.0.url", connURL),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.0.username", username),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.0.password", password),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.0.insecure", "true"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.0.username_template", "test"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "elasticsearch.0.tls_server_name", "test"),
 				),
 			},
 		},
@@ -998,6 +1024,31 @@ resource "vault_database_secret_backend_connection" "test" {
 `, path, name, host, username, password)
 }
 
+func testAccDatabaseSecretBackendConnectionConfig_elasticsearchUpdated(name, path, host, username, password string) string {
+	return fmt.Sprintf(`
+resource "vault_mount" "db" {
+  path = "%s"
+  type = "database"
+}
+
+resource "vault_database_secret_backend_connection" "test" {
+  backend = vault_mount.db.path
+  name = "%s"
+  allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
+
+  elasticsearch {
+    url = "%s"
+    username = "%s"
+    password = "%s"
+	insecure = true
+	username_template = "test"
+	tls_server_name = "test"
+  }
+}
+`, path, name, host, username, password)
+}
+
 func testAccDatabaseSecretBackendConnectionConfig_mongodbatlas(name, path, public_key, private_key, project_id string) string {
 	return fmt.Sprintf(`
 resource "vault_mount" "db" {

diff --git a/website/docs/r/database_secret_backend_connection.md b/website/docs/r/database_secret_backend_connection.md
@@ -323,6 +323,20 @@ See the [Vault
 
 * `password` - (Required) The password to be used in the connection.
 
+* `ca_cert` - (Optional) The path to a PEM-encoded CA cert file to use to verify the Elasticsearch server's identity.
+
+* `ca_path` - (Optional) The path to a directory of PEM-encoded CA cert files to use to verify the Elasticsearch server's identity.
+
+* `client_cert` - (Optional) The path to the certificate for the Elasticsearch client to present for communication.
+
+* `client_key` - (Optional) The path to the key for the Elasticsearch client to use for communication.
+
+* `tls_server_name` - (Optional) This, if set, is used to set the SNI host when connecting via TLS.
+
+* `insecure` - (Optional) Whether to disable certificate verification.
+
+* `username_template` - (Optional) For Vault v1.7+. The template to use for username generation. See [Vault docs](https://www.vaultproject.io/docs/concepts/username-templating) for more details.
+
 ### Snowflake Configuration Options
 
 * `connection_url` - (Required) A URL containing connection information. See