
Enabling seamless downstream integration by adding a datasource that handles sdm connect #28

Closed
jamiepedwards opened this issue Mar 3, 2022 · 1 comment

Comments

@jamiepedwards

One of the advantages of using terraform is the ability to seamlessly integrate between different types of resources, allowing them to dynamically pass values from one to another. In our environment, we often will create modules which may create a database server, then connect to it via a tunnel and provision database credentials and grants within that server.

One thing we noticed the provider was lacking which would be very useful is a datasource that would allow us to connect to a database (e.g. by issuing sdm connect) and then outputting the port number, which we could then use to configure downstream providers to tunnel via strongDM and avoid having to store credentials or use a separate SSH tunnel for those operations.

In the meantime, I've implemented a basic external datasource that allows us to do this (source code included below in case you're interested):

The datasource definition:

```hcl
data "external" "sdm_client" {
  program = [
    "sh",
    "${path.module}/scripts/client.sh"
  ]
  query = {
    datasource = "<name of strongDM datasource to connect to>"
  }
}
```

Here's the source for the shell script that it's calling:

```sh
#!/bin/sh
# Terraform passes the data source "query" map as a JSON object on stdin.
QUERY="$(cat)"
DATASOURCE="$(printf '%s' "$QUERY" | sed -e 's/^.*"datasource": *"//' -e 's/".*$//')"

# Open the strongDM tunnel; the first verbose line reports the local port.
OUTPUT="$(sdm connect "$DATASOURCE" -v | head -n 1)"

# Output an error (on stderr, with a non-zero exit) if it is not successful.
case "$OUTPUT" in
  *connected*)
    # Grab the port number to use.
    PORTNUMBER="$(printf '%s' "$OUTPUT" | sed 's/^.*on port //')"
    printf '{"portnumber": "%s"}\n' "$PORTNUMBER"
    ;;
  *)
    echo "sdm connect $DATASOURCE failed: $OUTPUT" >&2
    exit 1
    ;;
esac
```

We can then configure the downstream mysql provider to use the datasource to perform provisioning operations like this:

```hcl
provider "mysql" {
  alias    = "sdm"
  endpoint = "127.0.0.1:${data.external.sdm_client.result.portnumber}"
  username = var.root_db_user
}

resource "mysql_user" "user" {
  provider           = mysql.sdm
  depends_on         = [data.external.sdm_client]
  user               = "my_app_user"
  host               = "%"
  plaintext_password = "somepassword"
  tls_option         = "SSL"
}
```

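
A more robust version of the external-program half of this pattern, as an added example that is not the issue author's or strongDM's code: it parses the query with a JSON parser instead of sed, passes the datasource name to sdm as an argv element rather than through a shell, range-checks the port, and reports failures on stderr the way Terraform's external data source expects. It assumes the same "connected ... on port N" first line from `sdm connect -v` that the script above relies on.

```python
#!/usr/bin/env python3
"""Terraform 'external' data source wrapper around `sdm connect`.
Terraform writes the `query` map as JSON on stdin and expects a JSON object of
string values on stdout; error text goes to stderr with a non-zero exit.
Added example (hypothetical), not strongDM's or the issue author's code."""
import json
import re
import subprocess
import sys

# Assumption carried over from the issue's script: the first line of
# `sdm connect <name> -v` reads "... connected to <name> on port <N>".
_PORT_RE = re.compile(r"\bconnected\b.*\bon port (\d+)\b")

def parse_query(raw: str) -> str:
    """Extract the datasource name from the query JSON; reject bad input."""
    query = json.loads(raw)
    name = query.get("datasource") if isinstance(query, dict) else None
    if not isinstance(name, str) or not name.strip():
        raise ValueError("query must contain a non-empty 'datasource' string")
    return name.strip()

def parse_port(first_line: str) -> int:
    """Pull the listener port out of the connect output and range-check it."""
    match = _PORT_RE.search(first_line)
    if match is None:
        raise ValueError(f"sdm connect did not report a port: {first_line!r}")
    port = int(match.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def connect(name: str) -> dict:
    """Run sdm connect as an argv list (no shell), so the name is never re-parsed."""
    proc = subprocess.run(["sdm", "connect", name, "-v"],
                          capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"sdm connect exited {proc.returncode}: {proc.stderr.strip()}")
    first_line = (proc.stdout.splitlines() or [""])[0]
    # Result values must be strings for Terraform's external data source.
    return {"portnumber": str(parse_port(first_line))}

if __name__ == "__main__":
    try:
        print(json.dumps(connect(parse_query(sys.stdin.read()))))
    except Exception as exc:  # Terraform shows stderr as the error message
        print(f"sdm_client: {exc}", file=sys.stderr)
        sys.exit(1)
```

Point the `program` list of the `external` data source at this file instead of `client.sh`; the `query` and `result.portnumber` wiring stays the same.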
@200sc
Contributor

200sc commented Jan 26, 2023

Unfortunately, the API key pairs that control public API access (and therefore terraform as well) are not currently allowed to possess permissions to connect to or execute commands against resources in StrongDM.

This can be considered as a feature request, but it will be complicated, as it would be unusual for a terraform provider or SDK to assume the existence of and interface with a locally hosted StrongDM listener or client running on the machine executing the terraform job. Additionally, the ability to execute queries against a resource is a permission that opens up billing questions.

If this feature request is still of interest, please reference this issue in a message to support@strongdm.com.

@200sc 200sc closed this as completed Jan 26, 2023