
Add new database_secrets_mount resource #1400

Merged
merged 6 commits into from Apr 5, 2022

Conversation

@benashz (Contributor) commented Apr 4, 2022

This PR introduces a new resource for provisioning multiple database secret engines under a dedicated database mount. It is the combination of vault_mount and vault_database_secret_backend_connection.

Caveats:

The vault_database_secrets_mount resource will be replaced when:

  • on update, a database engine block is removed
  • on update, the name is changed for any configured engine

Example usage:

```hcl
resource "vault_database_secrets_mount" "db" {
  path = "db"

  mssql {
    name           = "db1"
    username       = "sa"
    password       = "super_secret_1"
    connection_url = "sqlserver://{{username}}:{{password}}@127.0.0.1:1433"
    allowed_roles = [
      "dev1",
    ]
  }

  postgresql {
    name              = "db2"
    username          = "postgres"
    password          = "super_secret_2"
    connection_url    = "postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres"
    verify_connection = true
    allowed_roles = [
      "dev2",
    ]
  }
}

resource "vault_database_secret_backend_role" "dev1" {
  name    = "dev1"
  backend = vault_database_secrets_mount.db.path
  db_name = vault_database_secrets_mount.db.mssql[0].name
  creation_statements = [
    "CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}';",
    "CREATE USER [{{name}}] FOR LOGIN [{{name}}];",
    "GRANT SELECT ON SCHEMA::dbo TO [{{name}}];",
  ]
}

resource "vault_database_secret_backend_role" "dev2" {
  name    = "dev2"
  backend = vault_database_secrets_mount.db.path
  db_name = vault_database_secrets_mount.db.postgresql[0].name
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
}
```

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

Release note for CHANGELOG:


Output from acceptance testing:

```text
$ make testacc TESTARGS='-v -test.run TestAccDatabaseSecretsMount_mssql*'

==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test -v -v -test.run TestAccDatabaseSecretsMount_mssql* -timeout 30m ./...

=== RUN   TestAccDatabaseSecretsMount_mssql
--- PASS: TestAccDatabaseSecretsMount_mssql (10.47s)
=== RUN   TestAccDatabaseSecretsMount_mssql_multi
--- PASS: TestAccDatabaseSecretsMount_mssql_multi (17.30s)
PASS
ok      github.com/hashicorp/terraform-provider-vault/vault     34.174s
```

@vinay-gopalan (Contributor) left a comment:

Looking great! A few minor suggestions/queries

Review threads opened on:

  • vault/resource_database_secrets_mount.go
  • vault/resource_mount.go
  • website/docs/r/database_secrets_mount.md
@@ -148,6 +148,10 @@ func (i *dbEngine) Name() string {
return i.name
Contributor:

These aren't part of your changes, but I'm wondering if we need both dbEngine.Name() and dbEngine.String(). Looks like they are duplicate functions

Contributor Author:

Yeah, String() should probably return Name(). String() implements the Stringer interface
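To make the replacement caveat from the PR description and the Name()/String() point in this thread concrete, here is an added Go example that is not the provider's own code: the dbEngine fields, the Plan type and diffEngines are assumptions for illustration, and the engine lists in main are constructed.

```go
package main

import "fmt"

// dbEngine is an illustrative stand-in for one engine block of
// vault_database_secrets_mount (assumed shape, not the provider's own type).
type dbEngine struct {
	engineType string // HCL block type, e.g. "mssql" or "postgresql"
	name       string // the block's name attribute, e.g. "db1"
	connURL    string // the block's connection_url attribute
}

func (e dbEngine) Name() string { return e.name }

// String implements fmt.Stringer by delegating to Name(), as suggested in
// the review thread, so the two accessors cannot drift apart.
func (e dbEngine) String() string { return e.Name() }

type Plan struct {
	Replace bool     // the whole mount resource is replaced
	Reasons []string // engines that were removed or renamed
	InPlace []string // engines updated without replacement
}

// diffEngines applies the PR's caveat: a name present in the prior state but
// absent from the desired config (removed, or renamed; a diff cannot tell them
// apart) forces replacement. Other changes are in-place updates.
func diffEngines(prior, desired []dbEngine) Plan {
	byName := make(map[string]dbEngine, len(desired))
	for _, e := range desired {
		byName[e.Name()] = e
	}
	var p Plan
	for _, o := range prior {
		d, ok := byName[o.Name()]
		switch {
		case !ok:
			p.Replace = true
			p.Reasons = append(p.Reasons, fmt.Sprintf("%s (%s)", o, o.engineType))
		case d.connURL != o.connURL:
			p.InPlace = append(p.InPlace, o.String())
		}
	}
	return p
}

func main() { // constructed update: db2 renamed to db3, db1 changes connection_url
	prior := []dbEngine{{"mssql", "db1", "sqlserver://127.0.0.1:1433"}, {"postgresql", "db2", "postgresql://127.0.0.1:5432"}}
	desired := []dbEngine{{"mssql", "db1", "sqlserver://10.0.0.5:1433"}, {"postgresql", "db3", "postgresql://127.0.0.1:5432"}}
	fmt.Printf("%+v\n", diffEngines(prior, desired))
}
```

Renaming an engine looks identical to removing it, which is why a role's db_name reference such as vault_database_secrets_mount.db.postgresql[0].name should be treated as part of the mount's identity when planning changes.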

@benashz benashz added this to the 3.5.0 milestone Apr 5, 2022
@vinay-gopalan (Contributor) left a comment:

Looks good!

@benashz benashz merged commit ffb53ed into main Apr 5, 2022
@benashz benashz deleted the VAULT-5299/add-r-db-secrets-mount branch April 5, 2022 19:56
marcboudreau pushed a commit to marcboudreau/terraform-provider-vault that referenced this pull request Nov 6, 2022
Introduces new resource for provisioning multiple database secret engines
under a dedicated database mount. It is the combination of `vault_mount`
and `vault_database_secret_backend_connection` resources.