vault_database_secret_backend_role

Creates a Database Secret Backend role in Vault. Database secret backend roles can be used to generate dynamic credentials for the database.

Example Usage

resource "vault_mount" "db" {
  path = "postgres"
  type = "database"
}

resource "vault_database_secret_backend_connection" "postgres" {
  backend       = "${vault_mount.db.path}"
  name          = "postgres"
  allowed_roles = ["dev", "prod"]

  postgresql {
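    # Placeholder values. The connection URL, including its password, is stored in Terraform state.
    connection_url = "postgres://username:password@host:port/database"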
  }
}

resource "vault_database_secret_backend_role" "role" {
  backend             = "${vault_mount.db.path}"
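  # The role name must appear in the connection's allowed_roles, or Vault will refuse to issue credentials for it.
  name                = "dev"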
  db_name             = "${vault_database_secret_backend_connection.postgres.name}"
  creation_statements = "CREATE ROLE {{name}} WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"
}

Argument Reference

The following arguments are supported:

  • name - (Required) A unique name to give the role.

  • backend - (Required) The unique name of the Vault mount to configure.

  • db_name - (Required) The unique name of the database connection to use for the role.

  • creation_statements - (Required) The database statements to execute when creating a user.

  • revocation_statements - (Optional) The database statements to execute when revoking a user.

  • rollback_statements - (Optional) The database statements to execute when rolling back creation due to an error.

  • renew_statements - (Optional) The database statements to execute when renewing a user.

  • default_ttl - (Optional) The default number of seconds for leases for this role.

  • max_ttl - (Optional) The maximum number of seconds for leases for this role.
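
The optional arguments above, combined into a short-lived read-only role. This is an added example, not part of the original provider documentation; it reuses the vault_mount.db and vault_database_secret_backend_connection.postgres resources from Example Usage, and the "public" schema, the SELECT-only grant and the TTL values are assumptions chosen for illustration.

```hcl
resource "vault_database_secret_backend_role" "readonly" {
  backend = "${vault_mount.db.path}"

  # "prod" is one of the names listed in the connection's allowed_roles.
  name    = "prod"
  db_name = "${vault_database_secret_backend_connection.postgres.name}"

  # Create a login role that expires with the lease and grant it only SELECT.
  # Vault fills in {{name}}, {{password}} and {{expiration}} for each lease.
  creation_statements = <<EOT
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
EOT

  # Remove the grants before dropping the role; PostgreSQL refuses to drop
  # a role that still holds privileges on objects.
  revocation_statements = <<EOT
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM "{{name}}";
DROP ROLE IF EXISTS "{{name}}";
EOT

  # Leases last one hour by default and cannot be renewed beyond 24 hours.
  default_ttl = 3600
  max_ttl     = 86400
}
```

Keeping default_ttl short limits how long a leaked credential remains usable, and max_ttl caps how far renewals can extend it.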

Attributes Reference

No additional attributes are exported by this resource.

© 2018 HashiCorp
Licensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/vault/r/database_secret_backend_role.html