hashicorp · vinay-gopalan · Feb 10, 2022 · Feb 2, 2022 · Feb 2, 2022 · Feb 2, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ IMPROVEMENTS:
 * `resource/pki_secret_backend_root_sign_intermediate`: Update schema for `ca_chain` from string to a list of   
   `issuing_ca` and `certificate`, add new `certificate_bundle` attribute that provides the concatenation of the   
   intermediate and issuing CA certificates (PEM encoded) ([#1330](https://github.com/hashicorp/terraform-provider-vault/pull/1330))
+* `resource/database_secret_backend_connection`: Add `username` and `password` support to Redshift, Hana, Postgres and MSSQL ([#1331](https://github.com/hashicorp/terraform-provider-vault/pull/1331))
 
 ## 3.2.1 (January 20, 2022)
 BUGS:

diff --git a/vault/resource_database_secret_backend_connection.go b/vault/resource_database_secret_backend_connection.go
@@ -485,6 +485,7 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 				Description: "Connection parameters for the hana-database-plugin plugin.",
 				Elem: connectionStringResource(&connectionStringConfig{
 					excludeUsernameTemplate: true,
+					includeUserPass:         true,
 				}),
 				MaxItems:      1,
 				ConflictsWith: util.CalculateConflictsWith(dbEngineHana.Name(), dbEngineTypes),
@@ -533,10 +534,12 @@ func databaseSecretBackendConnectionResource() *schema.Resource {
 			},
 
 			dbEnginePostgres.name: {
-				Type:          schema.TypeList,
-				Optional:      true,
-				Description:   "Connection parameters for the postgresql-database-plugin plugin.",
-				Elem:          connectionStringResource(&connectionStringConfig{}),
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "Connection parameters for the postgresql-database-plugin plugin.",
+				Elem: connectionStringResource(&connectionStringConfig{
+					includeUserPass: true,
+				}),
 				MaxItems:      1,
 				ConflictsWith: util.CalculateConflictsWith(dbEnginePostgres.Name(), dbEngineTypes),
 			},
@@ -650,7 +653,9 @@ func mysqlConnectionStringResource() *schema.Resource {
 }
 
 func mssqlConnectionStringResource() *schema.Resource {
-	r := connectionStringResource(&connectionStringConfig{})
+	r := connectionStringResource(&connectionStringConfig{
+		includeUserPass: true,
+	})
 	r.Schema["contained_db"] = &schema.Schema{
 		Type:        schema.TypeBool,
 		Optional:    true,
@@ -729,7 +734,7 @@ func getDatabaseAPIData(d *schema.ResourceData) (map[string]interface{}, error)
 	case dbEngineInfluxDB:
 		setInfluxDBDatabaseConnectionData(d, "influxdb.0.", data)
 	case dbEngineHana:
-		setDatabaseConnectionData(d, "hana.0.", data)
+		setDatabaseConnectionDataWithUserPass(d, "hana.0.", data)
 	case dbEngineMongoDB:
 		setDatabaseConnectionData(d, "mongodb.0.", data)
 	case dbEngineMongoDBAtlas:
@@ -755,7 +760,7 @@ func getDatabaseAPIData(d *schema.ResourceData) (map[string]interface{}, error)
 	case dbEngineOracle:
 		setDatabaseConnectionData(d, "oracle.0.", data)
 	case dbEnginePostgres:
-		setDatabaseConnectionData(d, "postgresql.0.", data)
+		setDatabaseConnectionDataWithUserPass(d, "postgresql.0.", data)
 	case dbEngineElasticSearch:
 		setElasticsearchDatabaseConnectionData(d, "elasticsearch.0.", data)
 	case dbEngineSnowflake:
@@ -818,7 +823,7 @@ func getConnectionDetailsFromResponse(d *schema.ResourceData, prefix string, res
 }
 
 func getMSSQLConnectionDetailsFromResponse(d *schema.ResourceData, prefix string, resp *api.Secret) ([]map[string]interface{}, error) {
-	result := getConnectionDetailsFromResponse(d, prefix, resp)
+	result := getConnectionDetailsFromResponseWithUserPass(d, prefix, resp)
 	if result == nil {
 		return nil, nil
 	}
@@ -831,6 +836,7 @@ func getMSSQLConnectionDetailsFromResponse(d *schema.ResourceData, prefix string
 		}
 		result[0]["contained_db"] = containedDB
 	}
+
 	return result, nil
 }
 
@@ -1015,6 +1021,23 @@ func getSnowflakeConnectionDetailsFromResponse(d *schema.ResourceData, prefix st
 	return []map[string]interface{}{result}
 }
 
+func getConnectionDetailsFromResponseWithUserPass(d *schema.ResourceData, prefix string, resp *api.Secret) []map[string]interface{} {
+	result := getConnectionDetailsFromResponse(d, prefix, resp)
+	if result == nil {
+		return nil
+	}
+
+	details := resp.Data["connection_details"].(map[string]interface{})
+	if v, ok := details["username"]; ok {
+		result[0]["username"] = v.(string)
+	}
+	if v, ok := d.GetOk(prefix + "password"); ok {
+		result[0]["password"] = v.(string)
+	}
+
+	return result
+}
+
 func setDatabaseConnectionData(d *schema.ResourceData, prefix string, data map[string]interface{}) {
 	if v, ok := d.GetOk(prefix + "connection_url"); ok {
 		data["connection_url"] = v.(string)
@@ -1034,7 +1057,7 @@ func setDatabaseConnectionData(d *schema.ResourceData, prefix string, data map[s
 }
 
 func setMSSQLDatabaseConnectionData(d *schema.ResourceData, prefix string, data map[string]interface{}) {
-	setDatabaseConnectionData(d, prefix, data)
+	setDatabaseConnectionDataWithUserPass(d, prefix, data)
 	if v, ok := d.GetOk(prefix + "contained_db"); ok {
 		// TODO:
 		//  we have to pass string value here due to an issue with the
@@ -1284,7 +1307,7 @@ func databaseSecretBackendConnectionRead(d *schema.ResourceData, meta interface{
 	case dbEngineInfluxDB:
 		d.Set("influxdb", getInfluxDBConnectionDetailsFromResponse(d, "influxdb.0.", resp))
 	case dbEngineHana:
-		d.Set("hana", getConnectionDetailsFromResponse(d, "hana.0.", resp))
+		d.Set("hana", getConnectionDetailsFromResponseWithUserPass(d, "hana.0.", resp))
 	case dbEngineMongoDB:
 		d.Set("mongodb", getConnectionDetailsFromResponse(d, "mongodb.0.", resp))
 	case dbEngineMongoDBAtlas:
@@ -1321,13 +1344,13 @@ func databaseSecretBackendConnectionRead(d *schema.ResourceData, meta interface{
 	case dbEngineOracle:
 		d.Set("oracle", getConnectionDetailsFromResponse(d, "oracle.0.", resp))
 	case dbEnginePostgres:
-		d.Set("postgresql", getConnectionDetailsFromResponse(d, "postgresql.0.", resp))
+		d.Set("postgresql", getConnectionDetailsFromResponseWithUserPass(d, "postgresql.0.", resp))
 	case dbEngineElasticSearch:
 		d.Set("elasticsearch", getElasticsearchConnectionDetailsFromResponse(d, "elasticsearch.0.", resp))
 	case dbEngineSnowflake:
 		d.Set("snowflake", getSnowflakeConnectionDetailsFromResponse(d, "snowflake.0.", resp))
 	case dbEngineRedshift:
-		d.Set("redshift", getConnectionDetailsFromResponse(d, "redshift.0.", resp))
+		d.Set("redshift", getConnectionDetailsFromResponseWithUserPass(d, "redshift.0.", resp))
 	default:
 		return fmt.Errorf("no response handler for dbEngine: %s", db)
 	}

diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"net/url"
 	"os"
 	"reflect"
 	"strings"
@@ -46,7 +47,7 @@ func TestAccDatabaseSecretBackendConnection_import(t *testing.T) {
 		CheckDestroy: testAccDatabaseSecretBackendConnectionCheckDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDatabaseSecretBackendConnectionConfig_postgresql(name, backend, connURL, userTempl),
+				Config: testAccDatabaseSecretBackendConnectionConfig_import(name, backend, connURL, userTempl),
 				Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName,
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.0", "dev"),
@@ -322,13 +323,19 @@ func TestAccDatabaseSecretBackendConnection_mssql(t *testing.T) {
 	pluginName := dbEngineMSSQL.DefaultPluginName()
 	name := acctest.RandomWithPrefix("db")
 
+	parsedURL, err := url.Parse(connURL)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	username := parsedURL.User.Username()
 	resource.Test(t, resource.TestCase{
 		Providers:    testProviders,
 		PreCheck:     func() { testutil.TestAccPreCheck(t) },
 		CheckDestroy: testAccDatabaseSecretBackendConnectionCheckDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDatabaseSecretBackendConnectionConfig_mssql(name, backend, connURL, pluginName, false),
+				Config: testAccDatabaseSecretBackendConnectionConfig_mssql(name, backend, pluginName, parsedURL, false),
 				Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName,
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.0", "dev"),
@@ -340,11 +347,12 @@ func TestAccDatabaseSecretBackendConnection_mssql(t *testing.T) {
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mssql.0.max_open_connections", "2"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mssql.0.max_idle_connections", "0"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mssql.0.max_connection_lifetime", "0"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mssql.0.username", username),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mssql.0.contained_db", "false"),
 				),
 			},
 			{
-				Config: testAccDatabaseSecretBackendConnectionConfig_mssql(name, backend, connURL, pluginName, true),
+				Config: testAccDatabaseSecretBackendConnectionConfig_mssql(name, backend, pluginName, parsedURL, true),
 				Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName,
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "plugin_name", pluginName),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.#", "2"),
@@ -357,6 +365,7 @@ func TestAccDatabaseSecretBackendConnection_mssql(t *testing.T) {
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mssql.0.max_open_connections", "2"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mssql.0.max_idle_connections", "0"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mssql.0.max_connection_lifetime", "0"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mssql.0.username", username),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "mssql.0.contained_db", "true"),
 				),
 			},
@@ -631,7 +640,12 @@ func TestAccDatabaseSecretBackendConnection_postgresql(t *testing.T) {
 	// TODO: make these fatal once we auto provision the required test infrastructure.
 	values := testutil.SkipTestEnvUnset(t, "POSTGRES_URL")
 	connURL := values[0]
+	parsedURL, err := url.Parse(connURL)
+	if err != nil {
+		t.Fatal(err)
+	}
 
+	username := parsedURL.User.Username()
 	backend := acctest.RandomWithPrefix("tf-test-db")
 	pluginName := dbEnginePostgres.DefaultPluginName()
 	name := acctest.RandomWithPrefix("db")
@@ -642,7 +656,7 @@ func TestAccDatabaseSecretBackendConnection_postgresql(t *testing.T) {
 		CheckDestroy: testAccDatabaseSecretBackendConnectionCheckDestroy,
 		Steps: []resource.TestStep{
 			{
-				Config: testAccDatabaseSecretBackendConnectionConfig_postgresql(name, backend, connURL, userTempl),
+				Config: testAccDatabaseSecretBackendConnectionConfig_postgresql(name, backend, userTempl, parsedURL),
 				Check: testComposeCheckFuncCommonDatabaseSecretBackend(name, backend, pluginName,
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.#", "2"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "allowed_roles.0", "dev"),
@@ -654,6 +668,7 @@ func TestAccDatabaseSecretBackendConnection_postgresql(t *testing.T) {
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.max_open_connections", "2"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.max_idle_connections", "0"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.max_connection_lifetime", "0"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.username", username),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "postgresql.0.username_template", userTempl),
 				),
 			},
@@ -848,6 +863,27 @@ resource "vault_database_secret_backend_connection" "test" {
 `, path, name, host, username, password)
 }
 
+func testAccDatabaseSecretBackendConnectionConfig_import(name, path, connURL, userTempl string) string {
+	return fmt.Sprintf(`
+resource "vault_mount" "db" {
+  path = "%s"
+  type = "database"
+}
+
+resource "vault_database_secret_backend_connection" "test" {
+  backend = vault_mount.db.path
+  name = "%s"
+  allowed_roles = ["dev", "prod"]
+  root_rotation_statements = ["FOOBAR"]
+
+  postgresql {
+	  connection_url = "%s"
+	  username_template = "%s"
+  }
+}
+`, path, name, connURL, userTempl)
+}
+
 func testAccDatabaseSecretBackendConnectionConfig_influxdb(name, path, host, username, password string) string {
 	return fmt.Sprintf(`
 resource "vault_mount" "db" {
@@ -955,18 +991,24 @@ resource "vault_database_secret_backend_connection" "test" {
 `, path, name, connURL)
 }
 
-func testAccDatabaseSecretBackendConnectionConfig_mssql(name, path, connURL, pluginName string, containedDB bool) string {
+func testAccDatabaseSecretBackendConnectionConfig_mssql(name, path, pluginName string, parsedURL *url.URL, containedDB bool) string {
 	var config string
+	password, _ := parsedURL.User.Password()
+
 	if containedDB {
 		config = `
   mssql {
     connection_url = "%s"
+	username       = "%s"
+	password       = "%s"
     contained_db   = true
   }`
 	} else {
 		config = `
   mssql {
     connection_url = "%s"
+	username       = "%s"
+	password       = "%s"
   }`
 	}
 
@@ -984,7 +1026,7 @@ resource "vault_database_secret_backend_connection" "test" {
   root_rotation_statements = ["FOOBAR"]
 %s
 }
-`, path, pluginName, name, fmt.Sprintf(config, connURL))
+`, path, pluginName, name, fmt.Sprintf(config, parsedURL.String(), parsedURL.User.Username(), password))
 
 	return result
 }
@@ -1153,7 +1195,9 @@ resource "vault_database_secret_backend_connection" "test" {
 `, path, name, connURL)
 }
 
-func testAccDatabaseSecretBackendConnectionConfig_postgresql(name, path, connURL, userTempl string) string {
+func testAccDatabaseSecretBackendConnectionConfig_postgresql(name, path, userTempl string, parsedURL *url.URL) string {
+	password, _ := parsedURL.User.Password()
+
 	return fmt.Sprintf(`
 resource "vault_mount" "db" {
   path = "%s"
@@ -1168,10 +1212,12 @@ resource "vault_database_secret_backend_connection" "test" {
 
   postgresql {
 	  connection_url = "%s"
+      username = "%s"
+      password = "%s"
 	  username_template = "%s"
   }
 }
-`, path, name, connURL, userTempl)
+`, path, name, parsedURL.String(), parsedURL.User.Username(), password, userTempl)
 }
 
 func testAccDatabaseSecretBackendConnectionConfig_snowflake(name, path, url, username, password, userTempl string) string {