vault: Allow to provide extra statement for roles creation. (#8)

cyrilgdn · greut · web-flow · commit 529c79d8dbeb · 2022-02-21T16:52:44.000+01:00
* vault: Allow to provide extra statement for roles creation. * Update vault.tf Co-authored-by: Yoan Blanc <yblanc@edgelab.ch> * fixup! docs: add license (#7) * fixup! fixup! docs: add license (#7) * Apply suggestions from code review Co-authored-by: Yoan Blanc <yblanc@edgelab.ch>
diff --git a/README.md b/README.md
@@ -17,7 +17,7 @@ In particular:
 
 ```hcl
 module "my_database" {
-  source = "git@github.com:edgelaboratories/terraform-mysql-db?ref=v0.1.2"
+  source = "git@github.com:edgelaboratories/terraform-mysql-db?ref=v0.2.0"
 
   database = "my-database"
 
@@ -37,3 +37,22 @@ module "my_database" {
   vault_role_default_ttl   = 3600
 }
 ```
+
+You can provide extra permissions for `all-privileges` or `read-only` roles with `vault_roles_extra_statements`:
+
+```hcl
+module "my_database" {
+  source = "git@github.com:edgelaboratories/terraform-mysql-db?ref=v0.2.0"
+
+  database = "my-database"
+
+  # Optional
+  vault_backend_path       = "mysql/my-cluster"
+  vault_db_connection_name = "my-cluster"
+  vault_role_default_ttl   = 3600
+
+  vault_roles_extra_statements = {
+    all-privileges = ["GRANT XA_RECOVER_ADMIN ON *.* TO '{{name}}'@'%';"]
+  }
+}
+```
diff --git a/provider.tf b/provider.tf
@@ -1,4 +1,6 @@
 terraform {
+  experiments = [module_variable_optional_attrs]
+
   required_providers {
     mysql = {
       source = "winebarrel/mysql"
diff --git a/variables.tf b/variables.tf
@@ -35,3 +35,10 @@ variable "vault_db_connection_name" {
 variable "vault_role_default_ttl" {
   default = 3600
 }
+
+variable "vault_roles_extra_statements" {
+  type = object({
+    all-privileges = optional(list(string)),
+    read-only      = optional(list(string)),
+  })
+}
diff --git a/vault.tf b/vault.tf
@@ -1,21 +1,23 @@
 locals {
   roles = var.vault_backend_path == null ? {} : {
-    "${var.database}-all-privileges" = "ALL PRIVILEGES"
-    "${var.database}-read-only"      = "SELECT"
+    "all-privileges" = "ALL PRIVILEGES"
+    "read-only"      = "SELECT"
   }
 }
 
 resource "vault_database_secret_backend_role" "this" {
   for_each = local.roles
 
-  name    = each.key
+  name    = "${var.database}-${each.key}"
   backend = var.vault_backend_path
   db_name = var.vault_db_connection_name
 
-  creation_statements = [
-    "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';",
-    "GRANT ${each.value} ON ${var.database}.* TO '{{name}}'@'%';",
-  ]
+  creation_statements = concat(
+    [
+      "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';",
+      "GRANT ${each.value} ON ${var.database}.* TO '{{name}}'@'%';",
+    ], coalesce(var.vault_roles_extra_statements[each.key], []),
+  )
 
   default_ttl = var.vault_role_default_ttl
 }
@@ -24,19 +26,19 @@ data "vault_policy_document" "this" {
   for_each = local.roles
 
   rule {
-    path         = "${var.vault_backend_path}/creds/${each.key}"
+    path         = "${var.vault_backend_path}/creds/${var.database}-${each.key}"
     capabilities = ["read"]
   }
 
   rule {
-    path         = "${var.vault_backend_path}/roles/${each.key}"
+    path         = "${var.vault_backend_path}/roles/${var.database}-${each.key}"
     capabilities = ["read"]
   }
 }
 
 resource "vault_policy" "this" {
   for_each = local.roles
 
-  name   = "${var.vault_backend_path}/${each.key}"
+  name   = "${var.vault_backend_path}/${var.database}-${each.key}"
   policy = data.vault_policy_document.this[each.key].hcl
 }
