Support database dynamic credential_type & credential_config block #2305

Open
faseyiks opened this issue Jul 29, 2024 · 0 comments


faseyiks commented Jul 29, 2024

Description

This request further expands on #2244.

Currently, the support for `credential_type` and `credential_config` configuration in `vault_database_secret_backend_static_role` and `vault_database_secret_backend_role` is patchy and challenging. In a multi-namespace setting, when you want to support multiple credential types using the same module, this is even rather impossible.

Affected Resource(s) and/or Data Source(s)

`vault_database_secret_backend_static_role`, and
`vault_database_secret_backend_role`

Potential Terraform Configuration

(I realise some of the attributes are rather verbose and too expansive for most use cases (especially the `client_certificate` ones), but these are all the possible attributes that could possibly be configured to generate a client certificate.)

```hcl
resource "vault_database_secret_backend_static_role" "role" {
  for_each = { for k, v in var.database_roles : k => v }

  backend             = vault_database_secrets_mount.db[xxx].path
  name                = each.value.role_name
  db_name             = each.value.db_name
  username            = each.value.db_username
  rotation_period     = each.value.rotation_period
  rotation_statements = each.value.rotation_statements

  # Emit the proposed credential_type block only when a role asks for one.
  dynamic "credential_type" {
    for_each = each.value.credential_type != null ? [each.value.credential_type] : []
    content {
      credential_type = each.value.credential_type

      # Generic config (e.g. password policy); guarded so lookup() never sees null.
      dynamic "credential_config" {
        for_each = each.value.credential_config != null ? [each.value.credential_config] : []
        content {
          password_policy = lookup(each.value.credential_config, "password_policy", null)
        }
      }

      # Settings that only apply when the credential is an RSA private key.
      dynamic "rsa_private_key" {
        for_each = each.value.credential_type == "rsa_private_key" && each.value.credential_config != null ? [each.value.credential_config] : []
        content {
          rsa_key_bits      = lookup(each.value.credential_config, "rsa_key_bits", null)
          rsa_key_algorithm = lookup(each.value.credential_config, "rsa_key_algorithm", null)
        }
      }

      # Settings that only apply when the credential is a client certificate.
      dynamic "client_certificate" {
        for_each = each.value.credential_type == "client_certificate" && each.value.credential_config != null ? [each.value.credential_config] : []
        content {
          common_name          = lookup(each.value.credential_config, "common_name", null)
          alt_names            = lookup(each.value.credential_config, "alt_names", null)
          ip_sans              = lookup(each.value.credential_config, "ip_sans", null)
          uri_sans             = lookup(each.value.credential_config, "uri_sans", null)
          other_sans           = lookup(each.value.credential_config, "other_sans", null)
          ttl                  = lookup(each.value.credential_config, "ttl", null)
          format               = lookup(each.value.credential_config, "format", null)
          private_key_format   = lookup(each.value.credential_config, "private_key_format", null)
          exclude_cn_from_sans = lookup(each.value.credential_config, "exclude_cn_from_sans", null)
          ou                   = lookup(each.value.credential_config, "ou", null)
          organization         = lookup(each.value.credential_config, "organization", null)
          country              = lookup(each.value.credential_config, "country", null)
          locality             = lookup(each.value.credential_config, "locality", null)
          province             = lookup(each.value.credential_config, "province", null)
          street_address       = lookup(each.value.credential_config, "street_address", null)
          postal_code          = lookup(each.value.credential_config, "postal_code", null)
          serial_number        = lookup(each.value.credential_config, "serial_number", null)
        }
      }
    }
  }
}
```

References

No response

Would you like to implement a fix?

Yes
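The proposal above reads `var.database_roles` but does not show the variable's shape. The following is an added example, not part of the issue and not the provider's own code: a `database_roles` variable typed for that proposal, with `validation` blocks that reject inconsistent or weak credential settings at `terraform plan` time rather than leaving them to be discovered after Vault has already generated credentials. It assumes Terraform 1.3 or newer (for `optional()` with defaults) and that `credential_config` is supplied as a map of strings; the key names (`rsa_key_bits`, `rsa_key_algorithm`, `common_name`, ...) are taken from the proposal, and the 90-day rotation cap is an illustrative policy choice, not a Vault or provider limit.

```hcl
# Added example (not from the issue or the provider). Assumes Terraform >= 1.3
# and credential_config passed as map(string); key names follow the proposal.
variable "database_roles" {
  type = map(object({
    role_name           = string
    db_name             = string
    db_username         = string
    rotation_period     = optional(number, 86400)   # seconds; default 1 day
    rotation_statements = optional(list(string), [])
    credential_type     = optional(string)          # password | rsa_private_key | client_certificate
    credential_config   = optional(map(string))     # allowed keys depend on credential_type
  }))

  # 1. Only credential types the proposal (and Vault's database engine) knows.
  #    A null credential_type is treated as "password", Vault's default.
  validation {
    condition = alltrue([
      for k, v in var.database_roles :
      contains(["password", "rsa_private_key", "client_certificate"],
      coalesce(v.credential_type, "password"))
    ])
    error_message = "credential_type must be password, rsa_private_key or client_certificate."
  }

  # 2. Every credential_config key must belong to the chosen credential_type;
  #    a stray key almost always means a typo or a config copied from another type.
  #    try() turns a null credential_config or null credential_type into "pass".
  validation {
    condition = alltrue([
      for k, v in var.database_roles :
      try(length(setsubtract(
        keys(v.credential_config),
        lookup({
          password        = ["password_policy"]
          rsa_private_key = ["rsa_key_bits", "rsa_key_algorithm"]
          client_certificate = [
            "common_name", "alt_names", "ip_sans", "uri_sans", "other_sans", "ttl",
            "format", "private_key_format", "exclude_cn_from_sans", "ou",
            "organization", "country", "locality", "province", "street_address",
            "postal_code", "serial_number",
          ]
        }, v.credential_type, [])
      )) == 0, true)
    ])
    error_message = "credential_config contains keys that are not valid for the chosen credential_type."
  }

  # 3. RSA keys below 2048 bits are rejected; a missing value falls back to 2048
  #    and a non-numeric value fails the check instead of crashing the plan.
  validation {
    condition = alltrue([
      for k, v in var.database_roles :
      v.credential_type != "rsa_private_key" ||
      try(tonumber(try(v.credential_config["rsa_key_bits"], "2048")), 0) >= 2048
    ])
    error_message = "rsa_key_bits must be a number of at least 2048 for rsa_private_key roles."
  }

  # 4. A client certificate without a subject CN is almost never what was intended.
  validation {
    condition = alltrue([
      for k, v in var.database_roles :
      v.credential_type != "client_certificate" ||
      try(length(v.credential_config["common_name"]) > 0, false)
    ])
    error_message = "client_certificate roles must set credential_config.common_name."
  }

  # 5. Illustrative policy: static credentials rotate at least every 90 days.
  validation {
    condition = alltrue([
      for k, v in var.database_roles : v.rotation_period > 0 && v.rotation_period <= 90 * 86400
    ])
    error_message = "rotation_period must be between 1 second and 90 days."
  }
}
```

The rules are written with `try()` and `coalesce()` rather than bare `||` guards because Terraform evaluates both sides of a boolean operator, so an expression such as `v.credential_config["x"]` on a null map would otherwise abort the plan instead of producing the intended error message. Validation runs whenever the variable is assigned, so a role that mixes `credential_type = "rsa_private_key"` with client-certificate keys, or asks for a 1024-bit key, is rejected before any `vault_database_secret_backend_static_role` is created.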

@faseyiks faseyiks changed the title [Enhancement]: Support database dynamic credential_type & credential_config Jul 29, 2024
@faseyiks faseyiks changed the title Support database dynamic credential_type & credential_config Support database dynamic credential_type & credential_config block Jul 29, 2024