Introduction:
This document outlines the steps to assign a password policy to an existing database secrets engine connection using Terraform.
Prerequisites:
- Vault token with admin access.
- Terraform
Steps:
- Assume the database secrets engine connection has already been created, but without a password policy (password_policy shows n/a):
vault read database/config/postgres
Key                                   Value
---                                   -----
allowed_roles                         [readonly]
connection_details                    map[connection_url:postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres?sslmode=disable username:root]
password_policy                       n/a
plugin_name                           postgresql-database-plugin
plugin_version                        n/a
root_credentials_rotate_statements    []
- Apply the Terraform configuration below. It first creates a password policy in Vault and then assigns that policy to the database connection shown above.
provider "vault" {
  address = "<Vault address>"
  token   = "<Admin token>"
}

# Create the password policy; it becomes readable at sys/policies/password/demo-policy.
resource "vault_password_policy" "demo_password_policy" {
  name   = "demo-policy"
  policy = <<EOT
length = 10
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
EOT
}

# Attach the policy to the existing connection. Only password_policy is sent;
# the other fields of database/config/postgres are left as they are.
resource "vault_generic_endpoint" "password_policy" {
  # Make sure the policy exists before the connection references it.
  depends_on           = [vault_password_policy.demo_password_policy]
  path                 = "/database/config/postgres"
  ignore_absent_fields = true
  data_json            = <<EOT
{
  "password_policy": "demo-policy"
}
EOT
}
Output after applying the Terraform configuration:
- List the newly created password policy and read it back:
vault list sys/policies/password
Keys
----
demo-policy

vault read sys/policies/password/demo-policy
Key       Value
---       -----
policy    length = 10
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
- Read the database secrets engine configuration again. The password_policy field now shows demo-policy, and the connection details are unchanged:
vault read database/config/postgres
Key                                   Value
---                                   -----
allowed_roles                         [readonly]
connection_details                    map[connection_url:postgresql://{{username}}:{{password}}@127.0.0.1:5432/postgres?sslmode=disable username:root]
password_policy                       demo-policy
plugin_name                           postgresql-database-plugin
plugin_version                        n/a
root_credentials_rotate_statements    []
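To confirm that credentials issued through this connection actually follow demo-policy, the script below checks a password against the policy text. It is an added example, not part of the original article, the Terraform Vault provider, or Vault itself: it re-implements only the subset of Vault's password policy language used above (a length setting plus rule "charset" blocks with charset and min-chars) so it runs offline, and it assumes, as Vault's documented generation algorithm does, that every character of a generated password is drawn from the union of the charset rules. The policy text is copied from the resource above; the sample passwords and the generate_password helper are constructed for this example.

```python
"""Check a password against a Vault password policy (added example).

Supports the policy subset used in this article: ``length = N`` and
``rule "charset" { charset = "..."  min-chars = N }`` blocks.
"""
import re
import secrets
import sys

# Policy body copied from the vault_password_policy resource above.
DEMO_POLICY = '''
length = 10
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}
'''

_LENGTH_RE = re.compile(r'^\s*length\s*=\s*(\d+)\s*$', re.M)
# Charset bodies containing '}' or '"' are outside the subset handled here.
_RULE_RE = re.compile(r'rule\s+"charset"\s*\{([^}]*)\}', re.S)
_KV_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


def parse_policy(text):
    """Return (length, [(charset, min_chars), ...]) from a policy body."""
    m = _LENGTH_RE.search(text)
    if not m:
        raise ValueError("policy has no length setting")
    rules = []
    for body in _RULE_RE.findall(text):
        kv = dict(_KV_RE.findall(body))
        if "charset" not in kv:
            raise ValueError('rule "charset" without a charset value')
        rules.append((kv["charset"], int(kv.get("min-chars", 0))))
    if not rules:
        # Simplification for this example: Vault falls back to a default
        # charset when no rule is given; that case is not modelled here.
        raise ValueError("policy has no charset rule")
    return int(m.group(1)), rules


def check_password(password, policy_text):
    """Return a list of violations; an empty list means the password complies."""
    length, rules = parse_policy(policy_text)
    problems = []
    if len(password) != length:
        problems.append(f"length {len(password)} != required {length}")
    for charset, min_chars in rules:
        found = sum(1 for ch in password if ch in charset)
        if found < min_chars:
            problems.append(f"needs at least {min_chars} of {charset!r}, found {found}")
    # Vault only draws characters from the union of the charsets, so anything
    # outside every charset cannot have come from this policy.
    allowed = set("".join(cs for cs, _ in rules))
    outside = sorted(set(password) - allowed)
    if outside:
        problems.append(f"characters outside every charset rule: {outside}")
    return problems


def generate_password(policy_text, max_attempts=100):
    """Generate a compliant password the way Vault does (constructed helper):
    draw from the union of charsets, check every rule, retry on failure."""
    length, rules = parse_policy(policy_text)
    pool = "".join(sorted(set("".join(cs for cs, _ in rules))))
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if not check_password(candidate, policy_text):
            return candidate
    raise RuntimeError("could not satisfy the policy in %d attempts" % max_attempts)


if __name__ == "__main__":
    # Usage: vault read -field=password database/creds/readonly | python3 check_policy.py
    pw = sys.stdin.readline().rstrip("\n") if not sys.stdin.isatty() else generate_password(DEMO_POLICY)
    violations = check_password(pw, DEMO_POLICY)
    print("compliant" if not violations else "violations: " + "; ".join(violations))
```

Piping the password field of a freshly issued credential into the script (the usage line in the block) gives a quick post-apply check that the policy is actually in effect for the roles on this connection; an empty violation list from check_password is the expected result.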
References:
- vault_generic_endpoint resource, Terraform Vault provider documentation