diff --git a/CHANGELOG.md b/CHANGELOG.md
index 333e48db9..7f8fb072b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@ FEATURES:
 * Update `vault_database_secret_backend_connection` to support inline TLS config for PostgreSQL ([#2339](https://github.com/hashicorp/terraform-provider-vault/pull/2339))
+* Update `vault_database_secret_backend_connection` to support skip_verification config for Cassandra ([#2346](https://github.com/hashicorp/terraform-provider-vault/pull/2346))
 ## 4.4.0 (Aug 7, 2024)
diff --git a/vault/resource_database_secret_backend_connection.go b/vault/resource_database_secret_backend_connection.go
index 48680e0b6..8159b3741 100644
--- a/vault/resource_database_secret_backend_connection.go
+++ b/vault/resource_database_secret_backend_connection.go
@@ -335,6 +335,12 @@ func getDatabaseSchema(typ schema.ValueType) schemaMap {
 					Default:     5,
 					Description: "The number of seconds to use as a connection timeout.",
 				},
+				"skip_verification": {
+					Type:        schema.TypeBool,
+					Optional:    true,
+					Default:     false,
+					Description: "Skip permissions checks when a connection to Cassandra is first created. These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles.",
+				},
 			},
 		},
 		MaxItems: 1,
@@ -1041,6 +1047,9 @@ func setCassandraDatabaseConnectionData(d *schema.ResourceData, prefix string, d
 	if v, ok := d.GetOkExists(prefix + "connect_timeout"); ok {
 		data["connect_timeout"] = v.(int)
 	}
+	if v, ok := d.GetOkExists(prefix + "skip_verification"); ok {
+		data["skip_verification"] = v.(bool)
+	}
 }
 
 func getConnectionDetailsFromResponse(d *schema.ResourceData, prefix string, resp *api.Secret) map[string]interface{} {
@@ -2070,6 +2079,9 @@ func getConnectionDetailsCassandra(d *schema.ResourceData, prefix string, resp *
 		}
 		result["connect_timeout"] = timeout
 	}
+	if v, ok := data["skip_verification"]; ok {
+		result["skip_verification"] = v.(bool)
+	}
 	return result, nil
 }
 	return nil, nil
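Review bot: The `Description` of the new `skip_verification` entry in the getDatabaseSchema hunk explains what the flag skips and why an operator might want it, but not what is lost when the check is turned off, and for a flag that disables a verification step that is the part a reader needs. Something like `When set, Vault does not confirm at configuration time that the supplied Cassandra credentials are sufficient to create roles; insufficient privileges would presumably only surface later, when a role is first created.` makes the trade-off explicit. The same wording is repeated in the website docs hunk, so the addition belongs in both places. The default of `false` keeps the checks enabled, which is the right conservative default.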
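Review bot: `result["skip_verification"] = v.(bool)` in the getConnectionDetailsCassandra hunk is an unchecked type assertion on a value read back from the Vault API response, so if the key is present with a non-bool value (for example a string, or a nil, from a server with a different schema for this field) the provider panics during Read instead of returning an error. The `connect_timeout` handling just above it in the same function converts its value defensively before storing it, and the new field should follow that pattern with a checked assertion: `if v, ok := data["skip_verification"].(bool); ok {` / `result["skip_verification"] = v` / `}`. getConnectionDetailsCassandra starts outside the hunk.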
diff --git a/vault/resource_database_secret_backend_connection_test.go b/vault/resource_database_secret_backend_connection_test.go
index c487f8aa3..6c9a579e2 100644
--- a/vault/resource_database_secret_backend_connection_test.go
+++ b/vault/resource_database_secret_backend_connection_test.go
@@ -116,6 +116,7 @@ func TestAccDatabaseSecretBackendConnection_cassandra(t *testing.T) {
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.pem_json", ""),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.protocol_version", "4"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.connect_timeout", "5"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.skip_verification", "false"),
 				),
 			},
 		},
@@ -159,6 +160,7 @@ func TestAccDatabaseSecretBackendConnection_cassandraProtocol(t *testing.T) {
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.pem_json", ""),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.protocol_version", "5"),
 					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.connect_timeout", "5"),
+					resource.TestCheckResourceAttr(testDefaultDatabaseSecretBackendResource, "cassandra.0.skip_verification", "false"),
 				),
 			},
 		},
diff --git a/website/docs/r/database_secret_backend_connection.md b/website/docs/r/database_secret_backend_connection.md
index b3d364fec..769f96c6a 100644
--- a/website/docs/r/database_secret_backend_connection.md
+++ b/website/docs/r/database_secret_backend_connection.md
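Review bot: Both new assertions, in the TestAccDatabaseSecretBackendConnection_cassandra and TestAccDatabaseSecretBackendConnection_cassandraProtocol hunks, check `cassandra.0.skip_verification` only at its default of `"false"`, so a non-default value never travels through the new setCassandraDatabaseConnectionData and getConnectionDetailsCassandra branches in this test. A step whose config sets `skip_verification = true` and asserts `"true"` after apply would cover that round trip and catch a write or read-back regression. Both enclosing test functions start outside the hunks.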
@@ -124,6 +124,9 @@ Exactly one of the nested blocks of configuration options must be supplied.
 * `connect_timeout` - (Optional) The number of seconds to use as a connection timeout.
+* `skip_verification` - (Optional) Skip permissions checks when a connection to Cassandra is first created.
+ These checks ensure that Vault is able to create roles, but can be resource intensive in clusters with many roles.
+
 ### Couchbase Configuration Options
 * `hosts` - (Required) A set of Couchbase URIs to connect to. Must use `couchbases://` scheme if `tls` is `true`.