Skip to content

New Action: Rotate secret backend root credentials#2956

Open
drewmullen wants to merge 8 commits into
mainfrom
action-rotate-root
Open

New Action: Rotate secret backend root credentials#2956
drewmullen wants to merge 8 commits into
mainfrom
action-rotate-root

Conversation

@drewmullen

@drewmullen drewmullen commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Description

Adds an action to automate rotating backend root creds on a secret engine config creation.

Potential disagreements:

  • implementation can be used for any endpoint that supports rotate-root, not attempting to hardcode it to a type (ex: database)
  • placed the code at vault/secrets/rotate/

References:

Relates OR Closes #2954

Checklist

  • Added CHANGELOG entry (only for user-facing changes)
  • Acceptance tests where run against all supported Vault Versions

Output from acceptance testing:

$ TF_ACC=1 go test ./internal/vault/secrets/rotate/... -run TestAccSecretBackendRotateRoot_ -v -timeout 30m
=== RUN   TestAccSecretBackendRotateRoot_basic
--- PASS: TestAccSecretBackendRotateRoot_basic (1.15s)
=== RUN   TestAccSecretBackendRotateRoot_invalidBackend
--- PASS: TestAccSecretBackendRotateRoot_invalidBackend (0.58s)
PASS
ok  	github.com/hashicorp/terraform-provider-vault/internal/vault/secrets/rotate	2.778s

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

  • If applicable, I've documented the impact of any changes to security controls.

    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

@drewmullen drewmullen requested review from a team as code owners July 2, 2026 17:05
@drewmullen drewmullen requested a review from keeefer July 2, 2026 17:05
@drewmullen

Copy link
Copy Markdown
Contributor Author

FWIW - using this locally:

vault_mount.database: Creating...
vault_mount.database: Creation complete after 0s [id=oracle]
vault_database_secret_backend_connection.oracle: Creating...
vault_database_secret_backend_connection.oracle: Creation complete after 0s [id=oracle/config/db-1-dev]
Action started: action.vault_secret_backend_rotate_root.test (triggered by vault_database_secret_backend_connection.oracle)
vault_database_secret_backend_role.oracle_dba: Creating...
Action action.vault_secret_backend_rotate_root.test (triggered by vault_database_secret_backend_connection.oracle): Rotating root credentials at oracle/rotate-root/db-1-dev
vault_database_secret_backend_role.oracle_dba: Creation complete after 0s [id=oracle/roles/db-1-dev-admin]
Action action.vault_secret_backend_rotate_root.test (triggered by vault_database_secret_backend_connection.oracle): Successfully rotated root credentials at oracle/rotate-root/db-1-dev
Action complete: action.vault_secret_backend_rotate_root.test (triggered by vault_database_secret_backend_connection.oracle)

Apply complete! Resources: 3 added, 0 changed, 0 destroyed. Actions: 1 invoked.

@drewmullen

Copy link
Copy Markdown
Contributor Author

also closes: #202

@drewmullen

drewmullen commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Ok so the action tests are working: https://github.com/hashicorp/terraform-provider-vault/actions/runs/28615276902/job/84857830818?pr=2956

**=== RUN   TestAccSecretBackendRotateRoot_basic
--- PASS: TestAccSecretBackendRotateRoot_basic (2.06s)
=== RUN   TestAccSecretBackendRotateRoot_invalidBackend
--- PASS: TestAccSecretBackendRotateRoot_invalidBackend (1.15s)
PASS**

but the action tests rotate the root password used by other tests causing other false-failures. These tests get the password from $POSTGRES_URL set at runtime:

=== RUN   TestAccDatabaseSecretBackendConnection_postgresql_import
    resource_database_secret_backend_connection_test.go:58: Step 1/2 error: Error running apply: exit status 1
        
        Error: error configuring database connection "tf-test-db-3454244516925818279/config/db-2531120351711995218": Error making API request.

A few options...

  1. create an different database (or use another secret engine backend) that can be used to showcase password rotation
  2. move the action rotate tests to last
  3. switch to mocks + unit tests for the action
  4. create a new process that records the rotated password elsewhere to be used for further tests

@drewmullen

Copy link
Copy Markdown
Contributor Author

Advice from TFVP team was to create a new user on the DB for this action to rotate - will implement this week

@drewmullen drewmullen force-pushed the action-rotate-root branch from 26697b4 to bf0bd37 Compare July 7, 2026 16:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Enhancement]: Support rotating root passwords upon creation

1 participant