feat(mongodb): support rotation_statements for static roles#31914

Open
pbromb wants to merge 1 commit into
hashicorp:release/1.21.xfrom
pbromb:feat/mongodb-rotation-statements

Conversation


@pbromb pbromb commented Apr 13, 2026

Description

This PR enhances the MongoDB database plugin to support rotation_statements for static roles, similar to the MySQL plugin behavior.

  • Support rotation_statements during password rotation (UpdateUser), executing a list of JSON statements shaped like:
    • {"db":"admin","command":{...}}
  • Template variables supported in each statement: {{username}}, {{password}} (and {{name}})
  • Ordered command execution: decode command into an ordered bson.D before calling RunCommand (fixes multi-key command errors)
  • Optional ignore_errors per statement to allow idempotent rotations (e.g. ignore “user already exists” for createUser), supporting friendly tokens like UserAlreadyExists / DuplicateKey

Example:

"rotation_statements" = [
  "{\"db\":\"admin\",\"command\":{\"createUser\":\"{{username}}\",\"pwd\":\"{{password}}\",\"roles\":[]},\"ignore_errors\":[\"UserAlreadyExists\"]}",
  "{\"db\":\"admin\",\"command\":{\"updateUser\":\"{{username}}\",\"pwd\":\"{{password}}\",\"roles\":[{\"role\":\"readWrite\",\"db\":\"example\"}]}}"
]

For comparison, in the MySQL plugin this can be achieved by providing rotation_statements, e.g.:

"rotation_statements" = [
    "CREATE USER IF NOT EXISTS '{{name}}'@'%' IDENTIFIED BY '{{password}}';",
    "GRANT ALL ON example.* TO '{{name}}'@'%';",
    "ALTER USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';"
]

This PR brings equivalent rotation_statements support to the MongoDB plugin, which previously did not support rotation statements for static roles.
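The three behaviours the description lists, ordered decoding of the command document, template substitution and per-statement ignore_errors, as an added Go example. This is not the PR's code or Vault's own: it assumes a local OrderedDoc type in place of the driver's bson.D (so it runs without mongo-go-driver), a CommandError carrying the Code/Name/Message fields of the driver's mongo.CommandError, and an alias table for the UserAlreadyExists and DuplicateKey tokens that is this example's own choice. The statements and the simulated server error used below are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Elem/OrderedDoc stand in for the driver's bson.E/bson.D: MongoDB takes the FIRST key
// of a command document as the command name, so key order must survive decoding.
type Elem struct{ Key string; Value interface{} }
type OrderedDoc []Elem

// Statement is one rotation_statements entry: {"db":..,"command":{..},"ignore_errors":[..]}.
type Statement struct {
	DB           string          `json:"db"`
	RawCommand   json.RawMessage `json:"command"`
	IgnoreErrors []string        `json:"ignore_errors"`
	Command      OrderedDoc      `json:"-"` // RawCommand decoded with key order kept
}

// decodeValue consumes one JSON value starting at tok; objects become OrderedDoc,
// arrays []interface{}, scalars stay as the decoder yields them.
func decodeValue(dec *json.Decoder, tok json.Token) (interface{}, error) {
	d, isDelim := tok.(json.Delim)
	if !isDelim { return tok, nil }
	doc, arr := OrderedDoc{}, []interface{}{}
	for dec.More() {
		var key string
		if d == '{' {
			kt, err := dec.Token()
			if err != nil { return nil, err }
			if key, _ = kt.(string); key == "" { return nil, fmt.Errorf("bad key %v", kt) }
		}
		vt, err := dec.Token()
		if err != nil { return nil, err }
		val, err := decodeValue(dec, vt)
		if err != nil { return nil, err }
		if d == '{' { doc = append(doc, Elem{key, val}) } else { arr = append(arr, val) }
	}
	if _, err := dec.Token(); err != nil { return nil, err } // closing '}' or ']'
	if d == '{' { return doc, nil }
	return arr, nil
}

// ParseStatement decodes one statement (unknown fields such as "ignore_error" are
// rejected) and then decodes the command object without going through a Go map.
func ParseStatement(raw string) (Statement, error) {
	var st Statement
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&st); err != nil { return st, err }
	dec = json.NewDecoder(strings.NewReader(string(st.RawCommand)))
	tok, err := dec.Token()
	if err != nil { return st, err }
	v, err := decodeValue(dec, tok)
	if err != nil { return st, err }
	st.Command, _ = v.(OrderedDoc)
	if st.DB == "" || len(st.Command) == 0 { return st, errors.New(`"db" and a non-empty "command" object are required`) }
	return st, nil
}

// render walks the decoded command and substitutes only inside string VALUES, so a
// password containing `"` or `}` cannot change the document's shape the way
// substituting into the raw JSON text before parsing could.
func render(v interface{}, r *strings.Replacer) interface{} {
	switch x := v.(type) {
	case string:
		return r.Replace(x)
	case OrderedDoc:
		out := make(OrderedDoc, len(x))
		for i, e := range x { out[i] = Elem{e.Key, render(e.Value, r)} }
		return out
	case []interface{}:
		out := make([]interface{}, len(x))
		for i, e := range x { out[i] = render(e, r) }
		return out
	}
	return v
}

// Render fills {{username}}, {{name}} and {{password}} in a parsed statement.
func Render(st Statement, username, password string) Statement {
	r := strings.NewReplacer("{{username}}", username, "{{name}}", username, "{{password}}", password)
	st.Command = render(st.Command, r).(OrderedDoc)
	return st
}

// CommandError carries the mongo.CommandError fields used here (Name is the server codeName).
type CommandError struct{ Code int32; Name, Message string }
func (e CommandError) Error() string { return fmt.Sprintf("(%s) %s", e.Name, e.Message) }

// Ignorable reports whether err matches one of a statement's ignore_errors tokens, either
// the server codeName or a friendly alias. Anything that is not a server CommandError
// (a dropped connection, an auth failure) is never ignored.
func Ignorable(err error, tokens []string) bool {
	var ce CommandError
	if !errors.As(err, &ce) { return false }
	for _, t := range tokens {
		if strings.EqualFold(t, ce.Name) ||
			(strings.EqualFold(t, "DuplicateKey") && ce.Code == 11000) ||
			(strings.EqualFold(t, "UserAlreadyExists") && strings.Contains(ce.Message, "already exists")) {
			return true // this alias mapping is the example's assumption, not the PR's
		}
	}
	return false
}
```

Two points of the design are worth calling out. Substitution happens on the decoded values, not on the JSON text, because a password policy that permits quote or brace characters would otherwise yield invalid JSON or a differently shaped command; with the PR's two-statement example, `{{password}}` only ever lands in the `pwd` string. And Ignorable only consults the ignore list of the statement that failed and only for errors the server actually returned, so an ignore_errors entry on createUser cannot mask a transport failure, and the following updateUser still runs with the new password.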

@pbromb pbromb requested a review from a team as a code owner April 13, 2026 10:57

vercel Bot commented Apr 13, 2026

Someone is attempting to deploy a commit to the HashiCorp Team on Vercel.

A member of the Team first needs to authorize it.

@hashicorp-cla-app

CLA assistant check

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes
pbromboszcz seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

Have you signed the CLA already but the status is still pending? Recheck it.
