Redis Static Credential Benchmark (redis_static_secret)

This benchmark tests the static generation of Redis credentials.

~> We highly recommend that you use a Vault-specific user rather than the admin user in your database when configuring the plugin. This user will be used to create/update/delete users within the database, so it needs the appropriate permissions to do so.

Benchmark Configuration Parameters

DB Configuration (db_connection)

  • name (string: "benchmark-redis-db") - Name for this database connection.
  • plugin_name (string: "redis-database-plugin") - Specifies the name of the plugin to use for this connection.
  • plugin_version (string: "") - Specifies the semantic version of the plugin to use for this connection.
  • verify_connection (bool: true) - Specifies if the connection is verified during initial configuration. Defaults to true.
  • allowed_roles (list: ["my-*-role"]) - List of the roles allowed to use this connection.
  • host (string: <required>) - Specifies the host to connect to.
  • port (int: <required>) - Specifies the port to connect to.
  • username (string: <required>) - The root credential username. This can also be provided via the VAULT_BENCHMARK_STATIC_REDIS_USERNAME environment variable.
  • password (string: <required>) - The root credential password. This can also be provided via the VAULT_BENCHMARK_STATIC_REDIS_PASSWORD environment variable.
  • password_policy (string: "") - The name of the password policy to use when generating passwords for this database. If not specified, this will use a default policy defined as: 20 characters with at least 1 uppercase, 1 lowercase, 1 number, and 1 dash character.
  • tls (bool: false) - Specifies whether to use TLS when connecting to Redis.
  • ca_cert (string: optional) - Specifies the CA certificate used to verify the Redis server certificate when connecting over TLS.

Static Role Configuration (role)

  • name (string: "my-static-role") - Specifies the name of the role to create.
  • db_name (string: "benchmark-redis-db") - Specifies the name of the database connection to use for this role.
  • rotation_period (string: "5m") - Specifies the amount of time Vault should wait before rotating the password. The minimum is 5 seconds.
  • username (string: <required>) - Specifies the database username that this Vault role corresponds to. This can also be provided via the VAULT_BENCHMARK_STATIC_REDIS_USERNAME environment variable.
  • insecure_tls (bool: false) - Specifies whether to skip verification of the server certificate when using TLS. This can also be provided via the VAULT_BENCHMARK_STATIC_REDIS_PASSWORD environment variable.

Example HCL

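test "redis_static_secret" "redis_static_secret_1" {
  weight = 100
  config {
    db_connection {
      host          = "localhost"
      name          = "redis"
      port          = 6379
      allowed_roles = ["my-*-role"]
      # Root credential. Prefer a Vault-specific user over the admin user.
      username      = "default"
      # Can be supplied via VAULT_BENCHMARK_STATIC_REDIS_PASSWORD instead.
      password      = "pass"
      tls           = false
    }

    role {
      # Must match one of the allowed_roles patterns above.
      name            = "my-s-role"
      # Must match the db_connection name above.
      db_name         = "redis"
      rotation_period = "5m"
      # Database user whose password Vault rotates.
      username        = "my-static-role"
    }
  }
}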
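
A pre-flight check for the parameters documented above, as an added example that is not part of vault-benchmark: it lints one db_connection/role pair for the settings this page cautions about (admin user, inline password, TLS off or unverified) and for mismatches between the two blocks. Assumptions: the HCL has already been parsed into dicts, `*` is the only wildcard in allowed_roles, rotation_period uses a single s/m/h unit, and the finding codes and the "vault-benchmark" user name are made up for illustration.

```python
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600}

def glob_match(pattern, name):
    """Match name against pattern, treating '*' as the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def period_seconds(value):
    """Convert a single-unit period such as '5m' or '30s' to seconds."""
    m = re.fullmatch(r"(\d+)([smh])", value)
    if not m:
        raise ValueError(f"unsupported rotation_period: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def lint(db, role):
    """Return finding codes for one db_connection/role pair, in check order."""
    findings = []
    allowed = db.get("allowed_roles", [])
    if not any(glob_match(p, role["name"]) for p in allowed):
        findings.append("role-not-in-allowed_roles")
    if role.get("db_name") != db.get("name"):
        findings.append("db_name-mismatch")
    if period_seconds(role.get("rotation_period", "5m")) < 5:
        findings.append("rotation_period-below-5s")
    if db.get("username") == "default":  # Redis built-in default user
        findings.append("redis-default-user")
    if db.get("password"):  # literal secret stored in the config file
        findings.append("password-in-config-file")
    if not db.get("tls", False):
        findings.append("tls-disabled")
    if role.get("insecure_tls", False):  # listed under role on this page
        findings.append("tls-verification-skipped")
    return findings

# The page's example, transcribed as dicts.
PAGE_DB = {"host": "localhost", "name": "redis", "port": 6379,
           "allowed_roles": ["my-*-role"], "username": "default",
           "password": "pass", "tls": False}
PAGE_ROLE = {"name": "my-s-role", "db_name": "redis",
             "rotation_period": "5m", "username": "my-static-role"}

# Constructed hardened variant: dedicated user, password left to the
# environment variable, TLS on with a CA certificate placeholder.
HARDENED_DB = {k: v for k, v in PAGE_DB.items() if k != "password"}
HARDENED_DB.update(username="vault-benchmark", tls=True,
                   ca_cert="<CA certificate placeholder>")

if __name__ == "__main__":
    print(lint(PAGE_DB, PAGE_ROLE))
    print(lint(HARDENED_DB, PAGE_ROLE))
```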