@jd-hatzenbuhler jd-hatzenbuhler commented May 28, 2025

Description

Add TLS options to MongoDB database connection to allow verification of certificate as well as client auth. This is in line with the CLI options.

Closes #980

Checklist

  • Added CHANGELOG entry (only for user-facing changes)
  • Acceptance tests were run against all supported Vault Versions

Output from acceptance testing:

❯ export VAULT_ADDR=http://127.0.0.1:8200
❯ export VAULT_TOKEN=root
❯ export MONGODB_CA=$(cat .tls_ca)
❯ export MONGODB_URL="mongodb://<user>:<password>@<host>:27017/admin?tls=true"
❯ TESTARGS="--run DatabaseSecretBackendConnection" make testacc
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test --run DatabaseSecretBackendConnection -timeout 30m ./...
?   	github.com/hashicorp/terraform-provider-vault	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/cmd/coverage	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/cmd/generate	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/codegen	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/helper	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/consts	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/framework/base	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/framework/client	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/framework/errutil	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/framework/model	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/internal/framework/validators	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/internal/identity/entity	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/internal/identity/group	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/identity/mfa	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/pki	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/internal/provider	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/internal/provider/fwprovider	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/providertest	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/rotation	[no test files]
?   	github.com/hashicorp/terraform-provider-vault/internal/sync	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/internal/vault/secrets/ephemeral	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/internal/vault/sys	(cached) [no tests to run]
?   	github.com/hashicorp/terraform-provider-vault/schema	[no test files]
ok  	github.com/hashicorp/terraform-provider-vault/testutil	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/util	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/util/mountutil	(cached) [no tests to run]
ok  	github.com/hashicorp/terraform-provider-vault/vault	5.036s

Vault logs during the acceptance test:

2025-07-04T17:18:14.721+0200 [DEBUG] secrets.database.database_f75fffcd: got database plugin instance: type=mongodb
2025-07-04T17:18:15.168+0200 [DEBUG] secrets.database.database_f75fffcd: created database object: name=db-2675928798515249032 plugin_name=mongodb-database-plugin
2025-07-04T17:18:15.168+0200 [DEBUG] secrets.database.database_f75fffcd: Deregistering rotation job: mount=tf-test-db-6094841153995290209/config/db-2675928798515249032

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request

@jd-hatzenbuhler jd-hatzenbuhler requested a review from a team as a code owner May 28, 2025 07:55
@jd-hatzenbuhler jd-hatzenbuhler marked this pull request as draft May 28, 2025 07:56
@jd-hatzenbuhler jd-hatzenbuhler marked this pull request as ready for review May 28, 2025 12:20

hashicorp-cla-app bot commented Jul 4, 2025

CLA assistant check
All committers have signed the CLA.

Successfully merging this pull request may close these issues.

mongo database engine does not support tls_ca