VAULT-41206 remaining db role hwm counts (#11706) (#11931)

* add definitions and logic to track count of db roles * add mongo db atlas roles * fix keys for ali cloud and nomad * fix test for consul * remove mongodb tracking since it is already tracked by database * add unit tests for consumption billing * add unit tests for billing util * feedback * add new tests to verify that mongodb roles count towards Database roles Co-authored-by: Amir Aslamov <amir.aslamov@hashicorp.com>
2026-02-03 20:40:45 -05:00 · 2026-01-26 12:37:33 -05:00 · 2026-01-26 12:37:33 -05:00 · 2855ca4318
commit 2855ca4318
parent a1f3a33a46
5 changed files with 240 additions and 197 deletions
--- a/vault/consumption_billing_test.go
+++ b/vault/consumption_billing_test.go
@ -32,6 +32,10 @@ var secretEngineBackends = map[string]struct {
 		mount: pluginconsts.SecretEngineAzure,
 		key:   "roles/",
 	},
+	"Azure Static Roles": {
+		mount: pluginconsts.SecretEngineAzure,
+		key:   "static-roles/",
+	},
 	"Database Dynamic Roles": {
 		mount: pluginconsts.SecretEngineDatabase,
 		key:   "role/",
@ -68,6 +72,36 @@ var secretEngineBackends = map[string]struct {
 		mount: pluginconsts.SecretEngineOpenLDAP,
 		key:   "static-role/",
 	},
+	"Alicloud Dynamic Roles": {
+		mount: pluginconsts.SecretEngineAlicloud,
+		key:   "role/",
+	},
+	"RabbitMQ Dynamic Roles": {
+		mount: pluginconsts.SecretEngineRabbitMQ,
+		key:   "role/",
+	},
+	"Consul Dynamic Roles": {
+		mount: pluginconsts.SecretEngineConsul,
+		key:   "policy/",
+	},
+	"Nomad Dynamic Roles": {
+		mount: pluginconsts.SecretEngineNomad,
+		key:   "role/",
+	},
+	"Kubernetes Dynamic Roles": {
+		mount: pluginconsts.SecretEngineKubernetes,
+		key:   "roles/",
+	},
+	// MongoDB roles, unlike MongoDB Atlas roles, are
+	// counted as part of the Database secret engine
+	"MongoDB Atlas Dynamic Roles": {
+		mount: pluginconsts.SecretEngineMongoDBAtlas,
+		key:   "roles/",
+	},
+	"Terraform Cloud Dynamic Roles": {
+		mount: pluginconsts.SecretEngineTerraform,
+		key:   "role/",
+	},
 }

 // TestConsumptionBillingMetricsWorker tests that we correctly update the consumption metrics at
@ -95,27 +129,13 @@ func TestConsumptionBillingMetricsWorker(t *testing.T) {
 		addRoleToStorage(t, core, tc.mount, tc.key, 5)
 	}
 	timer := time.NewTimer(5 * time.Second)
-	expectedCounts := RoleCounts{
-		AWSDynamicRoles:         5,
-		AWSStaticRoles:          5,
-		AzureDynamicRoles:       5,
-		DatabaseDynamicRoles:    5,
-		DatabaseStaticRoles:     5,
-		GCPImpersonatedAccounts: 5,
-		GCPRolesets:             5,
-		GCPStaticAccounts:       5,
-		LDAPDynamicRoles:        5,
-		LDAPStaticRoles:         5,
-		OpenLDAPDynamicRoles:    5,
-		OpenLDAPStaticRoles:     5,
-	}

 	_ = <-timer.C
 	// Check that the billing metrics have been updated
 	counts, err := core.GetStoredHWMRoleCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
 	require.NoError(t, err)

-	require.Equal(t, *counts, expectedCounts)
+	verifyExpectedRoleCounts(t, counts, 5)

 	for _, tc := range secretEngineBackends {
 		deleteAllRolesFromStorage(t, core, tc.mount, tc.key)
@ -129,5 +149,5 @@ func TestConsumptionBillingMetricsWorker(t *testing.T) {
 	counts, err = core.GetStoredHWMRoleCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
 	require.NoError(t, err)

-	require.Equal(t, *counts, expectedCounts)
+	verifyExpectedRoleCounts(t, counts, 5)
 }
--- a/vault/consumption_billing_util.go
+++ b/vault/consumption_billing_util.go
@ -26,6 +26,7 @@ func combineRoleCounts(ctx context.Context, a, b *RoleCounts) *RoleCounts {
 		a.AWSDynamicRoles + b.AWSDynamicRoles,
 		a.AWSStaticRoles + b.AWSStaticRoles,
 		a.AzureDynamicRoles + b.AzureDynamicRoles,
+		a.AzureStaticRoles + b.AzureStaticRoles,
 		a.DatabaseDynamicRoles + b.DatabaseDynamicRoles,
 		a.DatabaseStaticRoles + b.DatabaseStaticRoles,
 		a.GCPRolesets + b.GCPRolesets,
@ -35,6 +36,13 @@ func combineRoleCounts(ctx context.Context, a, b *RoleCounts) *RoleCounts {
 		a.LDAPStaticRoles + b.LDAPStaticRoles,
 		a.OpenLDAPDynamicRoles + b.OpenLDAPDynamicRoles,
 		a.OpenLDAPStaticRoles + b.OpenLDAPStaticRoles,
+		a.AlicloudDynamicRoles + b.AlicloudDynamicRoles,
+		a.RabbitMQDynamicRoles + b.RabbitMQDynamicRoles,
+		a.ConsulDynamicRoles + b.ConsulDynamicRoles,
+		a.NomadDynamicRoles + b.NomadDynamicRoles,
+		a.KubernetesDynamicRoles + b.KubernetesDynamicRoles,
+		a.MongoDBAtlasDynamicRoles + b.MongoDBAtlasDynamicRoles,
+		a.TerraformCloudDynamicRoles + b.TerraformCloudDynamicRoles,
 	}
 }

@ -139,42 +147,27 @@ func (c *Core) UpdateMaxRoleCounts(ctx context.Context, localPathPrefix string,
 	if currentRoleCounts == nil {
 		currentRoleCounts = &RoleCounts{}
 	}
-	if currentRoleCounts.AWSDynamicRoles > maxRoleCounts.AWSDynamicRoles {
-		maxRoleCounts.AWSDynamicRoles = currentRoleCounts.AWSDynamicRoles
-	}
-	if currentRoleCounts.AzureDynamicRoles > maxRoleCounts.AzureDynamicRoles {
-		maxRoleCounts.AzureDynamicRoles = currentRoleCounts.AzureDynamicRoles
-	}
-	if currentRoleCounts.GCPRolesets > maxRoleCounts.GCPRolesets {
-		maxRoleCounts.GCPRolesets = currentRoleCounts.GCPRolesets
-	}
-	if currentRoleCounts.AWSStaticRoles > maxRoleCounts.AWSStaticRoles {
-		maxRoleCounts.AWSStaticRoles = currentRoleCounts.AWSStaticRoles
-	}
-	if currentRoleCounts.DatabaseDynamicRoles > maxRoleCounts.DatabaseDynamicRoles {
-		maxRoleCounts.DatabaseDynamicRoles = currentRoleCounts.DatabaseDynamicRoles
-	}
-	if currentRoleCounts.OpenLDAPStaticRoles > maxRoleCounts.OpenLDAPStaticRoles {
-		maxRoleCounts.OpenLDAPStaticRoles = currentRoleCounts.OpenLDAPStaticRoles
-	}
-	if currentRoleCounts.OpenLDAPDynamicRoles > maxRoleCounts.OpenLDAPDynamicRoles {
-		maxRoleCounts.OpenLDAPDynamicRoles = currentRoleCounts.OpenLDAPDynamicRoles
-	}
-	if currentRoleCounts.LDAPDynamicRoles > maxRoleCounts.LDAPDynamicRoles {
-		maxRoleCounts.LDAPDynamicRoles = currentRoleCounts.LDAPDynamicRoles
-	}
-	if currentRoleCounts.LDAPStaticRoles > maxRoleCounts.LDAPStaticRoles {
-		maxRoleCounts.LDAPStaticRoles = currentRoleCounts.LDAPStaticRoles
-	}
-	if currentRoleCounts.DatabaseStaticRoles > maxRoleCounts.DatabaseStaticRoles {
-		maxRoleCounts.DatabaseStaticRoles = currentRoleCounts.DatabaseStaticRoles
-	}
-	if currentRoleCounts.GCPImpersonatedAccounts > maxRoleCounts.GCPImpersonatedAccounts {
-		maxRoleCounts.GCPImpersonatedAccounts = currentRoleCounts.GCPImpersonatedAccounts
-	}
-	if currentRoleCounts.GCPStaticAccounts > maxRoleCounts.GCPStaticAccounts {
-		maxRoleCounts.GCPStaticAccounts = currentRoleCounts.GCPStaticAccounts
-	}
+	maxRoleCounts.AWSDynamicRoles = adjustCounts(currentRoleCounts.AWSDynamicRoles, maxRoleCounts.AWSDynamicRoles)
+	maxRoleCounts.AzureDynamicRoles = adjustCounts(currentRoleCounts.AzureDynamicRoles, maxRoleCounts.AzureDynamicRoles)
+	maxRoleCounts.AzureStaticRoles = adjustCounts(currentRoleCounts.AzureStaticRoles, maxRoleCounts.AzureStaticRoles)
+	maxRoleCounts.GCPRolesets = adjustCounts(currentRoleCounts.GCPRolesets, maxRoleCounts.GCPRolesets)
+	maxRoleCounts.AWSStaticRoles = adjustCounts(currentRoleCounts.AWSStaticRoles, maxRoleCounts.AWSStaticRoles)
+	maxRoleCounts.DatabaseDynamicRoles = adjustCounts(currentRoleCounts.DatabaseDynamicRoles, maxRoleCounts.DatabaseDynamicRoles)
+	maxRoleCounts.OpenLDAPStaticRoles = adjustCounts(currentRoleCounts.OpenLDAPStaticRoles, maxRoleCounts.OpenLDAPStaticRoles)
+	maxRoleCounts.OpenLDAPDynamicRoles = adjustCounts(currentRoleCounts.OpenLDAPDynamicRoles, maxRoleCounts.OpenLDAPDynamicRoles)
+	maxRoleCounts.LDAPDynamicRoles = adjustCounts(currentRoleCounts.LDAPDynamicRoles, maxRoleCounts.LDAPDynamicRoles)
+	maxRoleCounts.LDAPStaticRoles = adjustCounts(currentRoleCounts.LDAPStaticRoles, maxRoleCounts.LDAPStaticRoles)
+	maxRoleCounts.DatabaseStaticRoles = adjustCounts(currentRoleCounts.DatabaseStaticRoles, maxRoleCounts.DatabaseStaticRoles)
+	maxRoleCounts.GCPImpersonatedAccounts = adjustCounts(currentRoleCounts.GCPImpersonatedAccounts, maxRoleCounts.GCPImpersonatedAccounts)
+	maxRoleCounts.GCPStaticAccounts = adjustCounts(currentRoleCounts.GCPStaticAccounts, maxRoleCounts.GCPStaticAccounts)
+	maxRoleCounts.AlicloudDynamicRoles = adjustCounts(currentRoleCounts.AlicloudDynamicRoles, maxRoleCounts.AlicloudDynamicRoles)
+	maxRoleCounts.RabbitMQDynamicRoles = adjustCounts(currentRoleCounts.RabbitMQDynamicRoles, maxRoleCounts.RabbitMQDynamicRoles)
+	maxRoleCounts.ConsulDynamicRoles = adjustCounts(currentRoleCounts.ConsulDynamicRoles, maxRoleCounts.ConsulDynamicRoles)
+	maxRoleCounts.NomadDynamicRoles = adjustCounts(currentRoleCounts.NomadDynamicRoles, maxRoleCounts.NomadDynamicRoles)
+	maxRoleCounts.KubernetesDynamicRoles = adjustCounts(currentRoleCounts.KubernetesDynamicRoles, maxRoleCounts.KubernetesDynamicRoles)
+	maxRoleCounts.MongoDBAtlasDynamicRoles = adjustCounts(currentRoleCounts.MongoDBAtlasDynamicRoles, maxRoleCounts.MongoDBAtlasDynamicRoles)
+	maxRoleCounts.TerraformCloudDynamicRoles = adjustCounts(currentRoleCounts.TerraformCloudDynamicRoles, maxRoleCounts.TerraformCloudDynamicRoles)
+
 	err = c.storeMaxRoleCountsLocked(ctx, maxRoleCounts, localPathPrefix, currentMonth)
 	if err != nil {
 		return nil, err
@ -208,3 +201,10 @@ func (c *Core) getStoredRoleCountsLocked(ctx context.Context, localPathPrefix st
 func (c *Core) GetBillingSubView() *BarrierView {
 	return c.systemBarrierView.SubView(billing.BillingSubPath)
 }
+
+func adjustCounts(currentCount int, maxCount int) int {
+	if currentCount > maxCount {
+		return currentCount
+	}
+	return maxCount
+}
--- a/vault/consumption_billing_util_oss_test.go
+++ b/vault/consumption_billing_util_oss_test.go
@ -0,0 +1,40 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+//go:build !enterprise
+
+package vault
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// verifyExpectedRoleCounts verifies that the actual role counts match expected values.
+// In OSS, AzureStaticRoles should be 0 since they're only supported in Enterprise.
+func verifyExpectedRoleCounts(t *testing.T, actual *RoleCounts, baseCount int) {
+	expected := &RoleCounts{
+		AWSDynamicRoles:            baseCount,
+		AWSStaticRoles:             baseCount,
+		AzureDynamicRoles:          baseCount,
+		AzureStaticRoles:           0, // OSS: Azure Static roles not supported
+		DatabaseDynamicRoles:       baseCount,
+		DatabaseStaticRoles:        baseCount,
+		GCPImpersonatedAccounts:    baseCount,
+		GCPRolesets:                baseCount,
+		GCPStaticAccounts:          baseCount,
+		LDAPDynamicRoles:           baseCount,
+		LDAPStaticRoles:            baseCount,
+		OpenLDAPDynamicRoles:       baseCount,
+		OpenLDAPStaticRoles:        baseCount,
+		AlicloudDynamicRoles:       baseCount,
+		RabbitMQDynamicRoles:       baseCount,
+		ConsulDynamicRoles:         baseCount,
+		NomadDynamicRoles:          baseCount,
+		KubernetesDynamicRoles:     baseCount,
+		MongoDBAtlasDynamicRoles:   baseCount,
+		TerraformCloudDynamicRoles: baseCount,
+	}
+	require.Equal(t, expected, actual)
+}
--- a/vault/consumption_billing_util_test.go
+++ b/vault/consumption_billing_util_test.go
@ -9,13 +9,20 @@ import (
 	"testing"
 	"time"

+	logicalAlicloud "github.com/hashicorp/vault-plugin-secrets-alicloud"
 	logicalAzure "github.com/hashicorp/vault-plugin-secrets-azure"
 	logicalGcp "github.com/hashicorp/vault-plugin-secrets-gcp/plugin"
+	logicalKubernetes "github.com/hashicorp/vault-plugin-secrets-kubernetes"
 	logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
+	logicalMongoDBAtlas "github.com/hashicorp/vault-plugin-secrets-mongodbatlas"
 	logicalLDAP "github.com/hashicorp/vault-plugin-secrets-openldap"
+	logicalTerraform "github.com/hashicorp/vault-plugin-secrets-terraform"
 	"github.com/hashicorp/vault/builtin/credential/userpass"
 	logicalAws "github.com/hashicorp/vault/builtin/logical/aws"
+	logicalConsul "github.com/hashicorp/vault/builtin/logical/consul"
 	logicalDatabase "github.com/hashicorp/vault/builtin/logical/database"
+	logicalNomad "github.com/hashicorp/vault/builtin/logical/nomad"
+	logicalRabbitMQ "github.com/hashicorp/vault/builtin/logical/rabbitmq"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/helper/pluginconsts"
 	"github.com/hashicorp/vault/sdk/logical"
@ -24,13 +31,20 @@ import (
 )

 var roleLogicalBackends = map[string]logical.Factory{
-	pluginconsts.SecretEngineAWS:      logicalAws.Factory,
-	pluginconsts.SecretEngineAzure:    logicalAzure.Factory,
-	pluginconsts.SecretEngineGCP:      logicalGcp.Factory,
-	pluginconsts.SecretEngineKV:       logicalKv.Factory,
-	pluginconsts.SecretEngineLDAP:     logicalLDAP.Factory,
-	pluginconsts.SecretEngineDatabase: logicalDatabase.Factory,
-	pluginconsts.SecretEngineOpenLDAP: logicalLDAP.Factory,
+	pluginconsts.SecretEngineAWS:          logicalAws.Factory,
+	pluginconsts.SecretEngineAzure:        logicalAzure.Factory,
+	pluginconsts.SecretEngineGCP:          logicalGcp.Factory,
+	pluginconsts.SecretEngineKV:           logicalKv.Factory,
+	pluginconsts.SecretEngineLDAP:         logicalLDAP.Factory,
+	pluginconsts.SecretEngineDatabase:     logicalDatabase.Factory,
+	pluginconsts.SecretEngineOpenLDAP:     logicalLDAP.Factory,
+	pluginconsts.SecretEngineAlicloud:     logicalAlicloud.Factory,
+	pluginconsts.SecretEngineRabbitMQ:     logicalRabbitMQ.Factory,
+	pluginconsts.SecretEngineConsul:       logicalConsul.Factory,
+	pluginconsts.SecretEngineNomad:        logicalNomad.Factory,
+	pluginconsts.SecretEngineKubernetes:   logicalKubernetes.Factory,
+	pluginconsts.SecretEngineMongoDBAtlas: logicalMongoDBAtlas.Factory,
+	pluginconsts.SecretEngineTerraform:    logicalTerraform.Factory,
 }

 // TestStoreAndGetMaxRoleCounts verifies that we can store and retrieve the HWM role counts correctly
@ -105,6 +119,7 @@ func TestStoreAndGetMaxRoleCounts(t *testing.T) {
 			require.Equal(t, tc.roleCounts.AWSDynamicRoles, retrievedCounts.AWSDynamicRoles)
 			require.Equal(t, tc.roleCounts.AWSStaticRoles, retrievedCounts.AWSStaticRoles)
 			require.Equal(t, tc.roleCounts.AzureDynamicRoles, retrievedCounts.AzureDynamicRoles)
+			require.Equal(t, tc.roleCounts.AzureStaticRoles, retrievedCounts.AzureStaticRoles)
 			require.Equal(t, tc.roleCounts.GCPStaticAccounts, retrievedCounts.GCPStaticAccounts)
 			require.Equal(t, tc.roleCounts.GCPImpersonatedAccounts, retrievedCounts.GCPImpersonatedAccounts)
 			require.Equal(t, tc.roleCounts.OpenLDAPDynamicRoles, retrievedCounts.OpenLDAPDynamicRoles)
@ -114,6 +129,13 @@ func TestStoreAndGetMaxRoleCounts(t *testing.T) {
 			require.Equal(t, tc.roleCounts.DatabaseDynamicRoles, retrievedCounts.DatabaseDynamicRoles)
 			require.Equal(t, tc.roleCounts.DatabaseStaticRoles, retrievedCounts.DatabaseStaticRoles)
 			require.Equal(t, tc.roleCounts.GCPRolesets, retrievedCounts.GCPRolesets)
+			require.Equal(t, tc.roleCounts.AlicloudDynamicRoles, retrievedCounts.AlicloudDynamicRoles)
+			require.Equal(t, tc.roleCounts.RabbitMQDynamicRoles, retrievedCounts.RabbitMQDynamicRoles)
+			require.Equal(t, tc.roleCounts.ConsulDynamicRoles, retrievedCounts.ConsulDynamicRoles)
+			require.Equal(t, tc.roleCounts.NomadDynamicRoles, retrievedCounts.NomadDynamicRoles)
+			require.Equal(t, tc.roleCounts.KubernetesDynamicRoles, retrievedCounts.KubernetesDynamicRoles)
+			require.Equal(t, tc.roleCounts.MongoDBAtlasDynamicRoles, retrievedCounts.MongoDBAtlasDynamicRoles)
+			require.Equal(t, tc.roleCounts.TerraformCloudDynamicRoles, retrievedCounts.TerraformCloudDynamicRoles)
 		})
 	}
 }
@ -156,6 +178,11 @@ func TestHWMRoleCounts(t *testing.T) {
 			key:          "roles/",
 			numberOfKeys: 5,
 		},
+		"Azure Static Roles": {
+			mount:        pluginconsts.SecretEngineAzure,
+			key:          "static-roles/",
+			numberOfKeys: 5,
+		},
 		"Database Dynamic Roles": {
 			mount:        pluginconsts.SecretEngineDatabase,
 			key:          "role/",
@ -201,6 +228,41 @@ func TestHWMRoleCounts(t *testing.T) {
 			key:          "static-role/",
 			numberOfKeys: 5,
 		},
+		"Alicloud Dynamic Roles": {
+			mount:        pluginconsts.SecretEngineAlicloud,
+			key:          "role/",
+			numberOfKeys: 5,
+		},
+		"RabbitMQ Dynamic Roles": {
+			mount:        pluginconsts.SecretEngineRabbitMQ,
+			key:          "role/",
+			numberOfKeys: 5,
+		},
+		"Consul Dynamic Roles": {
+			mount:        pluginconsts.SecretEngineConsul,
+			key:          "policy/",
+			numberOfKeys: 5,
+		},
+		"Nomad Dynamic Roles": {
+			mount:        pluginconsts.SecretEngineNomad,
+			key:          "role/",
+			numberOfKeys: 5,
+		},
+		"Kubernetes Dynamic Roles": {
+			mount:        pluginconsts.SecretEngineKubernetes,
+			key:          "roles/",
+			numberOfKeys: 5,
+		},
+		"MongoDB Atlas Dynamic Roles": {
+			mount:        pluginconsts.SecretEngineMongoDBAtlas,
+			key:          "roles/",
+			numberOfKeys: 5,
+		},
+		"Terraform Cloud Dynamic Roles": {
+			mount:        pluginconsts.SecretEngineTerraform,
+			key:          "role/",
+			numberOfKeys: 5,
+		},
 	}

 	// Sleep to prevent race conditions during the role initialization
@ -213,56 +275,17 @@ func TestHWMRoleCounts(t *testing.T) {
 	}

 	firstCounts := core.GetRoleCounts()
-	require.Equal(t, &RoleCounts{
-		AWSDynamicRoles:         5,
-		AWSStaticRoles:          5,
-		AzureDynamicRoles:       5,
-		DatabaseDynamicRoles:    5,
-		DatabaseStaticRoles:     5,
-		GCPImpersonatedAccounts: 5,
-		GCPRolesets:             5,
-		GCPStaticAccounts:       5,
-		LDAPDynamicRoles:        5,
-		LDAPStaticRoles:         5,
-		OpenLDAPDynamicRoles:    5,
-		OpenLDAPStaticRoles:     5,
-	}, firstCounts)
+	verifyExpectedRoleCounts(t, firstCounts, 5)

 	counts, err := core.UpdateMaxRoleCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
 	require.NoError(t, err)

-	require.Equal(t, &RoleCounts{
-		AWSDynamicRoles:         5,
-		AWSStaticRoles:          5,
-		AzureDynamicRoles:       5,
-		DatabaseDynamicRoles:    5,
-		DatabaseStaticRoles:     5,
-		GCPImpersonatedAccounts: 5,
-		GCPRolesets:             5,
-		GCPStaticAccounts:       5,
-		LDAPDynamicRoles:        5,
-		LDAPStaticRoles:         5,
-		OpenLDAPDynamicRoles:    5,
-		OpenLDAPStaticRoles:     5,
-	}, counts)
+	verifyExpectedRoleCounts(t, counts, 5)

 	counts, err = core.GetStoredHWMRoleCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
 	require.NoError(t, err)
 	// Verify that the max role counts are as expected
-	require.Equal(t, &RoleCounts{
-		AWSDynamicRoles:         5,
-		AWSStaticRoles:          5,
-		AzureDynamicRoles:       5,
-		DatabaseDynamicRoles:    5,
-		DatabaseStaticRoles:     5,
-		GCPImpersonatedAccounts: 5,
-		GCPRolesets:             5,
-		GCPStaticAccounts:       5,
-		LDAPDynamicRoles:        5,
-		LDAPStaticRoles:         5,
-		OpenLDAPDynamicRoles:    5,
-		OpenLDAPStaticRoles:     5,
-	}, counts)
+	verifyExpectedRoleCounts(t, counts, 5)

 	// Reduce the number of roles. The max counts should remain the same
 	for _, tc := range testCases {
@ -273,38 +296,12 @@ func TestHWMRoleCounts(t *testing.T) {
 	counts, err = core.UpdateMaxRoleCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
 	require.NoError(t, err)

-	require.Equal(t, &RoleCounts{
-		AWSDynamicRoles:         5,
-		AWSStaticRoles:          5,
-		AzureDynamicRoles:       5,
-		DatabaseDynamicRoles:    5,
-		DatabaseStaticRoles:     5,
-		GCPImpersonatedAccounts: 5,
-		GCPRolesets:             5,
-		GCPStaticAccounts:       5,
-		LDAPDynamicRoles:        5,
-		LDAPStaticRoles:         5,
-		OpenLDAPDynamicRoles:    5,
-		OpenLDAPStaticRoles:     5,
-	}, counts)
+	verifyExpectedRoleCounts(t, counts, 5)

 	counts, err = core.GetStoredHWMRoleCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
 	require.NoError(t, err)

-	require.Equal(t, &RoleCounts{
-		AWSDynamicRoles:         5,
-		AWSStaticRoles:          5,
-		AzureDynamicRoles:       5,
-		DatabaseDynamicRoles:    5,
-		DatabaseStaticRoles:     5,
-		GCPImpersonatedAccounts: 5,
-		GCPRolesets:             5,
-		GCPStaticAccounts:       5,
-		LDAPDynamicRoles:        5,
-		LDAPStaticRoles:         5,
-		OpenLDAPDynamicRoles:    5,
-		OpenLDAPStaticRoles:     5,
-	}, counts)
+	verifyExpectedRoleCounts(t, counts, 5)

 	// Increase the number of roles. The max counts should update
 	for _, tc := range testCases {
@ -315,38 +312,12 @@ func TestHWMRoleCounts(t *testing.T) {
 	counts, err = core.UpdateMaxRoleCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
 	require.NoError(t, err)

-	require.Equal(t, &RoleCounts{
-		AWSDynamicRoles:         8,
-		AWSStaticRoles:          8,
-		AzureDynamicRoles:       8,
-		DatabaseDynamicRoles:    8,
-		DatabaseStaticRoles:     8,
-		GCPImpersonatedAccounts: 8,
-		GCPRolesets:             8,
-		GCPStaticAccounts:       8,
-		LDAPDynamicRoles:        8,
-		LDAPStaticRoles:         8,
-		OpenLDAPDynamicRoles:    8,
-		OpenLDAPStaticRoles:     8,
-	}, counts)
+	verifyExpectedRoleCounts(t, counts, 8)

 	counts, err = core.GetStoredHWMRoleCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
 	require.NoError(t, err)

-	require.Equal(t, &RoleCounts{
-		AWSDynamicRoles:         8,
-		AWSStaticRoles:          8,
-		AzureDynamicRoles:       8,
-		DatabaseDynamicRoles:    8,
-		DatabaseStaticRoles:     8,
-		GCPImpersonatedAccounts: 8,
-		GCPRolesets:             8,
-		GCPStaticAccounts:       8,
-		LDAPDynamicRoles:        8,
-		LDAPStaticRoles:         8,
-		OpenLDAPDynamicRoles:    8,
-		OpenLDAPStaticRoles:     8,
-	}, counts)
+	verifyExpectedRoleCounts(t, counts, 8)

 	// Decrease the number of roles back to 5. The max counts should remain at 8
 	for _, tc := range testCases {
@ -357,37 +328,11 @@ func TestHWMRoleCounts(t *testing.T) {
 	counts, err = core.UpdateMaxRoleCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
 	require.NoError(t, err)

-	require.Equal(t, &RoleCounts{
-		AWSDynamicRoles:         8,
-		AWSStaticRoles:          8,
-		AzureDynamicRoles:       8,
-		DatabaseDynamicRoles:    8,
-		DatabaseStaticRoles:     8,
-		GCPImpersonatedAccounts: 8,
-		GCPRolesets:             8,
-		GCPStaticAccounts:       8,
-		LDAPDynamicRoles:        8,
-		LDAPStaticRoles:         8,
-		OpenLDAPDynamicRoles:    8,
-		OpenLDAPStaticRoles:     8,
-	}, counts)
+	verifyExpectedRoleCounts(t, counts, 8)

 	counts, err = core.GetStoredHWMRoleCounts(context.Background(), billing.ReplicatedPrefix, time.Now())
 	require.NoError(t, err)
-	require.Equal(t, &RoleCounts{
-		AWSDynamicRoles:         8,
-		AWSStaticRoles:          8,
-		AzureDynamicRoles:       8,
-		DatabaseDynamicRoles:    8,
-		DatabaseStaticRoles:     8,
-		GCPImpersonatedAccounts: 8,
-		GCPRolesets:             8,
-		GCPStaticAccounts:       8,
-		LDAPDynamicRoles:        8,
-		LDAPStaticRoles:         8,
-		OpenLDAPDynamicRoles:    8,
-		OpenLDAPStaticRoles:     8,
-	}, counts)
+	verifyExpectedRoleCounts(t, counts, 8)
 }

 // TestHWMKvSecretsCounts tests that we correctly store and track the HWM kv counts
--- a/vault/core_metrics.go
+++ b/vault/core_metrics.go
@ -766,18 +766,26 @@ func (c *Core) configuredPoliciesGaugeCollector(ctx context.Context) ([]metricsu
 }

 type RoleCounts struct {
-	AWSDynamicRoles         int `json:"aws_dynamic_roles"`
-	AWSStaticRoles          int `json:"aws_static_roles"`
-	AzureDynamicRoles       int `json:"azure_dynamic_roles"`
-	DatabaseDynamicRoles    int `json:"database_dynamic_roles"`
-	DatabaseStaticRoles     int `json:"database_static_roles"`
-	GCPRolesets             int `json:"gcp_rolesets"`
-	GCPStaticAccounts       int `json:"gcp_static_accounts"`
-	GCPImpersonatedAccounts int `json:"gcp_impersonated_accounts"`
-	LDAPDynamicRoles        int `json:"ldap_dynamic_roles"`
-	LDAPStaticRoles         int `json:"ldap_static_roles"`
-	OpenLDAPDynamicRoles    int `json:"openldap_dynamic_roles"`
-	OpenLDAPStaticRoles     int `json:"openldap_static_roles"`
+	AWSDynamicRoles            int `json:"aws_dynamic_roles"`
+	AWSStaticRoles             int `json:"aws_static_roles"`
+	AzureDynamicRoles          int `json:"azure_dynamic_roles"`
+	AzureStaticRoles           int `json:"azure_static_roles"`
+	DatabaseDynamicRoles       int `json:"database_dynamic_roles"`
+	DatabaseStaticRoles        int `json:"database_static_roles"`
+	GCPRolesets                int `json:"gcp_rolesets"`
+	GCPStaticAccounts          int `json:"gcp_static_accounts"`
+	GCPImpersonatedAccounts    int `json:"gcp_impersonated_accounts"`
+	LDAPDynamicRoles           int `json:"ldap_dynamic_roles"`
+	LDAPStaticRoles            int `json:"ldap_static_roles"`
+	OpenLDAPDynamicRoles       int `json:"openldap_dynamic_roles"`
+	OpenLDAPStaticRoles        int `json:"openldap_static_roles"`
+	AlicloudDynamicRoles       int `json:"alicloud_dynamic_roles"`
+	RabbitMQDynamicRoles       int `json:"rabbitmq_dynamic_roles"`
+	ConsulDynamicRoles         int `json:"consul_dynamic_roles"`
+	NomadDynamicRoles          int `json:"nomad_dynamic_roles"`
+	KubernetesDynamicRoles     int `json:"kubernetes_dynamic_roles"`
+	MongoDBAtlasDynamicRoles   int `json:"mongodb_atlas_dynamic_roles"`
+	TerraformCloudDynamicRoles int `json:"terraformcloud_dynamic_roles"`
 }

 func (c *Core) getRoleCountsInternal(includeLocal bool, includeReplicated bool) *RoleCounts {
@ -831,6 +839,8 @@ func (c *Core) getRoleCountsInternal(includeLocal bool, includeReplicated bool)
 		case pluginconsts.SecretEngineAzure:
 			dynamicRoles := apiList(entry, "roles")
 			roles.AzureDynamicRoles += len(dynamicRoles)
+			staticRoles := apiList(entry, "static-roles")
+			roles.AzureStaticRoles += len(staticRoles)

 		case pluginconsts.SecretEngineDatabase:
 			dynamicRoles := apiList(entry, "roles")
@ -857,6 +867,34 @@ func (c *Core) getRoleCountsInternal(includeLocal bool, includeReplicated bool)
 			roles.OpenLDAPDynamicRoles += len(dynamicRoles)
 			staticRoles := apiList(entry, "static-role")
 			roles.OpenLDAPStaticRoles += len(staticRoles)
+
+		case pluginconsts.SecretEngineAlicloud:
+			dynamicRoles := apiList(entry, "role")
+			roles.AlicloudDynamicRoles += len(dynamicRoles)
+
+		case pluginconsts.SecretEngineRabbitMQ:
+			dynamicRoles := apiList(entry, "roles")
+			roles.RabbitMQDynamicRoles += len(dynamicRoles)
+
+		case pluginconsts.SecretEngineConsul:
+			dynamicRoles := apiList(entry, "roles")
+			roles.ConsulDynamicRoles += len(dynamicRoles)
+
+		case pluginconsts.SecretEngineNomad:
+			dynamicRoles := apiList(entry, "role")
+			roles.NomadDynamicRoles += len(dynamicRoles)
+
+		case pluginconsts.SecretEngineKubernetes:
+			dynamicRoles := apiList(entry, "roles")
+			roles.KubernetesDynamicRoles += len(dynamicRoles)
+
+		case pluginconsts.SecretEngineMongoDBAtlas:
+			dynamicRoles := apiList(entry, "roles")
+			roles.MongoDBAtlasDynamicRoles += len(dynamicRoles)
+
+		case pluginconsts.SecretEngineTerraform:
+			dynamicRoles := apiList(entry, "role")
+			roles.TerraformCloudDynamicRoles += len(dynamicRoles)
 		}
 	}