// , Can I use the Terraform Provider for Vault to register a plugin? E.g. a new DB plugin?

Anybody here know whether I can use the Terraform Provider for Vault’s API to register a plugin?

Or do I have to use an exec resource / userdata if I want to do that?

// , I reached out in some internal channels I have access to, and got some advice. Since this just boils down to a POST request, it looks like I can use the “Generic Endpoint” (vault_generic_endpoint) resource in the Terraform Provider for Vault:

$ vault plugin register -output-curl-string -sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 auth oracle-plugin
curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"type":1,"command":"oracle-plugin","sha256":"d3f0a8be02f6c074cf38c9c99d4d04c9c6466249"}' https://vault.mycorp.com:8200/v1/sys/plugins/catalog/secret/oracle-database-plugin

API docs for the above: https://www.vaultproject.io/api-docs/system/plugins-catalog#register-plugin

If I used the vault_generic_endpoint resource, which is terraform-ese for a POST request, I could do the following:

resource "vault_generic_endpoint" "register" {
  path           = "sys/plugins/catalog/database/oracle-database-plugin"
  disable_read   = true
  disable_delete = true
  data_json      = <<EOT
{
  "type":1,
  "command":"oracle-database-plugin",
  "sha256":"d3f0a8be02f6c074cf38c9c99d4d04c9c6466249"
}
EOT
}

For comparison, I can use the vault_generic_endpoint resource on a completely different feature of Vault that may need a plugin:

resource "vault_generic_endpoint" "pki_backend" {
  disable_read         = false
  disable_delete       = true
  path                 = "sys/plugins/catalog/secret/venafi-pki-backend"
  ignore_absent_fields = true
  data_json = jsonencode({
    # fill in the hex SHA-256 of the venafi-pki-backend binary placed in Vault's plugin_directory
    sha_256 = ""
    command = "venafi-pki-backend"
  })
}
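The registration described in the two posts above, as an added shell example that is not code from the thread, from HashiCorp or from Venafi. Rather than pasting a hash into the request, it computes the SHA-256 from the plugin binary that was actually deployed, restricts the catalog type and plugin name to what the endpoint accepts, builds the PUT body the linked API docs describe (command and sha256, with the type carried in the URL path), reads the catalog entry back so you can confirm Vault stored the checksum of the file on disk, and can emit the equivalent vault_generic_endpoint block with the checksum filled in. The function names, the use of the standard VAULT_ADDR/VAULT_TOKEN environment variables, the plugin paths in the usage comment and the catalog response used in the test are all assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from HashiCorp/Venafi.
# Registers a Vault plugin the way the curl string above does, but derives the
# sha256 from the binary actually deployed to plugin_directory and verifies
# what Vault stored afterwards. Assumes VAULT_ADDR and VAULT_TOKEN (the standard
# Vault CLI env vars) are set only when talking to a real server, and that
# sha256sum or shasum, curl and sed are on PATH.
set -eu

# Hex SHA-256 of a file; GNU coreutils and macOS spell the tool differently.
plugin_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Reject anything outside what the catalog accepts: the type must be one of
# auth/database/secret, and the name (reused as the command Vault will exec
# relative to plugin_directory) gets a strict character set so a caller cannot
# smuggle a path such as ../other-binary into the command field.
validate_plugin_args() {
  case "$1" in
    auth|database|secret) ;;
    *) echo "invalid plugin type: $1" >&2; return 1 ;;
  esac
  case "$2" in
    ""|*[!A-Za-z0-9_-]*) echo "invalid plugin name: $2" >&2; return 1 ;;
  esac
}

# Body for PUT /v1/sys/plugins/catalog/<type>/<name>. The type travels in the
# URL path (per the API docs linked above), so the body carries only the
# command and its checksum.
registration_json() {
  validate_plugin_args "$1" "$2" || return 1
  printf '{"command":"%s","sha256":"%s"}\n' "$2" "$(plugin_sha256 "$3")"
}

# Pull the stored sha256 out of a GET /v1/sys/plugins/catalog/<type>/<name>
# response, which nests it under "data".
catalog_entry_sha256() {
  printf '%s' "$1" | sed -n 's/.*"sha256": *"\([0-9a-f]\{64\}\)".*/\1/p'
}

# Register, then read the entry back and fail unless Vault holds the checksum
# of the file on disk. Needs a reachable Vault; not exercised offline.
register_and_verify() {
  url="${VAULT_ADDR}/v1/sys/plugins/catalog/$1/$2"
  body="$(registration_json "$1" "$2" "$3")"
  curl -sSf -X PUT -H "X-Vault-Request: true" \
    -H "X-Vault-Token: ${VAULT_TOKEN}" -d "$body" "$url" >/dev/null
  stored="$(catalog_entry_sha256 "$(curl -sSf -H "X-Vault-Token: ${VAULT_TOKEN}" "$url")")"
  [ "$stored" = "$(plugin_sha256 "$3")" ] || {
    echo "catalog sha256 ($stored) does not match $3" >&2; return 1; }
}

# Same registration as a vault_generic_endpoint block, with the checksum filled
# in from the binary so the Terraform code never carries a stale hash. Mirrors
# the read/ignore_absent_fields settings from the pki_backend example above.
terraform_block() {
  validate_plugin_args "$1" "$2" || return 1
  sha="$(plugin_sha256 "$3")"
  cat <<EOF
resource "vault_generic_endpoint" "plugin_$(printf '%s' "$2" | tr '-' '_')" {
  path                 = "sys/plugins/catalog/$1/$2"
  disable_read         = false
  disable_delete       = true
  ignore_absent_fields = true
  data_json = jsonencode({
    command = "$2"
    sha256  = "$sha"
  })
}
EOF
}

# Usage against a real Vault (paths are assumptions for the example):
#   register_and_verify database oracle-database-plugin /etc/vault/plugins/oracle-database-plugin
#   terraform_block database oracle-database-plugin /etc/vault/plugins/oracle-database-plugin > plugin.tf
```

The read-back matters because the catalog sha256 is what Vault checks against the binary before it will run the plugin, so a hash pasted from the wrong build fails only at mount time. If the binary is available on the machine running Terraform, the same idea works natively with Terraform's filesha256() function in the data_json instead of a literal string.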