// , Can I use the Terraform Provider for Vault to register a plugin? E.g. a new DB plugin?

Anybody here know whether I can use the Terraform Provider for Vault’s API to register a plugin?

Or do I have to use an exec resource / userdata if I want to do that?

// , I reached out in some internal channels I have access to, and got some advice. Since this just boils down to a POST request, it looks like I can use the “Generic Endpoint”, vault_generic_endpoint, resource in the Terraform Provider for Vault:

$ vault plugin register -output-curl-string -sha256=d3f0a8be02f6c074cf38c9c99d4d04c9c6466249 auth oracle-plugin
curl -X PUT -H "X-Vault-Request: true" -H "X-Vault-Token: $(vault print token)" -d '{"type":1,"command":"oracle-plugin","sha256":"d3f0a8be02f6c074cf38c9c99d4d04c9c6466249"}' https://vault.mycorp.com:8200/v1/sys/plugins/catalog/secret/oracle-database-plugin

API docs for the above: https://www.vaultproject.io/api-docs/system/plugins-catalog#register-plugin

If I used the vault_generic_endpoint resource, which is terraform-ese for a POST request, I could do the following:

resource "vault_generic_endpoint" "register" {
  path           = "sys/plugins/catalog/database/oracle-database-plugin"
  disable_read   = true
  disable_delete = true  
  data_json = <<EOT

For comparison, I can use the vault_generic_endpoint resource on a completely different feature of Vault that may need a plugin:

resource "vault_generic_endpoint" "pki_backend" {
  disable_read         = false
  disable_delete       = true
  path                 = "sys/plugins/catalog/secret/venafi-pki-backend"
  ignore_absent_fields = true
  data_json = jsonencode({
    sha_256 = ""
    command = "venafi-pki-backend"
1 Like