We have been successfully using the vault_pki_secret_backend_cert resource to issue certificates using the vault-pki-backend-venafi for several years. However, we’ve recently tried to implement the /revoke operation in our Terraform modules only to discover that this vault engine expects /revoke/ whereas this vault provider performs a POST to /revoke and supplies the in the body of the POST.
This was raised with Venafi on GitHub here - Revoke from Terraform vault_pki_secret_backend_cert fails · Issue #170 · Venafi/vault-pki-backend-venafi
It seems they expect a specific Venafi resource to be created on the vault provider, vault_pki_venafi_secret_backend_cert, rather than comply with the existing /revoke convention, and have expressed surprise their engine works at all (despite the fact their plugin is named vault-pki-backend-venafi).
There is no precedent for the vault provider to support specific engines in such a way. Would HashiCorp’s opinion be that one should be created? Or that the vault engine should support the operations in a standard way? Is there documentation that can be shared that shows the expected interface?
Kind regards,
Joshua