hashicorp · hashiblaum · Aug 1, 2023 · Aug 7, 2023 · Aug 7, 2023 · Aug 7, 2023
@@ -0,0 +1,3 @@
+```release-note:improvement
+Add `vault_plugin` resource as optional subresource for `hcp_vault_cluster`
+```
@@ -31,6 +31,7 @@ data "hcp_vault_cluster" "example" {
 If not specified, the project specified in the HCP Provider config block will be used, if configured.
 If a project is not configured in the HCP Provider config block, the oldest project in the organization will be used.
 - `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
+- `vault_plugin` (Block List) The external plugins to install on the vault cluster (see [below for nested schema](#nestedblock--vault_plugin))
 
 ### Read-Only
 
@@ -63,6 +64,15 @@ Optional:
 - `default` (String)
 
 
+<a id="nestedblock--vault_plugin"></a>
+### Nested Schema for `vault_plugin`
+
+Required:
+
+- `plugin_name` (String) The name of the plugin
+- `plugin_type` (String) The type of the plugin
+
+
 <a id="nestedblock--audit_log_config"></a>
 ### Nested Schema for `audit_log_config`
 

@@ -61,6 +61,7 @@ If a project is not configured in the HCP Provider config block, the oldest proj
 - `public_endpoint` (Boolean) Denotes that the cluster has a public endpoint. Defaults to false.
 - `tier` (String) Tier of the HCP Vault cluster. Valid options for tiers - `dev`, `starter_small`, `standard_small`, `standard_medium`, `standard_large`, `plus_small`, `plus_medium`, `plus_large`. See [pricing information](https://www.hashicorp.com/products/vault/pricing). Changing a cluster's size or tier is only available to admins. See [Scale a cluster](https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/guides/vault-scaling).
 - `timeouts` (Block, Optional) (see [below for nested schema](#nestedblock--timeouts))
+- `vault_plugin` (Block List) The external plugins to install on the vault cluster (see [below for nested schema](#nestedblock--vault_plugin))
 
 ### Read-Only
 
@@ -127,6 +128,15 @@ Optional:
 - `delete` (String)
 - `update` (String)
 
+
+<a id="nestedblock--vault_plugin"></a>
+### Nested Schema for `vault_plugin`
+
+Required:
+
+- `plugin_name` (String) The name of the plugin - Valid options for plugin name - 'venafi-pki-backend'
+- `plugin_type` (String) The type of the plugin - Valid options for plugin type - 'SECRET', 'AUTH', 'DATABASE'
+
 -> **Note:** When establishing performance replication links between clusters in different HVNs, an HVN peering connection is required. This can be defined explicitly using an [`hcp_hvn_peering_connection`](hvn_peering_connection.md), or HCP will create the connection automatically (peering connections can be imported after creation using [terraform import](https://www.terraform.io/cli/import)). Note HVN peering [CIDR block requirements](https://cloud.hashicorp.com/docs/hcp/network/routes#cidr-block-requirements).
 
 ## Import

@@ -273,3 +273,92 @@ func DeleteVaultPathsFilter(ctx context.Context, client *Client, loc *sharedmode
 
 	return deleteResp.Payload, nil
 }
+
+// AddPlugin will make a call to the Vault service to add a plugin to a Vault cluster
+func AddPlugin(ctx context.Context, client *Client, loc *sharedmodels.HashicorpCloudLocationLocation, clusterID string,
+	request *vaultmodels.HashicorpCloudVault20201125AddPluginRequest) (vaultmodels.HashicorpCloudVault20201125AddPluginResponse, error) {
+
+	region := &sharedmodels.HashicorpCloudLocationRegion{}
+	if loc.Region != nil {
+		region = loc.Region
+	}
+	locInternal := &vaultmodels.HashicorpCloudInternalLocationLocation{
+		OrganizationID: loc.OrganizationID,
+		ProjectID:      loc.ProjectID,
+		Region: &vaultmodels.HashicorpCloudInternalLocationRegion{
+			Provider: region.Provider,
+			Region:   region.Region,
+		},
+	}
+	request.Location = locInternal
+	request.ClusterID = clusterID
+	addPluginParams := vault_service.NewAddPluginParams()
+	addPluginParams.Context = ctx
+	addPluginParams.ClusterID = clusterID
+	addPluginParams.LocationProjectID = loc.ProjectID
+	addPluginParams.LocationOrganizationID = loc.OrganizationID
+	addPluginParams.Body = request
+
+	addPluginResp, err := client.Vault.AddPlugin(addPluginParams, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return addPluginResp.Payload, nil
+}
+
+// DeletePlugin will make a call to the Vault service to remove a plugin to a Vault cluster
+func DeletePlugin(ctx context.Context, client *Client, loc *sharedmodels.HashicorpCloudLocationLocation, clusterID string,
+	request *vaultmodels.HashicorpCloudVault20201125DeletePluginRequest) (vaultmodels.HashicorpCloudVault20201125DeletePluginResponse, error) {
+
+	region := &sharedmodels.HashicorpCloudLocationRegion{}
+	if loc.Region != nil {
+		region = loc.Region
+	}
+	locInternal := &vaultmodels.HashicorpCloudInternalLocationLocation{
+		OrganizationID: loc.OrganizationID,
+		ProjectID:      loc.ProjectID,
+		Region: &vaultmodels.HashicorpCloudInternalLocationRegion{
+			Provider: region.Provider,
+			Region:   region.Region,
+		},
+	}
+	request.Location = locInternal
+	request.ClusterID = clusterID
+	delPluginParams := vault_service.NewDeletePluginParams()
+	delPluginParams.Context = ctx
+	delPluginParams.ClusterID = clusterID
+	delPluginParams.LocationProjectID = loc.ProjectID
+	delPluginParams.LocationOrganizationID = loc.OrganizationID
+	delPluginParams.Body = request
+
+	delPluginResp, err := client.Vault.DeletePlugin(delPluginParams, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return delPluginResp.Payload, nil
+}
+
+// ListPlugins will make a call to the Vault service plugin status api to get names of valid plugins
+func ListPlugins(ctx context.Context, client *Client, loc *sharedmodels.HashicorpCloudLocationLocation, clusterID string) (*vaultmodels.HashicorpCloudVault20201125PluginRegistrationStatusResponse, error) {
+	region := &sharedmodels.HashicorpCloudLocationRegion{}
+	if loc.Region != nil {
+		region = loc.Region
+	}
+
+	listPluginsParams := vault_service.NewPluginRegistrationStatusParams()
+	listPluginsParams.Context = ctx
+	listPluginsParams.ClusterID = clusterID
+	listPluginsParams.LocationProjectID = loc.ProjectID
+	listPluginsParams.LocationOrganizationID = loc.OrganizationID
+	listPluginsParams.LocationRegionProvider = &region.Provider
+	listPluginsParams.LocationRegionRegion = &region.Region
+
+	listPluginsResp, err := client.Vault.PluginRegistrationStatus(listPluginsParams, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return listPluginsResp.Payload, nil
+}
@@ -208,6 +208,26 @@ If a project is not configured in the HCP Provider config block, the oldest proj
 					},
 				},
 			},
+			"vault_plugin": {
+				Description: "The external plugins to install on the vault cluster",
+				Type:        schema.TypeList,
+				Optional:    true,
+				Computed:    true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"plugin_name": {
+							Description: "The name of the plugin",
+							Type:        schema.TypeString,
+							Required:    true,
+						},
+						"plugin_type": {
+							Description: "The type of the plugin",
+							Type:        schema.TypeString,
+							Required:    true,
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -242,8 +262,14 @@ func dataSourceVaultClusterRead(ctx context.Context, d *schema.ResourceData, met
 
 	d.SetId(url)
 
+	plugins, err := clients.ListPlugins(ctx, client, loc, clusterID)
+	if err != nil {
+		log.Printf("[ERROR] Vault cluster (%s) failed to list plugins", clusterID)
+		return diag.FromErr(err)
+	}
+
 	// Cluster found, update resource data.
-	if err := setVaultClusterResourceData(d, cluster); err != nil {
+	if err := setVaultClusterResourceData(d, cluster, plugins.Plugins); err != nil {
 		return diag.FromErr(err)
 	}