Support configuring plugins in Vault's plugin catalog #214

Closed
JayH5 opened this issue Oct 19, 2018 · 3 comments · Fixed by #2159

Comments


JayH5 commented Oct 19, 2018

Terraform Version

Terraform v0.11.8
+ provider.vault v1.1.4

Affected Resource(s)

A suitable resource does not exist yet.

Terraform Configuration Files

N/A

Debug Output

N/A

Panic Output

N/A

Expected Behavior

There should be a resource type to add plugins to Vault's plugin catalog. This process is described in this blog post: https://www.hashicorp.com/blog/building-a-vault-secure-plugin

The main thing I am asking for here is native support for writing to the plugin catalog, like:
vault write sys/plugins/catalog/my-plugin command=my-plugin sha256=fc1c3225364b5cdb570c0b1e7be8ebf2725bdabf472c86e4095b4880083606a3

Such a resource could be called something like vault_plugin or vault_catalog_plugin.

It is possible to approximate this with the vault_generic_secret resource.

Actual Behavior

There is no such resource type.

Steps to Reproduce

N/A

References


cpick commented Dec 7, 2019

It's ugly, but you can work around this by using:

resource "vault_generic_secret" "plugin_registration" {
  path         = "sys/plugins/catalog/my-plugin-name"
  disable_read = true

  data_json = <<-EOF
    {
      "sha_256": "...",
      "command": "my-plugin-command"
    }
  EOF
}


mbrancato commented Mar 11, 2020

Similarly, we use this:

resource "vault_generic_endpoint" "plugin_name" {
  disable_read         = false
  disable_delete       = true
  path                 = "sys/plugins/catalog/secret/pluginname"
  ignore_absent_fields = true

  data_json = jsonencode({
    sha_256 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaa..."
    command = "pluginname_v1"
  })
}


TJM commented Apr 19, 2023

With the new versioned plugins, a simple vault_generic_endpoint is not going to cut it. I have a workaround using "curl" commands in the scottwinker_shell provider, but I feel like it is time to add this properly.

REF: https://gist.github.com/TJM/c5600ee1902762e8bba7915b74084ad8

USE AT YOUR OWN RISK!
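
The `sha256` value in the catalog write from the issue is the integrity pin Vault checks the plugin binary against, so it helps to verify it before registering. The following is an added example, not code from this thread or from the provider: a shell helper that hashes the binary, stops if it differs from a pinned digest, and prints the `sha256`/`command` body. The function names and the binary path passed in are assumptions.

```shell
#!/bin/sh
# Added example; not code from the issue or the Vault provider.
# Function names are hypothetical. Only the sha256/command keys come from the page.

# Print the lowercase hex SHA-256 of a file with whichever tool is installed.
plugin_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# catalog_payload <plugin-binary> <pinned-sha256>
# Prints the JSON body for a plugin catalog write only when the binary on disk
# hashes to the pinned digest. Returns 1 on mismatch, 2 on bad input.
catalog_payload() {
  cp_bin=$1
  cp_pin=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  cp_cmd=$(basename "$cp_bin")

  [ -f "$cp_bin" ] || { echo "no such plugin binary: $cp_bin" >&2; return 2; }
  case $cp_pin in
    ''|*[!0-9a-f]*) echo "pinned digest is not hex" >&2; return 2 ;;
  esac
  [ "${#cp_pin}" -eq 64 ] || { echo "pinned digest is not 64 hex chars" >&2; return 2; }
  # The command name is placed in the JSON unescaped, so restrict its characters.
  case $cp_cmd in
    *[!A-Za-z0-9._-]*) echo "unexpected characters in command name" >&2; return 2 ;;
  esac

  cp_actual=$(plugin_sha256 "$cp_bin") || return 2
  if [ "$cp_actual" != "$cp_pin" ]; then
    echo "digest mismatch for $cp_cmd: binary is $cp_actual" >&2
    return 1
  fi
  printf '{"sha256":"%s","command":"%s"}\n' "$cp_actual" "$cp_cmd"
}

# Stand-alone use: ./script <plugin-binary> <pinned-sha256>
if [ "$#" -eq 2 ]; then
  catalog_payload "$1" "$2"
fi
```

Take the pinned digest from the release's published checksums or a reviewed variable rather than computing it on the host the binary was copied to.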
