Сan't choose custom database plugin in vault_database_secret_backend_connection

[everythings-gonna-be-alright]

https://github.com/hashicorp/terraform-provider-vault/blob/24044c48b6aed5d76da9d8856aa348a13a727c9b/vault/resource_database_secret_backend_connection.go#L103

I'm trying to add my own clickhouse plugin but can't do it because of this architecture issue.

Error: │ Error: unsupported database plugin name "clickhouse-database-plugin", must begin with one of: elasticsearch, mysql-legacy, mongodbatlas, mysql-aurora, postgresql, mysql-rds, couchbase, cassandra, snowflake, influxdb, redshift, mongodb, oracle, mssql, mysql, hana

Example without terraform:

vault write database/config/clickhouse \
                      plugin_name=clickhouse-database-plugin \
                      allowed_roles="my-role" \
                      connection_url='.....'

[benashz]

Hi @everythings-gonna-be-alright , unfortunately the provider does not currently support configuring custom plugins. We may add support in the future but we would not be able to provide an estimate on when that would be.

[everythings-gonna-be-alright]

@benashz Thanks for your answer. It can be useful for some cases in my view. For now databases with custom plugins can be created through vault_generic_endpoint resource. Something like this:

resource "vault_generic_endpoint" "db_clickhouse" {
  path                 = "${vault_mount.clickhouse.path}/config/db_clickhouse"
  ignore_absent_fields = true

  data_json = <<EOT
{
  "plugin_name": "clickhouse-database-plugin",
  "allowed_roles": "db_clickhouse_read",
  "connection_url": "clickhouse://{{username}}:{{password}}@127.0.0.1:9000/db",
  "username": "${var.vault_clickhouse_login}",
  "password": "${var.vault_clickhouse_pass}"
}
EOT
}

[benashz]

We could perhaps add a new db engine type custom to replace the workaround you have above.

[manobi]

@benashz the problem with current implementation is that is incompatible with HCP Vault Oracle Plugin. On HCP it's registered as vault-plugin-database-oracle but terraform-provider-vault expects it to be called oracle-xxxxx.

It's an embarrassing situation because Oracle database are supported officially by the provider and by HCP Vault.

[fairclothjm]

@manobi Hi, can you try setting plugin_name to be vault-plugin-database-oracle?

[manobi]

@fairclothjm I've tried, but got the following error reproduced by HCP support engineers.

Error: unsupported database plugin name "vault-plugin-database-oracle", must begin with one of: redis-elasticache, elasticsearch, mysql-legacy, mongodbatlas, mysql-aurora, postgresql, couchbase, cassandra, snowflake, mysql-rds, influxdb, redshift, mongodb, oracle, mysql, mssql, redis, hana

The support team referenced this issue and the vault_generic_endpoint workaround, but I would like to share with the community that it's actually required to work with Oracle on HCP and save everyone a bit of debugging time.

If you have access to it, my case is present on Hashicorp Help Center #121682.

[bo0ts]

This is indeed embarrassing and for whatever reason it works when using vault_database_secrets_mount.

[hirencp]

Is this issue fixed? I am using vault-plugin-database-oracle as the plugin_name in vault_database_secret_backend_connection but it default to oracle-database-plugin