hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

Can't choose custom database plugin in vault_database_secret_backend_connection #1519

Open everythings-gonna-be-alright opened 2 years ago

everythings-gonna-be-alright commented 2 years ago

https://github.com/hashicorp/terraform-provider-vault/blob/24044c48b6aed5d76da9d8856aa348a13a727c9b/vault/resource_database_secret_backend_connection.go#L103

I'm trying to add my own clickhouse plugin but can't do it because of this architecture issue.

Error: │ Error: unsupported database plugin name "clickhouse-database-plugin", must begin with one of: elasticsearch, mysql-legacy, mongodbatlas, mysql-aurora, postgresql, mysql-rds, couchbase, cassandra, snowflake, influxdb, redshift, mongodb, oracle, mssql, mysql, hana

Example without terraform:

vault write database/config/clickhouse \
                      plugin_name=clickhouse-database-plugin \
                      allowed_roles="my-role" \
                      connection_url='.....'

benashz commented 2 years ago

Hi @everythings-gonna-be-alright, unfortunately the provider does not currently support configuring custom plugins. We may add support in the future but we would not be able to provide an estimate on when that would be.

everythings-gonna-be-alright commented 2 years ago

@benashz Thanks for your answer. It can be useful for some cases in my view. For now databases with custom plugins can be created through vault_generic_endpoint resource. Something like this:

resource "vault_generic_endpoint" "db_clickhouse" {
  path                 = "${vault_mount.clickhouse.path}/config/db_clickhouse"
  ignore_absent_fields = true

  data_json = <<EOT
{
  "plugin_name": "clickhouse-database-plugin",
  "allowed_roles": "db_clickhouse_read",
  "connection_url": "clickhouse://{{username}}:{{password}}@127.0.0.1:9000/db",
  "username": "${var.vault_clickhouse_login}",
  "password": "${var.vault_clickhouse_pass}"
}
EOT
}

benashz commented 2 years ago

We could perhaps add a new db engine type custom to replace the workaround you have above.

manobi commented 10 months ago

@benashz the problem with the current implementation is that it is incompatible with the HCP Vault Oracle Plugin. On HCP it's registered as vault-plugin-database-oracle but terraform-provider-vault expects it to be called oracle-xxxxx.

It's an embarrassing situation because Oracle databases are supported officially by the provider and by HCP Vault.

fairclothjm commented 10 months ago

@manobi Hi, can you try setting plugin_name to be vault-plugin-database-oracle?

manobi commented 10 months ago

@fairclothjm I've tried, but got the following error reproduced by HCP support engineers.

Error: unsupported database plugin name "vault-plugin-database-oracle", must begin with one of: redis-elasticache, elasticsearch, mysql-legacy, mongodbatlas, mysql-aurora, postgresql, couchbase, cassandra, snowflake, mysql-rds, influxdb, redshift, mongodb, oracle, mysql, mssql, redis, hana

The support team referenced this issue and the vault_generic_endpoint workaround, but I would like to share with the community that it's actually required to work with Oracle on HCP and save everyone a bit of debugging time.

If you have access to it, my case is present on Hashicorp Help Center #121682.

bo0ts commented 6 months ago

This is indeed embarrassing and for whatever reason it works when using vault_database_secrets_mount.
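The vault_generic_endpoint workaround from the thread, applied to the HCP Oracle plugin name quoted above, as an added example that is not code from the issue or from the provider. The mount path, role name, connection_url host and the Oracle creation statements are assumptions; the credentials are passed as sensitive variables so they do not appear in plan output.

```hcl
# Added example: custom plugin name via vault_generic_endpoint (assumed values marked).
variable "oracle_username" {
  type      = string
  sensitive = true # keeps the value out of plan/apply output
}

variable "oracle_password" {
  type      = string
  sensitive = true
}

resource "vault_mount" "oracle" {
  path = "oracle" # assumed mount path
  type = "database"
}

# Writes database/config/<name> directly, bypassing the provider's plugin_name prefix check.
resource "vault_generic_endpoint" "oracle_config" {
  path                 = "${vault_mount.oracle.path}/config/oracle"
  ignore_absent_fields = true # Vault does not return the password on read

  data_json = jsonencode({
    plugin_name    = "vault-plugin-database-oracle"
    allowed_roles  = ["oracle-readonly"]
    # {{username}}/{{password}} are Vault templates, not Terraform interpolation.
    connection_url = "{{username}}/{{password}}@//oracle.example.internal:1521/ORCLPDB1" # assumed host
    username       = var.oracle_username
    password       = var.oracle_password
  })
}

# The role resource itself is unaffected by the plugin-name check, so it can be
# managed normally; depends_on ensures the connection exists before the role is written.
resource "vault_database_secret_backend_role" "oracle_readonly" {
  backend = vault_mount.oracle.path
  name    = "oracle-readonly"
  db_name = "oracle" # matches the config/<name> written above

  creation_statements = [
    "CREATE USER {{username}} IDENTIFIED BY \"{{password}}\"",
    "GRANT CONNECT TO {{username}}",
  ]

  depends_on = [vault_generic_endpoint.oracle_config]
}
```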