database_secret_backend_connection resource missing plugin_name field. #1288

Closed
chperie opened this issue Jan 7, 2022 · 10 comments · Fixed by #1320
@chperie

chperie commented Jan 7, 2022

Hello,

I need to create the Oracle database engine in Vault as mentioned in https://www.vaultproject.io/api/secret/databases/oracle
I plan to use Terraform, and so: resource "vault_database_secret_backend_connection"

but I cannot use:
=> plugin_name as a configuration parameter (and it's mandatory for Oracle) as it's not defined in the documentation https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/database_secret_backend_connection

=> And under oracle arguments I also need to define username/password in order for Vault to define resources in the Oracle database, but it's the same, the arguments don't exist

Do I have to use => resource "vault_generic_endpoint"?
Or did I miss something?
Thanks for your help

@DrFaust92
Contributor

The Oracle DB connection type is not (yet) supported in the provider, so this should be labeled as enhancement/feature-parity.

@benashz
Contributor

benashz commented Jan 13, 2022

@chperie we are going to take a closer look at this issue. Setting up the Oracle db engine is supported per: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/database_secret_backend_connection#oracle-configuration-options, but I see that we may be missing some of its fields.

@DrFaust92
Contributor

Oops, sorry for misleading.

@benashz
Contributor

benashz commented Jan 13, 2022

> the oracle DB connection type is not (yet) supported in the provider. so this should be labeled as enhancement/feature-parity.

@DrFaust92 would you mind expanding on the above statement, please? We should have Oracle support per: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/database_secret_backend_connection#oracle-configuration-options

@chperie
Author

chperie commented Jan 13, 2022

I found out how to deal with it, I think:

```hcl
resource "vault_mount" "db" {
  path = "oracle"
  type = "database"
}

resource "vault_generic_endpoint" "register" {
  path           = "sys/plugins/catalog/database/vault-plugin-database-oracle_12_1"
  disable_read   = true
  disable_delete = true
  data_json      = <<EOT
{
  "type":1,
  "command":"vault-plugin-database-oracle_12_1",
  "sha256":"27a587ae27b7cf21d7b0830105xxxxxxxxxxxxxxxxxxxxxxxxa"
}
EOT
}

resource "vault_database_secret_backend_connection" "oracle_dbform12" {
  backend       = vault_mount.db.path
  name          = "oracle_dbform12"
  allowed_roles = ["role_dbform12"]

  oracle {
    connection_url = "{{username}}:{{password}}@qxxxxxxx3:1522/DBFORM12"
  }

  data = {
    username    = "vxxxxx"
    password    = "vaxxxxxxxx"
    plugin_name = "vault-plugin-database-oracle_12_1"
  }
}

resource "vault_database_secret_backend_role" "role_dbform12" {
  backend             = vault_mount.db.path
  name                = "role_dbform12"
  db_name             = vault_database_secret_backend_connection.oracle_dbform12.name
  creation_statements = ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"]
}
```
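Added example, not part of the thread or of the provider's code: the `sha256` in the catalog registration above pins the plugin binary, and Vault checks the binary against that value before running the plugin. This sketch computes the digest and builds a payload with the same keys as the `data_json` in the comment above, and rejects a pinned value that is not a full 64-character hex digest. The function names and the temporary sample file are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import os
import re
import tempfile

HEX64 = re.compile(r"[0-9a-f]{64}")

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large plugin binary is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def matches_pinned(path, pinned):
    """True only if `pinned` is a full 64-hex-char digest equal to the file's hash."""
    pinned = pinned.strip().lower()
    if not HEX64.fullmatch(pinned):
        return False  # truncated, redacted or placeholder value
    return hmac.compare_digest(sha256_file(path), pinned)

def catalog_payload(path, plugin_type=1):
    """Build a JSON body with the same keys as the data_json in the comment above."""
    return json.dumps({
        "type": plugin_type,                # value copied from the comment above
        "command": os.path.basename(path),  # file name inside Vault's plugin directory
        "sha256": sha256_file(path),
    }, indent=2)

def demo():
    # Constructed stand-in for the plugin binary; the real file lives on the Vault server.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vault-plugin-database-oracle_12_1")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample bytes, not a real plugin")
        body = catalog_payload(path)
        ok = matches_pinned(path, json.loads(body)["sha256"])
        # Constructed, redacted-looking digest: right length, not valid hex.
        bad = matches_pinned(path, "0123abcd" + "x" * 56)
        return body, ok, bad

if __name__ == "__main__":
    body, ok, bad = demo()
    print(body)
    print("pinned digest matches:", ok, "| placeholder accepted:", bad)
```

Run it on the host that holds the plugin binary, and compare the result with the checksum published for that plugin release before registering it.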

@benashz
Contributor

benashz commented Jan 13, 2022

@chperie the use of data in your example above should not be needed. Are you encountering an error without it?

@chperie
Author

chperie commented Jan 13, 2022

yes...

@benashz
Contributor

benashz commented Jan 13, 2022

Would you mind providing the exact error message?

@chperie
Author

chperie commented Jan 13, 2022

this kind of error:

```
24: plugin_name = "oracle-database-plugin_10_2"

An argument named "plugin_name" is not expected here.
```

@benashz
Contributor

benashz commented Jan 13, 2022

We will take a closer look to see what the issue might be.

benashz self-assigned this Jan 18, 2022
benashz changed the title from "documentation question" to "database_secret_backend_connection resource missing plugin_name field." Jan 18, 2022
benashz added this to the 3.3.0 milestone Jan 26, 2022