
Oracle DB engine enablement on HCP Vault #2006

Merged (3 commits into main, Sep 19, 2023)

Conversation

codergs
Contributor

@codergs codergs commented Sep 8, 2023

Description

The PR introduces the concept of plugin aliases so that different plugin names on HCP Vault can also be supported. The immediate fix is going to allow our customers to use vault-plugin-database-oracle in place of oracle-plugin while enabling the engine via Vault TFP on a HCP Vault cluster.

Checklist

  • Added CHANGELOG entry (only for user-facing changes)
  • Acceptance tests were run against all supported Vault Versions

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" comments, they generate extra noise for pull request followers and do not help prioritize the request
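The alias mechanism the description refers to, shown as an added, self-contained example that is not the provider's own code: each engine carries a default plugin name plus any aliases, `PluginPrefixes()` returns all of them, and both the schema validator and the engine lookup accept a `plugin_name` that matches any of those prefixes. The `dbEngine` field layout, the `oracle-plugin` / `vault-plugin-database-oracle` pairing (names taken from the description), the postgresql entry and the longest-first sort order are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// dbEngine describes one database engine type the provider supports.
// The field layout is an assumption for this example, not the provider's own struct.
type dbEngine struct {
	name              string   // block name in vault_database_secrets_mount, e.g. "oracle"
	defaultPluginName string   // plugin name registered on self-managed Vault
	pluginAliases     []string // other names the same plugin is registered under, e.g. on HCP Vault
}

// PluginPrefixes returns every plugin-name prefix this engine accepts:
// the default name first, followed by its aliases.
func (e *dbEngine) PluginPrefixes() ([]string, error) {
	if e.defaultPluginName == "" {
		return nil, fmt.Errorf("engine %q has no default plugin name", e.name)
	}
	prefixes := []string{e.defaultPluginName}
	return append(prefixes, e.pluginAliases...), nil
}

// Constructed engine table. The oracle names come from the PR description;
// the postgresql entry only shows that unrelated engines do not match.
var dbEngines = []*dbEngine{
	{name: "oracle", defaultPluginName: "oracle-plugin",
		pluginAliases: []string{"vault-plugin-database-oracle"}},
	{name: "postgresql", defaultPluginName: "postgresql-database-plugin"},
}

// getSortedPluginPrefixes flattens every engine's prefixes (defaults and
// aliases alike) into one list, longest first, then lexically, so the
// validator's error message and any prefix-ordered logic are deterministic.
func getSortedPluginPrefixes() ([]string, error) {
	var pluginPrefixes []string
	for _, d := range dbEngines {
		prefixes, err := d.PluginPrefixes()
		if err != nil {
			return nil, err
		}
		// Append the whole slice: dropping aliases here would silently
		// reject valid HCP Vault plugin names at validation time.
		pluginPrefixes = append(pluginPrefixes, prefixes...)
	}
	sort.Slice(pluginPrefixes, func(i, j int) bool {
		if len(pluginPrefixes[i]) != len(pluginPrefixes[j]) {
			return len(pluginPrefixes[i]) > len(pluginPrefixes[j])
		}
		return pluginPrefixes[i] < pluginPrefixes[j]
	})
	return pluginPrefixes, nil
}

// getDBEngineFromPluginName resolves a configured plugin_name to the engine
// that owns it, via the default name or an alias. The longest matching prefix
// wins, and unknown names are rejected rather than mapped to a fallback engine.
func getDBEngineFromPluginName(pluginName string) (*dbEngine, error) {
	var best *dbEngine
	bestLen := 0
	for _, d := range dbEngines {
		prefixes, err := d.PluginPrefixes()
		if err != nil {
			return nil, err
		}
		for _, p := range prefixes {
			if strings.HasPrefix(pluginName, p) && len(p) > bestLen {
				best, bestLen = d, len(p)
			}
		}
	}
	if best == nil {
		return nil, fmt.Errorf("no supported database engine matches plugin name %q", pluginName)
	}
	return best, nil
}

// validateDBPluginName is the schema-level check: the value must start with
// one of the known prefixes, aliases included.
func validateDBPluginName(s string) error {
	prefixes, err := getSortedPluginPrefixes()
	if err != nil {
		return err
	}
	for _, p := range prefixes {
		if strings.HasPrefix(s, p) {
			return nil
		}
	}
	return fmt.Errorf("unsupported database plugin name %q; expected a prefix from %v", s, prefixes)
}

func main() {
	for _, name := range []string{"oracle-plugin", "vault-plugin-database-oracle", "mysql-database-plugin"} {
		if err := validateDBPluginName(name); err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		e, _ := getDBEngineFromPluginName(name)
		fmt.Printf("%-30s -> engine %s\n", name, e.name)
	}
}
```

Both `oracle-plugin` and `vault-plugin-database-oracle` resolve to the same `oracle` engine, while a name that matches no prefix fails closed instead of being treated as some default engine.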

@codergs codergs changed the title Add hcp registered plugin name for oracle in case where vault provide… Add hcp registered plugin name for oracle in case where vault provider is used with HCP Vault cluster Sep 8, 2023
@codergs
Contributor Author

codergs commented Sep 8, 2023

Thu Sep 14 15:18:06 EDT 2023 terraform-provider-vault/testtf - (codergs-hcp-oracle-add) > terraform plan   
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/vault in /Users/gsharma/.terraform.d/plugins
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state
│ to become incompatible with published releases.
╵

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with
the following symbols:
  + create

Terraform will perform the following actions:

  # vault_database_secrets_mount.oracle-mount will be created
  + resource "vault_database_secrets_mount" "oracle-mount" {
      + accessor                     = (known after apply)
      + audit_non_hmac_request_keys  = (known after apply)
      + audit_non_hmac_response_keys = (known after apply)
      + default_lease_ttl_seconds    = (known after apply)
      + engine_count                 = 1
      + external_entropy_access      = false
      + id                           = (known after apply)
      + max_lease_ttl_seconds        = (known after apply)
      + path                         = "db"
      + seal_wrap                    = (known after apply)

      + oracle {
          + allowed_roles        = [
              + "default",
            ]
          + connection_url       = "{{username}}/{{password}}@localhost:1521/OraDoc.localhost"
          + max_open_connections = 2
          + name                 = "oracledb1"
          + password             = (sensitive value)
          + plugin_name          = "vault-plugin-database-oracle"
          + username             = "test"
          + verify_connection    = false
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if
you run "terraform apply" now.
Thu Sep 14 15:18:12 EDT 2023 terraform-provider-vault/testtf - (codergs-hcp-oracle-add) > terraform apply -auto-approve

╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/vault in /Users/gsharma/.terraform.d/plugins
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state
│ to become incompatible with published releases.
╵

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with
the following symbols:
  + create

Terraform will perform the following actions:

  # vault_database_secrets_mount.oracle-mount will be created
  + resource "vault_database_secrets_mount" "oracle-mount" {
      + accessor                     = (known after apply)
      + audit_non_hmac_request_keys  = (known after apply)
      + audit_non_hmac_response_keys = (known after apply)
      + default_lease_ttl_seconds    = (known after apply)
      + engine_count                 = 1
      + external_entropy_access      = false
      + id                           = (known after apply)
      + max_lease_ttl_seconds        = (known after apply)
      + path                         = "db"
      + seal_wrap                    = (known after apply)

      + oracle {
          + allowed_roles        = [
              + "default",
            ]
          + connection_url       = "{{username}}/{{password}}@localhost:1521/OraDoc.localhost"
          + max_open_connections = 2
          + name                 = "oracledb1"
          + password             = (sensitive value)
          + plugin_name          = "vault-plugin-database-oracle"
          + username             = "test"
          + verify_connection    = false
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
vault_database_secrets_mount.oracle-mount: Creating...
vault_database_secrets_mount.oracle-mount: Creation complete after 0s [id=db]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Thu Sep 14 15:18:26 EDT 2023 terraform-provider-vault/testtf - (codergs-hcp-oracle-add) > vault read -format=json db/config/oracledb1 | jq .
{
  "request_id": "1b3a07a1-70ac-c204-58f7-6bf5fbec842d",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": {
    "allowed_roles": [
      "default"
    ],
    "connection_details": {
      "connection_url": "%7B%7Busername%7D%7D/%7B%7Bpassword%7D%7D@localhost:1521/OraDoc.localhost",
      "max_open_connections": 2,
      "username": "test"
    },
    "password_policy": "",
    "plugin_name": "vault-plugin-database-oracle",
    "plugin_version": "",
    "root_credentials_rotate_statements": []
  },
  "warnings": null
}

Thu Sep 14 15:18:32 EDT 2023 terraform-provider-vault/testtf - (codergs-hcp-oracle-add) > terraform destroy
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - hashicorp/vault in /Users/gsharma/.terraform.d/plugins
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state
│ to become incompatible with published releases.
╵
vault_database_secrets_mount.oracle-mount: Refreshing state... [id=db]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with
the following symbols:
  - destroy

Terraform will perform the following actions:

  # vault_database_secrets_mount.oracle-mount will be destroyed
  - resource "vault_database_secrets_mount" "oracle-mount" {
      - accessor                     = "database_cab5b354" -> null
      - allowed_managed_keys         = [] -> null
      - audit_non_hmac_request_keys  = [] -> null
      - audit_non_hmac_response_keys = [] -> null
      - default_lease_ttl_seconds    = 0 -> null
      - engine_count                 = 1 -> null
      - external_entropy_access      = false -> null
      - id                           = "db" -> null
      - local                        = false -> null
      - max_lease_ttl_seconds        = 0 -> null
      - options                      = {} -> null
      - path                         = "db" -> null
      - seal_wrap                    = false -> null

      - oracle {
          - allowed_roles            = [
              - "default",
            ] -> null
          - connection_url           = "{{username}}/{{password}}@localhost:1521/OraDoc.localhost" -> null
          - data                     = {} -> null
          - max_connection_lifetime  = 0 -> null
          - max_idle_connections     = 0 -> null
          - max_open_connections     = 2 -> null
          - name                     = "oracledb1" -> null
          - password                 = (sensitive value) -> null
          - plugin_name              = "vault-plugin-database-oracle" -> null
          - root_rotation_statements = [] -> null
          - username                 = "test" -> null
          - verify_connection        = false -> null
        }
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

vault_database_secrets_mount.oracle-mount: Destroying... [id=db]
vault_database_secrets_mount.oracle-mount: Destruction complete after 0s

Destroy complete! Resources: 1 destroyed.

@codergs codergs changed the title Add hcp registered plugin name for oracle in case where vault provider is used with HCP Vault cluster Add HCP Vault registered plugin name for oracle database engine enablement Sep 8, 2023
@github-actions github-actions bot added size/S and removed size/XS labels Sep 8, 2023
@github-actions github-actions bot added size/M and removed size/S labels Sep 14, 2023
@codergs codergs marked this pull request as ready for review September 14, 2023 17:51
@codergs codergs changed the title Add HCP Vault registered plugin name for oracle database engine enablement Oracle DB Engine Enablement on HCP Vault Sep 14, 2023
@codergs codergs changed the title Oracle DB Engine Enablement on HCP Vault Oracle DB engine enablement on HCP Vault Sep 14, 2023
Contributor

@benashz benashz left a comment


Looks great! Just one minor nit.

@@ -1659,11 +1675,11 @@ func validateDBPluginName(s string) error {
func getSortedPluginPrefixes() ([]string, error) {
var pluginPrefixes []string
for _, d := range dbEngines {
prefix, err := d.PluginPrefix()
prefix, err := d.PluginPrefixes()
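Review bot: `prefix, err := d.PluginPrefixes()` keeps a singular variable for a method that now returns every prefix an engine accepts (default name plus aliases), so the name should be `prefixes`, and the loop body that fills `pluginPrefixes` should append the whole slice (`pluginPrefixes = append(pluginPrefixes, prefixes...)`) rather than a single value; otherwise an alias such as vault-plugin-database-oracle could be left out of the list that validation is built from, and the HCP Vault case this PR targets would still be rejected.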

nit: should be plural

Suggested change
prefix, err := d.PluginPrefixes()
prefixes, err := d.PluginPrefixes()

vault/resource_database_secret_backend_connection.go (outdated)
Contributor

@vinay-gopalan vinay-gopalan left a comment


LGTM

@codergs codergs merged commit 3a64710 into main Sep 19, 2023
11 checks passed
@codergs codergs deleted the codergs-hcp-oracle-add branch September 19, 2023 14:17
@benashz benashz added this to the 3.21.0 milestone Sep 19, 2023