Introduction
Problem
The Terraform Vault provider fails to create a database connection using the Vault Oracle Enterprise plugin for the Vault Database Secrets Engine.
Prerequisites
- Vault Enterprise
- Vault Oracle Enterprise plugin v0.11.0 and later
- Terraform
- Terraform Vault provider v5.3.0
Cause
The Terraform Vault provider currently expects the database plugin to be called oracle-database-plugin instead of vault-plugin-database-oracle, which is the default name for the Vault Oracle Enterprise plugin.
Please find an example of the error below:
vault_database_secret_backend_connection.database: Modifying... [id=database/config/oracle-test]
╷
│ Error: error configuring database connection "database/config/oracle-test": Error making API request.
│
│ URL: PUT http://192.168.1.1:8200/v1/database/config/oracle-test
│ Code: 400. Errors:
│
│ * error creating database object: invalid database version: 2 errors occurred:
│ * plugin not found in the catalog: oracle-database-plugin, version=v0.12.3+ent
│ * plugin not found in the catalog: oracle-database-plugin, version=v0.12.3+ent
│
│
│
│ with vault_database_secret_backend_connection.database,
│ on main.tf line 8, in resource "vault_database_secret_backend_connection" "database":
│ 8: resource "vault_database_secret_backend_connection" "database" {
│
╵
Please see an example of the installed Vault Oracle Enterprise plugin using the default name below:
vault plugin list database | grep -i oracle
vault-plugin-database-oracle v0.12.3+ent
Overview of possible solutions
Solutions:
Currently the Terraform Vault Provider doesn't support specifying custom plugin_name and plugin_version parameters. This has been reported to Vault engineering and is scheduled to be addressed in a future version of the Terraform Vault Provider.
A possible workaround is to install the Vault Oracle Enterprise plugin under the oracle-database-plugin name. This can be accomplished as follows:
sudo unzip vault-plugin-database-oracle_0.12.3+ent_linux_amd64 -d /opt/vault/plugins/oracle-database-plugin_0.12.3+ent_linux_amd64
sudo mv /opt/vault/plugins/oracle-database-plugin_0.12.3+ent_linux_amd64/vault-plugin-database-oracle /opt/vault/plugins/oracle-database-plugin_0.12.3+ent_linux_amd64/oracle-database-plugin
sudo chown -R vault:vault /opt/vault/plugins/oracle-database-plugin_0.12.3+ent_linux_amd64/
vault plugin register -version=0.12.3+ent database oracle-database-plugin
Please note that details such as the Vault plugin directory or the version of the Vault Oracle Enterprise plugin may differ in your environment.
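The rename and verification steps above, as an added shell example that is not part of this article: stage_renamed_plugin mirrors the unzip/mv steps under a chosen plugin directory, and catalog_has_plugin checks the output of vault plugin list database for an exact name and version match, accepting the version with or without the leading v that the catalog prints. The paths and version are placeholders to adjust; file ownership and the vault plugin register call are left to the operator as shown above.

```shell
#!/usr/bin/env bash
# Added example, not part of the HashiCorp article. Paths and versions below
# are placeholders; adjust them to match your plugin directory and release.
set -eu

EXPECTED_NAME="oracle-database-plugin"   # name the Terraform Vault provider expects

# Copy the extracted plugin binary into a per-version directory under the name
# the provider expects (the unzip/mv steps above). Arguments: path to the
# extracted binary, plugin root directory, version string (with or without a
# leading "v"). Prints the new binary path. Ownership (chown vault:vault in the
# article) is left to the caller.
stage_renamed_plugin() {
  src="$1"; root="$2"; version="${3#v}"
  dest_dir="${root}/${EXPECTED_NAME}_${version}_linux_amd64"
  [ -f "$src" ] || { echo "plugin binary not found: $src" >&2; return 1; }
  mkdir -p "$dest_dir"
  cp "$src" "${dest_dir}/${EXPECTED_NAME}"
  chmod 0755 "${dest_dir}/${EXPECTED_NAME}"
  printf '%s\n' "${dest_dir}/${EXPECTED_NAME}"
}

# Read `vault plugin list database` output on stdin and succeed only if a row
# matches the given name and version exactly. The catalog prints versions with
# a leading "v" while `vault plugin register -version=` takes none, so both
# forms are accepted; a partial name match (e.g. the default name) does not
# count, which is exactly the mismatch the provider error above reports.
catalog_has_plugin() {
  name="$1"; version="${2#v}"
  awk -v n="$name" -v v="$version" '
    { ver = $2; sub(/^v/, "", ver) }
    $1 == n && ver == v { found = 1 }
    END { exit !found }'
}

# Usage (not executed here):
#   stage_renamed_plugin /tmp/extract/vault-plugin-database-oracle /opt/vault/plugins 0.12.3+ent
#   vault plugin register -version=0.12.3+ent database oracle-database-plugin
#   vault plugin list database | catalog_has_plugin oracle-database-plugin 0.12.3+ent \
#     && echo "provider-expected plugin name is registered"
```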
After this the plugin should be listed:
vault plugin list database | grep -i oracle
oracle-database-plugin v0.12.3+ent
vault-plugin-database-oracle v0.12.3+ent
Outcome
After installing the plugin using the name oracle-database-plugin, the Terraform Vault Provider should be able to create a database connection using the Vault Oracle Enterprise plugin for the Vault Database Secrets Engine.
terraform apply
vault_mount.db: Refreshing state... [id=database]
vault_database_secret_backend_connection.database: Refreshing state... [id=database/config/oracle-test]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# vault_database_secret_backend_connection.database will be updated in-place
~ resource "vault_database_secret_backend_connection" "database" {
id = "database/config/oracle-test"
name = "oracle-test"
~ plugin_name = "oracle-database-plugin" -> "vault-plugin-database-oracle"
# (9 unchanged attributes hidden)
# (1 unchanged block hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
vault_database_secret_backend_connection.database: Modifying... [id=database/config/oracle-test]
vault_database_secret_backend_connection.database: Modifications complete after 0s [id=database/config/oracle-test]
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
Additional Information
Vault API Documentation: Oracle database plugin HTTP API
Vault Documentation: Oracle database secrets engine
Vault Documentation: The Vault plugin ecosystem
Terraform Documentation: Vault Provider