TJM · April 20, 2023 15:14
diff --git a/main.tf b/main.tf
 ## Providers
 terraform {
  required_providers {
    shell = {
      source  = "scottwinkler/shell"
      version = "~> 1.7"
    }
  }
 }

 ## Variables
 variable "artifactory_plugin_version_info" {
  type = map(map(string))
  description = "Artifactory Plugin Version Information - see default for example"
  default = {
    "0.2.12" = {
      "sha256" = "2112d38d700855151af5b9662891fbb17145b9e89c836003a9308176d784dd08"
    }
    "0.2.15" = {
      sha256 = "5f420e3e78902aa11ec2b926bbecc147f3aa42c130595abe07f3ccdd4ba4db26"
    }
  }
 }

 variable "VAULT_ADDR" {
  type = string
  description = "Vault Address (no trailing /)"
  default = "http://127.0.0.1:8200"
 }

 variable "VAULT_TOKEN" {
  type = string
  description = "Vault Authentication Token, provided by pipeline"
  default = "root"
 }


 ## Plugins
 ### NOTE: Vault needs to be configured with a plugin-path, and the plugin
 ###   plugin binaries need to be populated on the vault image in the
 ###   plugin path *prior* to registering them

 # artifactory secrets plugin
 resource "shell_script" "artifactory_secrets_plugin" {
  for_each = var.artifactory_plugin_version_info
  lifecycle_commands {
    create = "./vault-plugin-register.sh"
    update = "./vault-plugin-register.sh"
    delete = "./vault-plugin-deregister.sh"
    read   = "./vault-plugin-info.sh"
  }
  interpreter = ["/bin/bash", "-x"] # debug mode
  environment = {
    PLUGIN_NAME    = "artifactory"
    PLUGIN_VERSION = each.key
    PLUGIN_JSON_DATA = jsonencode({
      command = "artifactory-secrets-plugin_v${each.key}" # We named the files like they used to be named prior to v0.2.12
      sha256  = each.value.sha256
      version = each.key # This is optional post v0.2.12
    })
    VAULT_ADDR = var.VAULT_ADDR
  }
  sensitive_environment = {
    VAULT_TOKEN = trimsuffix(var.VAULT_TOKEN, "\n")
  }
 }
diff --git a/vault-plugin-deregister.tf b/vault-plugin-deregister.tf
 #!/bin/bash
 set -e
 set -o pipefail

 # Required Variables
 : "${VAULT_TOKEN:?}"
 : "${VAULT_ADDR:?}"
 : "${PLUGIN_NAME:?}"


 # Optional Variables
 PLUGIN_TYPE=${PLUGIN_TYPE:-secret}
 PLUGIN_VERSION=${PLUGIN_VERSION:-}

 if curl --help all | grep -q fail-with-body; then
  CURL_FAIL="--fail-with-body"
 else
  CURL_FAIL="--fail"
 fi

 if test -n "${PLUGIN_VERSION}"; then
  VERSION_QUERY="version=${PLUGIN_VERSION}"
 else
  VERSION_QUERY=""
 fi

 curl -XDELETE $CURL_FAIL -sS -H "X-Vault-Request: true"  -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/sys/plugins/catalog/${PLUGIN_TYPE}/${PLUGIN_NAME}?${VERSION_QUERY}"
 echo '{}'
diff --git a/vault-plugin-info.sh b/vault-plugin-info.sh
 #!/bin/bash
 # set -e
 set -o pipefail

 # Required Variables
 : "${VAULT_TOKEN:?}"
 : "${VAULT_ADDR:?}"
 : "${PLUGIN_NAME:?}"


 # Optional Variables
 PLUGIN_TYPE=${PLUGIN_TYPE:-secret}
 PLUGIN_VERSION=${PLUGIN_VERSION:-}

 if curl --help all | grep -q fail-with-body; then
  CURL_FAIL="--fail-with-body"
 else
  CURL_FAIL="--fail"
 fi

 if test -n "${PLUGIN_VERSION}"; then
  VERSION_QUERY="version=${PLUGIN_VERSION}"
 else
  VERSION_QUERY=""
 fi

 CURL_OUT=$(curl $CURL_FAIL -sS -H "X-Vault-Request: true"  -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/sys/plugins/catalog/${PLUGIN_TYPE}/${PLUGIN_NAME}?${VERSION_QUERY}")
 CURL_RC=$?
 if [ $CURL_RC == 0 ]; then
  echo $CURL_OUT | jq -eMc '.data' || echo '{}'
 else
  echo $CURL_OUT >&2
  echo '{}'
  exit $CURL_RC
 fi
diff --git a/vault-plugin-register.tf b/vault-plugin-register.tf
 #!/bin/bash
 set -e
 set -o pipefail

 # Required Variables
 : "${VAULT_TOKEN:?}"
 : "${VAULT_ADDR:?}"
 : "${PLUGIN_NAME:?}"
 : "${PLUGIN_JSON_DATA:?}"

 ### PLUGIN_JSON_DATA see: https://developer.hashicorp.com/vault/api-docs/system/plugins-catalog#register-plugin
 # EXAMPLE:
 # {
 #   "args": [],
 #   "command": "artifactory-secrets-plugin_v0.2.11",
 #   "name": "artifactory",
 #   "sha256": "e6b80753894a10d4efe7793e3bf7b5de610a49b16e7eb4d46b34721aead4e76f",
 #   "version": "v0.2.11"
 # }


 # Optional Variables
 PLUGIN_TYPE=${PLUGIN_TYPE:-secret}
 PLUGIN_VERSION=${PLUGIN_VERSION:-}

 if curl --help all | grep -q fail-with-body; then
  CURL_FAIL="--fail-with-body"
 else
  CURL_FAIL="--fail"
 fi

 if test -n "${PLUGIN_VERSION}"; then
  VERSION_QUERY="version=${PLUGIN_VERSION}"
 else
  VERSION_QUERY=""
 fi


 curl -XPOST  $CURL_FAIL -sS -H "X-Vault-Request: true"  -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/sys/plugins/catalog/${PLUGIN_TYPE}/${PLUGIN_NAME}" -d "${PLUGIN_JSON_DATA}"

 CURL_OUT=$(curl $CURL_FAIL -sS -H "X-Vault-Request: true"  -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/sys/plugins/catalog/${PLUGIN_TYPE}/${PLUGIN_NAME}?${VERSION_QUERY}")
 CURL_RC=$?
 if [ $CURL_RC == 0 ]; then
  echo $CURL_OUT | jq -eMc '.data'
 else
  echo $CURL_OUT >&2
  exit $CURL_RC
 fi
	## Providers
	terraform {
	required_providers {
	shell = {
	source = "scottwinkler/shell"
	version = "~> 1.7"
	}
	}
	}

	## Variables
	variable "artifactory_plugin_version_info" {
	type = map(map(string))
	description = "Artifactory Plugin Version Information - see default for example"
	default = {
	"0.2.12" = {
	"sha256" = "2112d38d700855151af5b9662891fbb17145b9e89c836003a9308176d784dd08"
	}
	"0.2.15" = {
	sha256 = "5f420e3e78902aa11ec2b926bbecc147f3aa42c130595abe07f3ccdd4ba4db26"
	}
	}
	}

	variable "VAULT_ADDR" {
	type = string
	description = "Vault Address (no trailing /)"
	default = "http://127.0.0.1:8200"
	}

	variable "VAULT_TOKEN" {
	type = string
	description = "Vault Authentication Token, provided by pipeline"
	default = "root"
	}


	## Plugins
	### NOTE: Vault needs to be configured with a plugin-path, and the plugin
	### plugin binaries need to be populated on the vault image in the
	### plugin path prior to registering them

	# artifactory secrets plugin
	resource "shell_script" "artifactory_secrets_plugin" {
	for_each = var.artifactory_plugin_version_info
	lifecycle_commands {
	create = "./vault-plugin-register.sh"
	update = "./vault-plugin-register.sh"
	delete = "./vault-plugin-deregister.sh"
	read = "./vault-plugin-info.sh"
	}
	interpreter = ["/bin/bash", "-x"] # debug mode
	environment = {
	PLUGIN_NAME = "artifactory"
	PLUGIN_VERSION = each.key
	PLUGIN_JSON_DATA = jsonencode({
	command = "artifactory-secrets-plugin_v${each.key}" # We named the files like they used to be named prior to v0.2.12
	sha256 = each.value.sha256
	version = each.key # This is optional post v0.2.12
	})
	VAULT_ADDR = var.VAULT_ADDR
	}
	sensitive_environment = {
	VAULT_TOKEN = trimsuffix(var.VAULT_TOKEN, "\n")
	}
	}
	#!/bin/bash
	set -e
	set -o pipefail

	# Required Variables
	: "${VAULT_TOKEN:?}"
	: "${VAULT_ADDR:?}"
	: "${PLUGIN_NAME:?}"


	# Optional Variables
	PLUGIN_TYPE=${PLUGIN_TYPE:-secret}
	PLUGIN_VERSION=${PLUGIN_VERSION:-}

	if curl --help all \| grep -q fail-with-body; then
	CURL_FAIL="--fail-with-body"
	else
	CURL_FAIL="--fail"
	fi

	if test -n "${PLUGIN_VERSION}"; then
	VERSION_QUERY="version=${PLUGIN_VERSION}"
	else
	VERSION_QUERY=""
	fi

	curl -XDELETE $CURL_FAIL -sS -H "X-Vault-Request: true" -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/sys/plugins/catalog/${PLUGIN_TYPE}/${PLUGIN_NAME}?${VERSION_QUERY}"
	echo '{}'
	#!/bin/bash
	# set -e
	set -o pipefail

	# Required Variables
	: "${VAULT_TOKEN:?}"
	: "${VAULT_ADDR:?}"
	: "${PLUGIN_NAME:?}"


	# Optional Variables
	PLUGIN_TYPE=${PLUGIN_TYPE:-secret}
	PLUGIN_VERSION=${PLUGIN_VERSION:-}

	if curl --help all \| grep -q fail-with-body; then
	CURL_FAIL="--fail-with-body"
	else
	CURL_FAIL="--fail"
	fi

	if test -n "${PLUGIN_VERSION}"; then
	VERSION_QUERY="version=${PLUGIN_VERSION}"
	else
	VERSION_QUERY=""
	fi

	CURL_OUT=$(curl $CURL_FAIL -sS -H "X-Vault-Request: true" -H "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/sys/plugins/catalog/${PLUGIN_TYPE}/${PLUGIN_NAME}?${VERSION_QUERY}")
	CURL_RC=$?
	if [ $CURL_RC == 0 ]; then
	echo $CURL_OUT \| jq -eMc '.data' \|\| echo '{}'
	else
	echo $CURL_OUT >&2
	echo '{}'
	exit $CURL_RC
	fi