Manage HashiCorp Vault plugins (with versions) in Terraform using the shell provider
## Providers
terraform {
  # Only the shell provider is needed: every Vault API call lives in the
  # vault-plugin-*.sh scripts, which the shell_script resource below runs.
  required_providers {
    shell = {
      source  = "scottwinkler/shell"
      version = "~> 1.7"
    }
  }
}
## Variables
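# Map of plugin version -> { sha256 = <hex digest of the plugin binary> }.
# One shell_script instance (and one Vault catalog entry) is created per key.
variable "artifactory_plugin_version_info" {
  type        = map(map(string))
  description = "Artifactory Plugin Version Information - see default for example"
  default = {
    "0.2.12" = {
      sha256 = "2112d38d700855151af5b9662891fbb17145b9e89c836003a9308176d784dd08"
    }
    "0.2.15" = {
      sha256 = "5f420e3e78902aa11ec2b926bbecc147f3aa42c130595abe07f3ccdd4ba4db26"
    }
  }

  # Vault compares this digest against the binary in its plugin directory, so
  # a missing or malformed sha256 only surfaces at apply time as an API error;
  # catch it at plan time instead. Any entry without a valid 64-hex-char digest
  # makes the filtered list non-empty and fails the check.
  validation {
    condition = length([
      for v in var.artifactory_plugin_version_info : v
      if !can(regex("^[0-9a-fA-F]{64}$", lookup(v, "sha256", "")))
    ]) == 0
    error_message = "Every entry must contain a sha256 key holding a 64-character hex digest."
  }
}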
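# Base URL of the Vault server the scripts talk to.
variable "VAULT_ADDR" {
  type        = string
  description = "Vault Address (no trailing /)"
  default     = "http://127.0.0.1:8200"

  # The scripts build URLs as "$VAULT_ADDR/v1/...", so a trailing slash would
  # yield "//v1" paths; enforce the documented rule at plan time.
  validation {
    condition     = trimsuffix(var.VAULT_ADDR, "/") == var.VAULT_ADDR
    error_message = "VAULT_ADDR must not end with a trailing slash."
  }
}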
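# Token used for every Vault API call; the pipeline is expected to override
# the dev-server default.
variable "VAULT_TOKEN" {
  type        = string
  description = "Vault Authentication Token, provided by pipeline"
  default     = "root"
  # Marked sensitive (Terraform 0.14+) so the token value is redacted in plan
  # and apply output wherever this variable is referenced.
  sensitive = true
}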
## Plugins
### NOTE: Vault needs to be configured with a plugin-path, and the
### plugin binaries need to be present on the Vault image in that
### plugin path *prior* to registering them
# artifactory secrets plugin
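resource "shell_script" "artifactory_secrets_plugin" {
  # One catalog entry per version in artifactory_plugin_version_info:
  # each.key is the version string, each.value.sha256 the binary's digest.
  for_each = var.artifactory_plugin_version_info

  # Scripts are resolved relative to the working directory of the terraform
  # run; create and update both (re-)register the same catalog entry.
  lifecycle_commands {
    create = "./vault-plugin-register.sh"
    update = "./vault-plugin-register.sh"
    delete = "./vault-plugin-deregister.sh"
    read   = "./vault-plugin-info.sh"
  }

  # No "-x" here: a bash trace prints every expanded command line, including
  # the "X-Vault-Token: ..." header the scripts pass to curl, into the stderr
  # the provider captures. Add it back only for a local debugging session.
  interpreter = ["/bin/bash"]

  environment = {
    PLUGIN_NAME    = "artifactory"
    PLUGIN_VERSION = each.key
    PLUGIN_JSON_DATA = jsonencode({
      command = "artifactory-secrets-plugin_v${each.key}" # We named the files like they used to be named prior to v0.2.12
      sha256  = each.value.sha256
      version = each.key # This is optional post v0.2.12
      # NOTE(review): the register script's example shows a "v"-prefixed
      # version ("v0.2.11") while this passes e.g. "0.2.12"; the read/delete
      # scripts query by the same string, so confirm which form Vault stores.
    })
    VAULT_ADDR = var.VAULT_ADDR
  }

  # sensitive_environment is presumably what keeps the token out of plan
  # output and state — confirm against the provider docs. The trailing
  # newline is stripped in case the pipeline hands over a token read from a file.
  sensitive_environment = {
    VAULT_TOKEN = trimsuffix(var.VAULT_TOKEN, "\n")
  }
}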
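#!/bin/bash
# vault-plugin-deregister.sh — remove a plugin (optionally one specific
# version of it) from the Vault plugin catalog. Used as the shell_script
# "delete" command.
#
# Required environment: VAULT_TOKEN, VAULT_ADDR, PLUGIN_NAME
# Optional environment: PLUGIN_TYPE (default: secret), PLUGIN_VERSION
# Output: '{}' on stdout; exits non-zero (via set -e) if the DELETE fails.
set -e
set -o pipefail

# Required Variables
: "${VAULT_TOKEN:?}"
: "${VAULT_ADDR:?}"
: "${PLUGIN_NAME:?}"

# Optional Variables
PLUGIN_TYPE=${PLUGIN_TYPE:-secret}
PLUGIN_VERSION=${PLUGIN_VERSION:-}

# Prefer --fail-with-body so Vault's JSON error body is still printed on
# HTTP failures. grep reads the whole help text (no -q) so curl never hits a
# closed pipe, which pipefail would otherwise count as "option not found".
if curl --help all | grep fail-with-body >/dev/null 2>&1; then
  CURL_FAIL="--fail-with-body"
else
  CURL_FAIL="--fail"
fi

# Only add the version selector when a version was given.
if test -n "${PLUGIN_VERSION}"; then
  VERSION_QUERY="version=${PLUGIN_VERSION}"
else
  VERSION_QUERY=""
fi

# Wrapper around curl: the token is handed over through a curl config file on
# a process-substitution fd instead of the command line, so it does not
# appear in `ps` output or in a `bash -x` trace. Assumes the token contains
# no double quote or backslash (curl config quoting).
vault_curl() {
  curl "$CURL_FAIL" -sS -H "X-Vault-Request: true" \
    -K <(printf 'header = "X-Vault-Token: %s"\n' "$VAULT_TOKEN") "$@"
}

# NOTE(review): an entry that is already gone (HTTP 404) makes curl fail and
# aborts the delete; whether the provider should treat "gone" as success is
# not visible here — confirm before tolerating it.
vault_curl -XDELETE "$VAULT_ADDR/v1/sys/plugins/catalog/${PLUGIN_TYPE}/${PLUGIN_NAME}?${VERSION_QUERY}"
echo '{}'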
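#!/bin/bash
# vault-plugin-info.sh — look up a plugin (optionally one specific version)
# in the Vault plugin catalog and print its "data" document as compact JSON.
# Used as the shell_script "read" command.
#
# Required environment: VAULT_TOKEN, VAULT_ADDR, PLUGIN_NAME
# Optional environment: PLUGIN_TYPE (default: secret), PLUGIN_VERSION
# Output: the entry's .data on stdout, or '{}' when the request succeeded
#         but carried no .data. On a failed request the response goes to
#         stderr, '{}' to stdout, and the script exits with curl's status.
set -e
set -o pipefail

# Required Variables
: "${VAULT_TOKEN:?}"
: "${VAULT_ADDR:?}"
: "${PLUGIN_NAME:?}"

# Optional Variables
PLUGIN_TYPE=${PLUGIN_TYPE:-secret}
PLUGIN_VERSION=${PLUGIN_VERSION:-}

# Prefer --fail-with-body so Vault's JSON error body is still printed on
# HTTP failures. grep reads the whole help text (no -q) so curl never hits a
# closed pipe, which pipefail would otherwise count as "option not found".
if curl --help all | grep fail-with-body >/dev/null 2>&1; then
  CURL_FAIL="--fail-with-body"
else
  CURL_FAIL="--fail"
fi

# Only add the version selector when a version was given.
if test -n "${PLUGIN_VERSION}"; then
  VERSION_QUERY="version=${PLUGIN_VERSION}"
else
  VERSION_QUERY=""
fi

# Wrapper around curl: the token is handed over through a curl config file on
# a process-substitution fd instead of the command line, so it does not
# appear in `ps` output or in a `bash -x` trace. Assumes the token contains
# no double quote or backslash (curl config quoting).
vault_curl() {
  curl "$CURL_FAIL" -sS -H "X-Vault-Request: true" \
    -K <(printf 'header = "X-Vault-Token: %s"\n' "$VAULT_TOKEN") "$@"
}

# set -e is kept on; the `|| CURL_RC=$?` form captures curl's status without
# aborting, which is why the original had to disable set -e for this step.
CURL_RC=0
CURL_OUT=$(vault_curl "$VAULT_ADDR/v1/sys/plugins/catalog/${PLUGIN_TYPE}/${PLUGIN_NAME}?${VERSION_QUERY}") || CURL_RC=$?

if [ "$CURL_RC" -eq 0 ]; then
  # printf keeps the body intact (unquoted echo would word-split and glob it).
  printf '%s\n' "$CURL_OUT" | jq -eMc '.data' || echo '{}'
else
  # NOTE(review): a plugin missing from the catalog (HTTP 404) lands here and
  # exits non-zero; confirm whether the provider expects that or an empty
  # document for "not found".
  printf '%s\n' "$CURL_OUT" >&2
  echo '{}'
  exit "$CURL_RC"
fi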
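#!/bin/bash
# vault-plugin-register.sh — register (or re-register) a plugin in the Vault
# plugin catalog, then read the entry back and print its "data" document as
# compact JSON. Used as the shell_script "create" and "update" commands.
#
# Required environment: VAULT_TOKEN, VAULT_ADDR, PLUGIN_NAME, PLUGIN_JSON_DATA
# Optional environment: PLUGIN_TYPE (default: secret), PLUGIN_VERSION
# Output: the registered entry's .data on stdout; on a failed read-back the
#         response goes to stderr and the script exits with curl's status.
set -e
set -o pipefail

# Required Variables
: "${VAULT_TOKEN:?}"
: "${VAULT_ADDR:?}"
: "${PLUGIN_NAME:?}"
: "${PLUGIN_JSON_DATA:?}"
### PLUGIN_JSON_DATA see: https://developer.hashicorp.com/vault/api-docs/system/plugins-catalog#register-plugin
# EXAMPLE:
# {
#   "args": [],
#   "command": "artifactory-secrets-plugin_v0.2.11",
#   "name": "artifactory",
#   "sha256": "e6b80753894a10d4efe7793e3bf7b5de610a49b16e7eb4d46b34721aead4e76f",
#   "version": "v0.2.11"
# }

# Optional Variables
PLUGIN_TYPE=${PLUGIN_TYPE:-secret}
PLUGIN_VERSION=${PLUGIN_VERSION:-}

# Prefer --fail-with-body so Vault's JSON error body is still printed on
# HTTP failures. grep reads the whole help text (no -q) so curl never hits a
# closed pipe, which pipefail would otherwise count as "option not found".
if curl --help all | grep fail-with-body >/dev/null 2>&1; then
  CURL_FAIL="--fail-with-body"
else
  CURL_FAIL="--fail"
fi

# Only add the version selector when a version was given.
if test -n "${PLUGIN_VERSION}"; then
  VERSION_QUERY="version=${PLUGIN_VERSION}"
else
  VERSION_QUERY=""
fi

# Wrapper around curl: the token is handed over through a curl config file on
# a process-substitution fd instead of the command line, so it does not
# appear in `ps` output or in a `bash -x` trace. Assumes the token contains
# no double quote or backslash (curl config quoting).
vault_curl() {
  curl "$CURL_FAIL" -sS -H "X-Vault-Request: true" \
    -K <(printf 'header = "X-Vault-Token: %s"\n' "$VAULT_TOKEN") "$@"
}

# Register; under set -e a failed POST aborts the script here.
vault_curl -XPOST "$VAULT_ADDR/v1/sys/plugins/catalog/${PLUGIN_TYPE}/${PLUGIN_NAME}" -d "${PLUGIN_JSON_DATA}"

# Read the entry back. With set -e, a failing command substitution in a plain
# assignment aborts before $? can be inspected, which made the error branch
# below unreachable; `|| CURL_RC=$?` captures the status without aborting.
CURL_RC=0
CURL_OUT=$(vault_curl "$VAULT_ADDR/v1/sys/plugins/catalog/${PLUGIN_TYPE}/${PLUGIN_NAME}?${VERSION_QUERY}") || CURL_RC=$?

if [ "$CURL_RC" -eq 0 ]; then
  # printf keeps the body intact (unquoted echo would word-split and glob it).
  printf '%s\n' "$CURL_OUT" | jq -eMc '.data'
else
  printf '%s\n' "$CURL_OUT" >&2
  exit "$CURL_RC"
fi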