feat(plugin): support plugin exec dir

hashicorp · Oct 4, 2022 · 4d9bd33 · 4d9bd33
1 parent da6a3b6
commit 4d9bd33
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 5 deletions.
diff --git a/docs/index.md b/docs/index.md
@@ -34,6 +34,7 @@ provider "boundary" {
 - `auth_method_id` (String) The auth method ID e.g. ampw_1234567890
 - `password_auth_method_login_name` (String) The auth method login name for password-style auth methods
 - `password_auth_method_password` (String) The auth method password for password-style auth methods
+- `plugin_execution_dir` (String) Specifies a directory that the provider can use to write and execute its built-in plugins.
 - `recovery_kms_hcl` (String) Can be a heredoc string or a path on disk. If set, the string/file will be parsed as HCL and used with the recovery KMS mechanism. While this is set, it will override any other authentication information; the KMS mechanism will always be used. See Boundary's KMS docs for examples: https://boundaryproject.io/docs/configuration/kms
 - `tls_insecure` (Boolean) When set to true, does not validate the Boundary API endpoint certificate
 - `token` (String) The Boundary token to use, as a string or path on disk containing just the string. If set, the token read here will be used in place of authenticating with the auth method specified in "auth_method_id", although the recovery KMS mechanism will still override this. Can also be set with the BOUNDARY_TOKEN environment variable.
diff --git a/internal/provider/provider.go b/internal/provider/provider.go
@@ -60,6 +60,11 @@ func New() *schema.Provider {
 				Optional:    true,
 				Description: "When set to true, does not validate the Boundary API endpoint certificate",
 			},
+			"plugin_execution_dir": {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: `Specifies a directory that the Boundary provider can use to write and execute its built-in plugins.`,
+			},
 		},
 		ResourcesMap: map[string]*schema.Resource{
 			"boundary_account":                      resourceAccount(),
@@ -116,17 +121,36 @@ func providerAuthenticate(ctx context.Context, d *schema.ResourceData, md *metaD
 		if err != nil {
 			return fmt.Errorf(`error reading data from "recovery_kms_hcl": %v`, err)
 		}
-		wrapper, _, err := wrapper.GetWrapperFromHcl(ctx, recoveryHclStr, "recovery",
-			configutil.WithPluginOptions(
-				pluginutil.WithPluginsMap(kms_plugin_assets.BuiltinKmsPlugins()),
-				pluginutil.WithPluginsFilesystem(kms_plugin_assets.KmsPluginPrefix, kms_plugin_assets.FileSystem()),
-			))
+
+		opts := []pluginutil.Option{
+			pluginutil.WithPluginsMap(kms_plugin_assets.BuiltinKmsPlugins()),
+			pluginutil.WithPluginsFilesystem(kms_plugin_assets.KmsPluginPrefix, kms_plugin_assets.FileSystem()),
+		}
+
+		if execDir, ok := d.GetOk("plugin_execution_dir"); ok {
+			opts = append(opts, pluginutil.WithPluginExecutionDirectory(execDir.(string)))
+		}
+
+		wrapper, cleanUp, err := wrapper.GetWrapperFromHcl(
+			ctx,
+			recoveryHclStr,
+			"recovery",
+			configutil.WithPluginOptions(opts...))
 		if err != nil {
 			return fmt.Errorf(`error reading wrappers from "recovery_kms_hcl": %v`, err)
 		}
 		if wrapper == nil {
 			return errors.New(`No "kms" block with purpose "recovery" found in "recovery_kms_hcl"`)
 		}
+		if cleanUp != nil {
+			// Terraform will cancel the context when work is complete.
+			go func() {
+				select {
+				case <-ctx.Done():
+					_ = cleanUp()
+				}
+			}()
+		}
 
 		md.recoveryKmsWrapper = wrapper
 		md.client.SetRecoveryKmsWrapper(wrapper)