Revoke from Terraform vault_pki_secret_backend_cert fails

[MasakariDOR]

PROBLEM SUMMARY
When attempting to revoke a venafi-pki certificate through Terraform's vault_pki_secret_backend_cert resource, it fails with the error

Code: 404. Errors:
│
│ * 1 error occurred:
│       * unsupported path

STEPS TO REPRODUCE

1. Issue a certificate using Terraform's vault provider and the resource vault_pki_secret_backend_cert with revoke = true configured.
2. Destroy the vault_pki_secret_backend_cert resource

EXPECTED RESULTS
Certificate should be revoked.

ACTUAL RESULTS
The vault provider attempts to revoke the certificate using the path "/revoke" but the vault-pki-backend-venafi plugin expects this to be /revoke/. Weirdly, it also expects the role to be provided in the payload... this should adhere to the standards Hashicorp have implemented (although poorly documented) to ensure interoperability with Terraform.

ENVIRONMENT DETAILS
vault-pki-backend-venafi v0.14.0
vault enterprise v1.16.1

COMMENTS/WORKAROUNDS
This works from the vault CLI using the /revoke/ path. I've also tested with a POST command using the API and it also works but MUST have the role name supplied in the path. Given the role is already part of the schema, this seems to be an easy fix to line 20 on path_venafi_cert_revoke.go

[luispresuelVenafi]

Hi there @MasakariDOR , thank you for reaching out.

Looking at the docs for that resource you mentioned (vault_pki_secret_backend_cert) in: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/pki_secret_backend_cert :

They are using the native pki secrets engine which does support certificate "CRUD" operations. I'm surprised you were able to use our secrets engine using that resource since it does not (and shouldn't have) native support for our engine, since they are different engines. I wonder, did you do some sort of aliasing in order to be able to use our engine in that resource? If so I would expect a proper support for this.

If our plugin would work with the Vault provider, I'd rather expect to see a resource named vault_pki_venafi_secret_backend_cert (notice "venafi" within the resource name) for example.

This would be an ask I'd recommend you to do HashiCorp team, since what's in their provider, it's something we do not have control. By that I mean, add native support for our secrets engine, which already follow the expected standard for it being an standalone plugin.

That said, this is not bug, but rather this is not supported on our side, which makes sense since, as I mentioned earlier, they are different engines, and, If I understand correctly, this is a HashiCorp's ask, not for us. I'll be removing the "bug" tag, but keep this ticket open for a while in case you are able to get any confirmation from HashiCorp and that indeed they are able to confirm we do need and improvement in our side.

[jskirde]

Thanks @luispresuelVenafi , I am checking with Hashi.