
Add sensitive_source block #81

Open
wants to merge 2 commits into base: main
Conversation

lwoerdeman

@lwoerdeman lwoerdeman commented Jan 28, 2021

Adds a new sensitive source block which won't be rendered in terraform plans.

For example, here's a terraform configuration that will use this provider

main.tf
data "archive_file" "archive" {
  output_path = "certs.zip"
  type = "zip"

  sensitive_source {
    content = tls_private_key.pk.private_key_pem
    filename = "pk.pem"
  }

  source {
    content = tls_self_signed_cert.crt.cert_pem
    filename = "cert.pem"
  }
}

resource "tls_private_key" "pk" {
  algorithm = "RSA"
  rsa_bits = 2048
}

resource "tls_self_signed_cert" "crt" {
  allowed_uses = []
  key_algorithm = "RSA"
  private_key_pem = tls_private_key.pk.private_key_pem
  validity_period_hours = 24
  dns_names = ["*.landonwoerdeman.com"]
  subject {
    country = "US"
    province = "Iowa"
    locality = "Ames"
    organization = "Landon Woerdeman"
    common_name = "*.landonwoerdeman.com"
  }
}

# needed to trigger plan output
resource "null_resource" "do_nothing" {
  triggers = {
    always = timestamp()
  }
  provisioner "local-exec" {
    command = "echo done"
  }
}

When adjusting a value on the certificate, the plan would look like the following. Specifically, you can see that the private key contents aren't output to the console during the plan.

tfplan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

null_resource.do_nothing: Refreshing state... [id=4622476077227136761]
tls_private_key.pk: Refreshing state... [id=9c07ba198391a62ce2524ac27ea1115c99e07566]
tls_self_signed_cert.crt: Refreshing state... [id=17411721654946504328367726288512378649]
data.archive_file.archive: Refreshing state... [id=b227e966aae628ffeb8e23294d0cab91147dc169]

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement
 <= read (data resources)

Terraform will perform the following actions:

  # data.archive_file.archive will be read during apply
  # (config refers to values not yet known)
 <= data "archive_file" "archive"  {
      ~ id                  = "b227e966aae628ffeb8e23294d0cab91147dc169" -> (known after apply)
      ~ output_base64sha256 = "02fYwo5Ua1MMRL0ij8JEdruhJB7U38DPExeLEGOUjoI=" -> (known after apply)
      ~ output_md5          = "90f81ac8087d7fda4e182fe4950af234" -> (known after apply)
        output_path         = "certs.zip"
      ~ output_sha          = "b227e966aae628ffeb8e23294d0cab91147dc169" -> (known after apply)
      ~ output_size         = 2468 -> (known after apply)
        type                = "zip"

        sensitive_source {
            content  = (sensitive value)
            filename = "pk.pem"
        }

      - source {
          - content  = <<~EOT
                -----BEGIN CERTIFICATE-----
                MIIDiDCCAnCgAwIBAgIQDRlgKBlNd1owsExrFnpnGTANBgkqhkiG9w0BAQsFADBm
                MQswCQYDVQQGEwJVUzENMAsGA1UECBMESW93YTENMAsGA1UEBxMEQW1lczEZMBcG
                A1UEChMQTGFuZG9uIFdvZXJkZW1hbjEeMBwGA1UEAwwVKi5sYW5kb253b2VyZGVt
                YW4uY29tMB4XDTIxMDEyODIzMDM0NFoXDTIxMDEyOTIzMDM0NFowZjELMAkGA1UE
                BhMCVVMxDTALBgNVBAgTBElvd2ExDTALBgNVBAcTBEFtZXMxGTAXBgNVBAoTEExh
                bmRvbiBXb2VyZGVtYW4xHjAcBgNVBAMMFSoubGFuZG9ud29lcmRlbWFuLmNvbTCC
                ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMxG6PV40m3zK1xBGQH75BZq
                6MrUYav3m7/3Oi/d0UIoJ/QfzwqwFRIGh9aH8bZg07FHClSI3U5nqPYZzpPZ4FnS
                jgrGd94llld1ReGGCGoWRiRYp3z2B7FG9+XYKlwb/qL7WdXoczCAj1jDAOSYQ/sg
                RCsb4jSe6ppk3OERb3qk4sCVc4B4v0H5teq3BwiEqAaex3328jAm0MO1SuGaY20e
                B53Y84DHr0bwxAV3h5DF/h4miAl4Zk1/TzMLK0Vb1ygILXxevpK4qKLsyil1NQ+/
                yeBXTrFMRqDmeGIgs4AytI61hph+K4SZiHuifinJQzr5eHzXkAkXRrwZyYixQwcC
                AwEAAaMyMDAwDAYDVR0TAQH/BAIwADAgBgNVHREEGTAXghUqLmxhbmRvbndvZXJk
                ZW1hbi5jb20wDQYJKoZIhvcNAQELBQADggEBAG+8kqxUMwvYgoE4Nda+gxcNQU7U
                +d0T+P9yX9c5DC2RxzByfvgHK0zFbBH4snCOUHaorBTUXUIFh0wc0a2RygLauYS5
                CN8MLxsyR446OEYTDJCi5qbnM79TapU8kruoDyrCeLhYkU2CQofGJic2IRzROpTq
                +tawzPbVjeQw47H/vj/XDNxy3MWgYTCU1/ltcvGqQMi3zMuI+BPvfKk7PPMthnt6
                iRl2KuV6u7V7bEp+Ee4l9uMs52FRwDI5bhy6Bqohjy8rxFi3WjOJv5DJX17Lch8/
                3BeVhzfq0m9HejGE5pJL1bdNBZJ+ZTr8WGjTSk4LT9sEekpAqWC77kR8JrQ=
                -----END CERTIFICATE-----
            EOT -> null
          - filename = "cert.pem" -> null
        }
      + source {
          + content  = (known after apply)
          + filename = "cert.pem"
        }
    }

  # null_resource.do_nothing must be replaced
-/+ resource "null_resource" "do_nothing" {
      ~ id       = "4622476077227136761" -> (known after apply)
      ~ triggers = {
          - "always" = "2021-01-28T23:07:56Z"
        } -> (known after apply) # forces replacement
    }

  # tls_self_signed_cert.crt must be replaced
-/+ resource "tls_self_signed_cert" "crt" {
        allowed_uses          = []
      ~ cert_pem              = <<~EOT
            -----BEGIN CERTIFICATE-----
            MIIDiDCCAnCgAwIBAgIQDRlgKBlNd1owsExrFnpnGTANBgkqhkiG9w0BAQsFADBm
            MQswCQYDVQQGEwJVUzENMAsGA1UECBMESW93YTENMAsGA1UEBxMEQW1lczEZMBcG
            A1UEChMQTGFuZG9uIFdvZXJkZW1hbjEeMBwGA1UEAwwVKi5sYW5kb253b2VyZGVt
            YW4uY29tMB4XDTIxMDEyODIzMDM0NFoXDTIxMDEyOTIzMDM0NFowZjELMAkGA1UE
            BhMCVVMxDTALBgNVBAgTBElvd2ExDTALBgNVBAcTBEFtZXMxGTAXBgNVBAoTEExh
            bmRvbiBXb2VyZGVtYW4xHjAcBgNVBAMMFSoubGFuZG9ud29lcmRlbWFuLmNvbTCC
            ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMxG6PV40m3zK1xBGQH75BZq
            6MrUYav3m7/3Oi/d0UIoJ/QfzwqwFRIGh9aH8bZg07FHClSI3U5nqPYZzpPZ4FnS
            jgrGd94llld1ReGGCGoWRiRYp3z2B7FG9+XYKlwb/qL7WdXoczCAj1jDAOSYQ/sg
            RCsb4jSe6ppk3OERb3qk4sCVc4B4v0H5teq3BwiEqAaex3328jAm0MO1SuGaY20e
            B53Y84DHr0bwxAV3h5DF/h4miAl4Zk1/TzMLK0Vb1ygILXxevpK4qKLsyil1NQ+/
            yeBXTrFMRqDmeGIgs4AytI61hph+K4SZiHuifinJQzr5eHzXkAkXRrwZyYixQwcC
            AwEAAaMyMDAwDAYDVR0TAQH/BAIwADAgBgNVHREEGTAXghUqLmxhbmRvbndvZXJk
            ZW1hbi5jb20wDQYJKoZIhvcNAQELBQADggEBAG+8kqxUMwvYgoE4Nda+gxcNQU7U
            +d0T+P9yX9c5DC2RxzByfvgHK0zFbBH4snCOUHaorBTUXUIFh0wc0a2RygLauYS5
            CN8MLxsyR446OEYTDJCi5qbnM79TapU8kruoDyrCeLhYkU2CQofGJic2IRzROpTq
            +tawzPbVjeQw47H/vj/XDNxy3MWgYTCU1/ltcvGqQMi3zMuI+BPvfKk7PPMthnt6
            iRl2KuV6u7V7bEp+Ee4l9uMs52FRwDI5bhy6Bqohjy8rxFi3WjOJv5DJX17Lch8/
            3BeVhzfq0m9HejGE5pJL1bdNBZJ+ZTr8WGjTSk4LT9sEekpAqWC77kR8JrQ=
            -----END CERTIFICATE-----
        EOT -> (known after apply)
        dns_names             = [
            "*.landonwoerdeman.com",
        ]
        early_renewal_hours   = 0
      ~ id                    = "17411721654946504328367726288512378649" -> (known after apply)
        key_algorithm         = "RSA"
        private_key_pem       = (sensitive value)
      ~ ready_for_renewal     = false -> true
      ~ validity_end_time     = "2021-01-29T17:03:44.544971-06:00" -> (known after apply)
      ~ validity_period_hours = 24 -> 12 # forces replacement
      ~ validity_start_time   = "2021-01-28T17:03:44.544971-06:00" -> (known after apply)

      ~ subject {
            common_name    = "*.landonwoerdeman.com"
            country        = "US"
            locality       = "Ames"
            organization   = "Landon Woerdeman"
            province       = "Iowa"
          - street_address = [] -> null
        }
    }

Plan: 2 to add, 0 to change, 2 to destroy.

Resolves #46
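An added check, not part of this PR or of the archive provider, that a CI step could run over saved `terraform plan` text to confirm the redaction shown in the plan above: it counts `(sensitive value)` markers and flags any PEM private-key armor that reached the console, while certificates are allowed through. The plan excerpts embedded below are constructed samples with placeholder bodies, not the output from this PR.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pemBegin matches a PEM armor header and captures its label, e.g. "RSA PRIVATE KEY".
var pemBegin = regexp.MustCompile(`-----BEGIN ([A-Z ]+)-----`)

// PlanCheck summarises what a terraform plan rendered to the console.
type PlanCheck struct {
	Redacted    int      // lines showing "(sensitive value)"
	PrivateKeys []string // PEM labels carrying private key material (a leak)
	OtherPEM    []string // PEM labels that are fine to display (certificates etc.)
}

// CheckPlan scans plan text line by line for PEM headers and redaction markers.
func CheckPlan(plan string) PlanCheck {
	var c PlanCheck
	for _, line := range strings.Split(plan, "\n") {
		if strings.Contains(line, "(sensitive value)") {
			c.Redacted++
		}
		if m := pemBegin.FindStringSubmatch(line); m != nil {
			if strings.Contains(m[1], "PRIVATE KEY") {
				c.PrivateKeys = append(c.PrivateKeys, m[1])
			} else {
				c.OtherPEM = append(c.OtherPEM, m[1])
			}
		}
	}
	return c
}

// Leaks is true when any private key armor was printed in the plan.
func (c PlanCheck) Leaks() bool { return len(c.PrivateKeys) > 0 }

// Constructed plan excerpts (not the PR's output); PEM bodies are placeholders, not real keys.
const redactedPlan = "    sensitive_source {\n      content  = (sensitive value)\n" +
	"      filename = \"pk.pem\"\n    }\n    source {\n      content = <<~EOT\n" +
	"        -----BEGIN CERTIFICATE-----\n        MIIB...\n        -----END CERTIFICATE-----\n      EOT\n"
const leakyPlan = "    source {\n      content = <<~EOT\n        -----BEGIN RSA PRIVATE KEY-----\n" +
	"        MIIE...\n        -----END RSA PRIVATE KEY-----\n      EOT\n      filename = \"pk.pem\"\n    }\n"

func main() {
	for name, plan := range map[string]string{"sensitive_source": redactedPlan, "source": leakyPlan} {
		c := CheckPlan(plan)
		fmt.Printf("%-16s redacted=%d private_keys=%v leaks=%v\n", name, c.Redacted, c.PrivateKeys, c.Leaks())
	}
}
```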

@hashicorp-cla

hashicorp-cla commented Jan 28, 2021

CLA assistant check
All committers have signed the CLA.

Base automatically changed from master to main February 1, 2021 17:31
@R0flcopt3r

Can we get some progress back on this? Would be fantastic to get this merged.

Successfully merging this pull request may close these issues.

Feature Request: sensitive content