Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Certificate private keys not hashed for aws_api_gateway_domain_name resource #9452

Closed
henrytk opened this issue Oct 19, 2016 · 5 comments
Closed

Certificate private keys not hashed for aws_api_gateway_domain_name resource #9452

henrytk opened this issue Oct 19, 2016 · 5 comments
Labels
enhancement provider/aws

Comments

@henrytk
Copy link

henrytk commented Oct 19, 2016
edited
Loading

Affected Resource(s)

  • aws_api_gateway_domain_name

Expected Behavior

Based on the behaviour of the aws_iam_server_certificate resource I would expect the certificate_private_key field to be hashed before being stored in the state file.

The expected implementation would be a StateFunc, such as the pre-existing normalizeCert function which is used to hash the private key of the aws_iam_server_certificate resource.

Actual Behavior

The certificate private key is stored as plain text.
@apparentlymart
Copy link
Contributor

Hi @henrytk,

There are some complexities around this technique of hashing things in the state... in general we can only do it for fields that are only dealt with on "create", e.g. on resources where all/most attributes "force new resource", because otherwise it breaks our ability to diff the state against the config and detect the need for an update.

I'm not sure if that's true in this case, but I just wanted to leave this note here for anyone who decides to try to tackle this issue... in general we won't be able to 100% guarantee that no secrets end up in the state, so in the long run I expect we'll look at ways to securely store the state itself.

@mkuzmin
Copy link
Contributor

mkuzmin commented Oct 22, 2016

I'm working on Docker provider in #9520, and met the same issue.

This is a direct promise of the interface:

// StateFunc is a function called to change the value of this before
// storing it in the state (and likewise before comparing for diffs).
// The use for this is for example with large strings, you may want
// to simply store the hash of it.

Why does it break an ability to diff the state? The function can be applied to a new value the same way, as it was applied in last run.

Secrets is an obvious use case, but for large file content it's also required.

@mkuzmin mkuzmin mentioned this issue Oct 22, 2016
Merged
@henrytk henrytk mentioned this issue Dec 1, 2016
Closed
@henrytk
Copy link
Author

henrytk commented Dec 1, 2016

Related to #10043

@ghost ghost mentioned this issue Nov 7, 2018
Closed
@ghost
Copy link

ghost commented Nov 7, 2018

This issue has been automatically migrated to hashicorp/terraform-provider-aws#6382 because it looks like an issue with that provider. If you believe this is not an issue with the provider, please reply to hashicorp/terraform-provider-aws#6382.

@ghost ghost closed this as completed Nov 7, 2018
@ghost
Copy link

ghost commented Mar 31, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Mar 31, 2020
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement provider/aws
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@apparentlymart @jbardin @mkuzmin @henrytk