d/aws_ssm_parameter: Support returning raw encrypted SecureString value. #2777
Conversation
It is useful to have it for triggers or other purposes. Defaults to returning the decrypted value as before.
I think there is no need to add another test case just for the in-parameter check. Simply randomize it to be 100% sure.
Hi @modax! Thanks for opening up a pull request for this. I'm going to leave this one to the core team of HashiCorp employees to look at, to ensure it is compatible with whatever strategy they are using to reduce the number of potential secrets present in Terraform state. cc @radeksimko.
@jen20, @radeksimko: Hi! Well, actually the current behavior of this data source is to "leak" the secret to tfstate, as the value is always decrypted. My patch adds the possibility to return the value encrypted. Sure, it is possible to decrypt it manually via KMS API calls, but we intend to use it for detecting if the value has changed. In either case, it is much better than having a secret leaked in plaintext in tfstate when you don't really need its value. Still, however, it is far from perfect :/ Actually, you got me thinking that it makes more sense to rely on SSM parameter metadata like version or last modified date to detect if the value has changed. But the implementation for that would be much more complex and would be a topic of another PR, I believe.
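As an added illustration of the trigger use case discussed in this thread (example configuration written for this page, not code from the PR or from the provider repository): the data source argument that selects the raw value is `with_decryption`, which defaults to true and is not named on this page; the parameter name, the `null_resource` and its `local-exec` command are assumptions. Terraform 0.12+ expression syntax is used.

```hcl
# Before: a SecureString is decrypted by default, so the plaintext is written
# into terraform.tfstate even when the config only needs a change signal.
data "aws_ssm_parameter" "db_password_plain" {
  name = "/prod/db/password" # assumed parameter name
}

# After (terraform-provider-aws >= 1.7.0): with_decryption = false makes the
# data source return the encrypted value, so only ciphertext lands in state.
data "aws_ssm_parameter" "db_password_ciphertext" {
  name            = "/prod/db/password" # assumed parameter name
  with_decryption = false
}

# Use the ciphertext purely as a change detector. PutParameter re-encrypts the
# value on every write, so the ciphertext changes even when the plaintext does
# not; the trigger therefore fires on rewrites as well as real rotations.
resource "null_resource" "restart_on_rotation" {
  triggers = {
    db_password_ciphertext = data.aws_ssm_parameter.db_password_ciphertext.value
  }

  provisioner "local-exec" {
    # assumed placeholder for whatever should react to a rotated secret
    command = "echo 'db password parameter changed; restart consumers here'"
  }
}
```

After `terraform apply`, pull the state with `terraform state pull` and confirm that the `value` attribute of the `db_password_ciphertext` data source holds the encrypted value and not the plaintext password. The ciphertext is still decryptable by any principal with `kms:Decrypt` on the parameter's key, which is why comparing parameter metadata such as the version is the stronger long-term option.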
Thanks, this LGTM.
We have some long term plans around addressing sensitive data in general, but this doesn't seem to go against it in any way.
I just modified the test slightly to make it deterministic so that we can reproduce failures more easily if the test does fail.
This has been released in terraform-provider-aws version 1.7.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
* commit 'b9284490eff637460fef663794a496d363e19f10': (190 commits)
  v1.7.0
  Update CHANGELOG.md
  d/aws_ssm_parameter: Support returning raw encrypted SecureString value. (hashicorp#2777)
  Bump aws-sdk-go to v1.12.60
  Update CHANGELOG.md
  Add acceptance test for import + randomization
  Removed reference to Core fixes
  Add instructions for vendor updates
  Use AWS example instead of Azure
  Update CHANGELOG for hashicorp#2833
  Update CHANGELOG.md
  r/lb_target_group: Fix validation rules for LB's healthcheck
  Update CHANGELOG for hashicorp#2911
  r/aws_guardduty_member: Provide given ID in error message when incorrect format
  Update CHANGELOG.md
  Update CHANGELOG with hashicorp#2888
  r/aws_guardduty_member: hashicorp#2911 PR review
  r/aws_cloudwatch_event_permission: hashicorp#2888 PR review
  Makefile: Fixed test outputs
  resource/aws_lb+aws_elb: Fix regression with undefined 'name'
  ...

# Conflicts:
#   .gitignore
#   aws/data_source_aws_s3_bucket_object.go
#   aws/resource_aws_elasticsearch_domain.go
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!