
Extend oci_kms_key to allow to import External key

Open kostasns opened this issue 3 years ago • 6 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

To be compliant with Schrems II we import our own key as master key. It does not seem to be possible via the Terraform provider.

New or Affected Resource(s)

oci_kms_key Data Source: oci_kms_vault

Potential Terraform Configuration

Don't have an example yet, but I would assume there would need to be an ability to retrieve the wrapping key from the kms_vault data source, and, of course, the ability to provide the wrapped key to oci_kms_key.

References

https://www.gdprsummary.com/schrems-ii/

kostasns avatar Feb 22 '21 12:02 kostasns

Thank you for your suggestion. We have opened a feature request with the KMS team.

zexinwanoci avatar Feb 22 '21 21:02 zexinwanoci

Hello @kostasns, for Terraform to be able to support this feature, we would store your key in the .tfstate file, which is a security violation, so we cannot support this. Unfortunately we can not implement this. Let me know if you are satisfied so we can close this ticket.

zexinwanoci avatar Mar 01 '21 22:03 zexinwanoci

No offense, but this feels like a made-up reason. For example, you have no problem providing a private key for certificates: https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/load_balancer_certificate

also this https://www.hashicorp.com/blog/terraform-0-14-adds-the-ability-to-redact-sensitive-values-in-console-output

As you might’ve guessed - I’m not satisfied. So our option is to build a wrapper around TF to import key before running terraform itself?

kostasns avatar Mar 02 '21 05:03 kostasns
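The issue body proposes feeding a wrapped key to oci_kms_key, and the comment above asks whether a wrapper around Terraform has to do the import step itself. The following Go program, added here as an illustration and not code from the terraform-provider-oci project, shows the client-side half of that flow: raw AES key material is wrapped under a vault's public wrapping key with RSA-OAEP/SHA-256 (the scheme is an assumption based on common BYOK import flows, not something this thread states), and only the wrapped blob, base64-encoded, would ever need to reach a Terraform argument or the state file. A locally generated RSA key pair stands in for the vault's wrapping key; the unwrap function exists only to prove the round trip, since in a real vault the private half never leaves the service.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"log"
)

// NewVaultWrappingKey generates an RSA key pair that stands in for the
// vault's wrapping key (constructed for this example; a real vault only
// ever publishes the public half).
func NewVaultWrappingKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// NewKeyMaterial produces the customer-held AES-256 key (32 random bytes)
// that must never be written to the Terraform state.
func NewKeyMaterial() ([]byte, error) {
	km := make([]byte, 32)
	if _, err := rand.Read(km); err != nil {
		return nil, err
	}
	return km, nil
}

// WrapKeyMaterial encrypts the raw key under the vault's public wrapping key
// with RSA-OAEP (SHA-256). The result is what a pre-Terraform wrapper script
// would hand to the import API or to a resource argument.
func WrapKeyMaterial(wrappingPub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, wrappingPub, keyMaterial, nil)
}

// UnwrapKeyMaterial is the service-side step, included only to verify the
// round trip; the private wrapping key stays inside the vault in practice.
func UnwrapKeyMaterial(wrappingPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, wrappingPriv, wrapped, nil)
}

// ImportPayload encodes the wrapped blob for transport. This string, not the
// raw key, is the only secret-derived value Terraform would have to carry.
func ImportPayload(wrapped []byte) string {
	return base64.StdEncoding.EncodeToString(wrapped)
}

// ContainsPlaintext reports whether the wrapped blob leaks the raw key bytes,
// the property that makes storing it in state far less sensitive than the key.
func ContainsPlaintext(wrapped, keyMaterial []byte) bool {
	return bytes.Contains(wrapped, keyMaterial)
}

func main() {
	vaultKey, err := NewVaultWrappingKey()
	if err != nil {
		log.Fatal(err)
	}
	km, err := NewKeyMaterial()
	if err != nil {
		log.Fatal(err)
	}
	wrapped, err := WrapKeyMaterial(&vaultKey.PublicKey, km)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("wrapped blob: %d bytes, leaks plaintext: %v\n", len(wrapped), ContainsPlaintext(wrapped, km))
	fmt.Printf("import payload (safe for a Terraform argument): %s...\n", ImportPayload(wrapped)[:32])

	// Service-side check that the material survives the trip intact.
	got, err := UnwrapKeyMaterial(vaultKey, wrapped)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("round trip ok: %v\n", bytes.Equal(got, km))
}
```

The practical consequence for the thread's argument: a resource that accepts the already-wrapped blob stores nothing an attacker could use without also compromising the vault's private wrapping key, whereas a resource that accepted raw key material and wrapped it internally would indeed put the plaintext in state.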

Hi @kostasns, to confirm, are you requesting this function https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/importingkeys.htm to be supported by Terraform?

jotruon avatar Mar 03 '21 00:03 jotruon

Hi @jotruon, Yes, this is correct.

kostasns avatar Mar 03 '21 17:03 kostasns

Hi - I was pretty baffled myself not to have this API supported in Terraform. This severely undermines the usefulness of using Terraform at all for a few scenarios where BYOK is mandatory.

> we would store your key in the .tfstate file, which is a security violation, so we cannot support this. Unfortunately we can not implement this.

I agree with @kostasns, this doesn't make any sense. Please leave the user the choice of where and how to store their sensitive pieces of information, like HashiCorp does with some of their resources (e.g. the tls_private_key resource).

blacksd avatar Aug 22 '22 08:08 blacksd