terraform-provider-oci
Extend oci_kms_key to allow to import External key
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
To be compliant with Schrems II we import our own key as master key. It does not seem to be possible via the Terraform provider.
New or Affected Resource(s)
oci_kms_key
Data Source: oci_kms_vault
Potential Terraform Configuration
Don't have an example yet, but I would assume there would need to be an ability to retrieve the wrapping key from the kms_vault data source. And of course the ability to provide the wrapped key to oci_kms_key.
References
https://www.gdprsummary.com/schrems-ii/
Thank you for your suggestion. We have opened a feature request with the KMS team.
Hello @kostasns, for Terraform to be able to support this feature, we would store your key in the .tfstate file, which is a security violation, so we cannot support this. Unfortunately we cannot implement this. Let me know if you are satisfied so we can close this ticket.
No offense, but this feels like a made-up reason. For example, you have no problem providing a private key for certificates: https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/load_balancer_certificate
also this https://www.hashicorp.com/blog/terraform-0-14-adds-the-ability-to-redact-sensitive-values-in-console-output
As you might’ve guessed - I’m not satisfied. So our option is to build a wrapper around TF to import key before running terraform itself?
Hi @kostasns, to confirm, are you requesting this function https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/importingkeys.htm to be supported by Terraform?
Hi @jotruon, Yes, this is correct.
Hi - I was pretty baffled myself not to have this API supported in Terraform. This severely undermines the usefulness of using Terraform at all for a few scenarios where BYOK is mandatory.
we would store your key in the .tfstate file, which is a security violation, so we cannot support this. Unfortunately we cannot implement this.
I agree with @kostasns, this doesn't make any sense. Please leave the user the choice of where and how to store their sensitive pieces of information, like HashiCorp does with some of their resources (e.g. the tls_private_key resource).
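The maintainer's objection (key material would land in .tfstate) and the counter-examples raised in the thread (oci_load_balancer_certificate, tls_private_key) can be checked directly against a state file. The following is an added example, not code from the provider or from anyone in this thread: a stdlib-only Python scanner over a Terraform state file (format version 4) that reports which resource instances carry private-key attributes and whether Terraform marked them sensitive, since that marking only redacts plan/apply output and the value is still written to state verbatim. The attribute-name mapping and the sample state are constructed assumptions for this example.

```python
import json

# Attribute names assumed to hold private key material for the two resource
# types named in the thread (assumption of this example, not provider metadata).
SECRET_ATTRIBUTES = {
    "oci_load_balancer_certificate": ("private_key",),
    "tls_private_key": ("private_key_pem", "private_key_openssh"),
}

def _sensitive_names(instance):
    """State v4 stores sensitive paths as [[{"type":"get_attr","value":NAME}], ...]."""
    names = set()
    for path in instance.get("sensitive_attributes", []):
        if path and isinstance(path[0], dict):
            names.add(path[0].get("value"))
    return names

def find_secrets_in_state(state):
    """Return one finding per private-key attribute present in the state.
    'marked_sensitive' only affects console redaction; the plaintext is in the file."""
    findings = []
    for res in state.get("resources", []):
        wanted = SECRET_ATTRIBUTES.get(res.get("type"))
        if not wanted:
            continue  # resource type not known to carry key material
        module = res.get("module")  # absent for root-module resources
        address = f'{module + "." if module else ""}{res["type"]}.{res["name"]}'
        for inst in res.get("instances", []):
            marked = _sensitive_names(inst)
            for name in wanted:
                if inst.get("attributes", {}).get(name):
                    findings.append({"address": address, "attribute": name,
                                     "marked_sensitive": name in marked})
    return findings

# Constructed sample state: one key marked sensitive, one not, one unrelated resource.
SAMPLE_STATE = json.loads("""{"version": 4, "resources": [
 {"mode": "managed", "type": "tls_private_key", "name": "lb", "instances": [
  {"attributes": {"algorithm": "RSA", "private_key_pem": "-----BEGIN RSA PRIVATE KEY-----\\nEXAMPLE\\n-----END RSA PRIVATE KEY-----\\n"},
   "sensitive_attributes": [[{"type": "get_attr", "value": "private_key_pem"}]]}]},
 {"mode": "managed", "type": "oci_load_balancer_certificate", "name": "lb", "instances": [
  {"attributes": {"certificate_name": "lb-cert", "private_key": "-----BEGIN PRIVATE KEY-----\\nEXAMPLE\\n-----END PRIVATE KEY-----\\n"},
   "sensitive_attributes": []}]},
 {"mode": "managed", "type": "oci_kms_vault", "name": "v", "instances": [
  {"attributes": {"display_name": "vault"}, "sensitive_attributes": []}]}]}""")

if __name__ == "__main__":
    for f in find_secrets_in_state(SAMPLE_STATE):
        print(f"{f['address']}.{f['attribute']}: plaintext in state, "
              f"marked sensitive={f['marked_sensitive']}")
```

Run it against a real state with `find_secrets_in_state(json.load(open("terraform.tfstate")))`; any finding is key material that must be protected by state-backend access control and encryption, regardless of the sensitive flag.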