
No way to read vault secret data

Open ITD27M01 opened this issue 3 years ago • 5 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

There is no way to read vault secret data from the Vault service; all the resources and data sources provide only a way to retrieve useless metadata. Currently I have to use a Python hook:

from base64 import b64decode
import oci


def _get_secret_bundle_client(oci_config):
    # Secrets data-plane client, built from the same config dict the provider uses
    return oci.secrets.SecretsClient(oci_config)


def _get_secret_data(oci_config, secret):
    secret_bundle_client = _get_secret_bundle_client(oci_config)

    secret_bundle_response = secret_bundle_client.get_secret_bundle(secret_id=secret.id)
    if secret_bundle_response.status == 200:
        # The service returns the secret body base64-encoded
        return b64decode(secret_bundle_response.data.secret_bundle_content.content).decode()
    else:
        raise ValueError("Something went wrong during secret data get")

New or Affected Resource(s)

  • oci_vault_secret_bundle
  • oci_vault_secret

Potential Terraform Configuration

data "oci_vault_secret_bundle" "test_secret_bundle" {
    #Required
    secret_id = oci_vault_secret.test_secret.id
}

// data.oci_vault_secret_bundle.test_secret_bundle.data == "c29tZV9zdXBlcl9zZWNyZXQ="

References

https://registry.terraform.io/providers/hashicorp/oci/latest/docs/data-sources/vault_secret

ITD27M01 avatar Apr 01 '21 08:04 ITD27M01
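The hook above is usually wired into Terraform through the hashicorp/external provider's data source, which runs a program, passes it a JSON object of strings on stdin and expects a JSON object of strings on stdout. The following is an added example of that contract, not code from the issue or from the OCI provider. It assumes the `oci` Python SDK (`oci.secrets.SecretsClient`, `oci.config.from_file()`) and a hypothetical query key `secret_id`; the client is injectable so the protocol handling can be exercised without network access. Note the caveat the maintainers raise below: the result of an `external` data source is itself written to the state file, so this moves the secret into state just as a native data source would.

```python
import base64
import json
import sys


def fetch_secret_plaintext(secret_id, client=None):
    """Fetch and decode the current bundle of one vault secret.

    `client` is injected for testing; in real use it is an
    oci.secrets.SecretsClient built from the default SDK config file.
    """
    if client is None:
        import oci  # imported lazily so the protocol code runs without the SDK
        client = oci.secrets.SecretsClient(oci.config.from_file())
    resp = client.get_secret_bundle(secret_id=secret_id)
    if resp.status != 200:
        raise RuntimeError(f"get_secret_bundle returned HTTP {resp.status}")
    # The service returns the secret body base64-encoded (content_type BASE64)
    return base64.b64decode(resp.data.secret_bundle_content.content).decode()


def handle_query(query, client=None):
    """Implement the `external` data source contract: JSON object of strings in, JSON object of strings out."""
    secret_id = query.get("secret_id")
    if not secret_id:
        raise ValueError("query must contain 'secret_id'")
    return {"value": fetch_secret_plaintext(secret_id, client)}


def main():
    # Terraform side (assumed wiring, hypothetical names):
    #
    #   data "external" "db_password" {
    #     program = ["python3", "${path.module}/get_secret.py"]
    #     query   = { secret_id = var.db_password_secret_ocid }
    #   }
    #   # data.external.db_password.result.value holds the plaintext
    #   # and is persisted in terraform.tfstate like any other data source result.
    query = json.load(sys.stdin)
    json.dump(handle_query(query), sys.stdout)


if __name__ == "__main__":
    main()
```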

Hi @ITD27M01 -- Fetching secret data in Terraform has been intentionally omitted. This is due to the fact that it's a security concern. Implementing secrets in Terraform results in secret content getting stored in the Terraform state file.

varmax2511 avatar Apr 09 '21 16:04 varmax2511

Hi @varmax2511

Due to the lack of such functionality, are there any suggestions for dealing with sensitive params in Terraform configuration?

For example, oci_load_balancer_certificate and oci_core_ipsec_connection_tunnel_management have params such as private_key and shared_secret, and we need a way to pass these values in a secure way.

[1] https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/load_balancer_certificate
[2] https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/core_ipsec_connection_tunnel_management

ITD27M01 avatar Apr 09 '21 18:04 ITD27M01

Issues #1226 and #1266 (possibly others?) have asked this same question. In both of those, the same response "this would allow sensitive data in the state file; so 'no'" was offered. Then and now, I have yet to see a rationale for why only this specific case of secret bundles with "sensitive" information in the state file is excluded.

There are numerous other instances of sensitive data in the state for OCI as well as other providers (see issue #1266 for examples). In OCI we see database SYS passwords and TLS certificate private keys stored there to name a couple. Certainly the lesson is "protect the state file" whether Terraform is used across multiple providers or for OCI only.

Until then, suggesting that secret bundles alone are prohibited "for security" may leave a false impression that the state file doesn't contain sensitive information. Knowing that isn't true, it seems reasonable to me that secret bundles also be allowed like the other examples of sensitive information while simply emphasizing the same general warning to "protect the state file."

jeliker avatar Apr 12 '21 09:04 jeliker
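The point made above, that the state file already carries passwords and private keys for existing OCI resources, is easy to check on your own state. The following is an added example, not code from the issue or from the provider: a small scanner over the raw Terraform state JSON (the `version: 4` format written by `terraform apply`, not the `terraform show -json` output) that reports resource attributes whose names look like secret material and whose values are non-empty strings. The list of sensitive attribute names and the sample state embedded below are constructed for the example; the resource types mirror those named in the thread.

```python
import json
import re
import sys

# Attribute names that commonly carry secret material in provider schemas (assumed list).
SENSITIVE_ATTR = re.compile(r"(password|private_key|shared_secret|secret|token|passphrase)", re.IGNORECASE)
# Identifiers and names of secrets are metadata, not the secret itself; skip them.
NOT_SECRET = re.compile(r"(_id|_ids|_ocid|_name|_names)$", re.IGNORECASE)


def find_sensitive_values(state):
    """Return (resource address, attribute path, value) for every string attribute
    in a v4 Terraform state whose name looks sensitive."""
    findings = []
    for res in state.get("resources", []):
        base = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            base = "data." + base
        module = res.get("module")
        address = f"{module}.{base}" if module else base
        for inst in res.get("instances", []):
            key = inst.get("index_key")
            inst_addr = f"{address}[{json.dumps(key)}]" if key is not None else address
            _walk(inst.get("attributes", {}), inst_addr, "", findings)
    return findings


def _walk(node, address, path, findings):
    # Recurse through nested blocks (dicts) and block lists; only leaf strings are reported.
    if isinstance(node, dict):
        for k, v in node.items():
            sub = f"{path}.{k}" if path else k
            if isinstance(v, str) and v and SENSITIVE_ATTR.search(k) and not NOT_SECRET.search(k):
                findings.append((address, sub, v))
            else:
                _walk(v, address, sub, findings)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, address, f"{path}[{i}]", findings)


def scan_state_file(path):
    """Load a terraform.tfstate file from disk and scan it."""
    with open(path, encoding="utf-8") as fh:
        return find_sensitive_values(json.load(fh))


# Constructed sample state: a DB system with an admin password, a load balancer
# certificate with its private key, and the metadata-only oci_vault_secret data source.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "0.14.10",
    "resources": [
        {"mode": "managed", "type": "oci_database_db_system", "name": "MYdb",
         "instances": [{"schema_version": 0, "attributes": {
             "compartment_id": "ocid1.compartment.oc1..example",
             "cpu_core_count": 2,
             "db_home": [{"database": [{"admin_password": "Sup3rS3cret#1", "db_name": "MYDB"}]}]}}]},
        {"mode": "managed", "type": "oci_load_balancer_certificate", "name": "lb_cert",
         "instances": [{"schema_version": 0, "attributes": {
             "certificate_name": "example-cert",
             "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----",
             "public_certificate": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----"}}]},
        {"mode": "data", "type": "oci_vault_secret", "name": "test_secret",
         "instances": [{"schema_version": 0, "attributes": {
             "secret_id": "ocid1.vaultsecret.oc1..example",
             "secret_name": "db-admin-password",
             "lifecycle_state": "ACTIVE"}}]},
    ],
}


if __name__ == "__main__":
    findings = scan_state_file(sys.argv[1]) if len(sys.argv) > 1 else find_sensitive_values(SAMPLE_STATE)
    for address, attr, value in findings:
        # Print only a prefix so the report itself does not become a secret dump.
        print(f"{address}: {attr} = {value[:8]}...")
```

Run it against a real state with `python3 scan_state.py terraform.tfstate`. On the sample it reports the DB admin password and the certificate private key and nothing for the `oci_vault_secret` data source, which is exactly the contrast the comment above draws: the metadata-only data source is safe for state, the existing resources are not, and in both cases the operative control is protecting the state file.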

Also, it would be nice to read the secret value from the vault in order to use it as a "private" variable. For example, on OCI when you create a database, the sys/system password would be entered from a vault secret, and I think that the data does not stay in the state file. For example:

data "oci_vault_secret" "test_secret" {
  secret_id = var.mysecret
}

resource "oci_database_db_system" "MYdb" {
  availability_domain     = data.template_file.ad_names.0.rendered
  compartment_id          = oci_identity_compartment.Database_compartment.id
  cpu_core_count          = "2"
  data_storage_percentage = "80"
  data_storage_size_in_gb = "256"
  database_edition        = "STANDARD_EDITION"
  db_home {
    database {
      admin_password = data.oci_vault_secret.test_secret.base64value # << for example
    }
  }
}

ortiz-kuakside avatar Nov 17 '21 11:11 ortiz-kuakside

I agree. This is how people use secrets in AWS: save the secret in a vault and then read the value out to provision other resources in Terraform, which is a must-have feature.

suyah avatar Feb 08 '22 23:02 suyah

We are very sorry that we couldn't respond to each and every issue reported on GitHub. Although we have refined the process to prioritize customer issues on GitHub, since this issue was reported a while ago, there is a good chance it may have been fixed in the latest version of Terraform Provider OCI.

If you are still experiencing this issue, please create a new issue and label it as Bug.

ravinitp avatar May 04 '23 07:05 ravinitp