[AWS] Extract tls_private_key resource from hashicorp/tls provider into an insecure module (#220)

* Extract `tls_private_key` resource from `hashicorp/tls` provider into an insecure module

* Address comment

Author: roger2hk

deployment/modules/aws/insecuretlskey/README.md

@@ -0,0 +1,3 @@
+# [WARNING]
+# This module will store unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.

deployment/modules/aws/insecuretlskey/main.tf

@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.6"
+    }
+  }
+}
+
+# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
+#
+# Security Notice
+# The private key generated by this resource will be stored unencrypted in your 
+# Terraform state file. Use of this resource for production deployments is not 
+# recommended.
+#
+# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
+resource "tls_private_key" "ecdsa_p256" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}

deployment/modules/aws/insecuretlskey/outputs.tf

@@ -0,0 +1,9 @@
+output "tls_private_key_ecdsa_p256_public_key_pem" {
+  value     = tls_private_key.ecdsa_p256.public_key_pem
+  sensitive = true
+}
+
+output "tls_private_key_ecdsa_p256_private_key_pem" {
+  value     = tls_private_key.ecdsa_p256.private_key_pem
+  sensitive = true
+}

deployment/modules/aws/secretsmanager/main.tf

@@ -13,20 +13,6 @@ provider "aws" {
 }
 
 # Secrets Manager
-
-# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
-#
-# Security Notice
-# The private key generated by this resource will be stored unencrypted in your 
-# Terraform state file. Use of this resource for production deployments is not 
-# recommended.
-#
-# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
-resource "tls_private_key" "sctfe_ecdsa_p256" {
-  algorithm   = "ECDSA"
-  ecdsa_curve = "P256"
-}
-
 resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_public_key" {
   name = "${var.base_name}-ecdsa-p256-public-key"
 
@@ -36,8 +22,8 @@ resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_public_key" {
 }
 
 resource "aws_secretsmanager_secret_version" "sctfe_ecdsa_p256_public_key" {
-  secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_public_key.id
-  secret_string = tls_private_key.sctfe_ecdsa_p256.public_key_pem
+  secret_id     = aws_secretsmanager_secret.sctfe_ecdsa_p256_public_key.id
+  secret_string = var.tls_private_key_ecdsa_p256_public_key_pem
 }
 
 resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_private_key" {
@@ -49,6 +35,6 @@ resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_private_key" {
 }
 
 resource "aws_secretsmanager_secret_version" "sctfe_ecdsa_p256_private_key" {
-  secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_private_key.id
-  secret_string = tls_private_key.sctfe_ecdsa_p256.private_key_pem
+  secret_id     = aws_secretsmanager_secret.sctfe_ecdsa_p256_private_key.id
+  secret_string = var.tls_private_key_ecdsa_p256_private_key_pem
 }

deployment/modules/aws/secretsmanager/variables.tf

@@ -7,3 +7,15 @@ variable "region" {
   description = "Region in which to create resources"
   type        = string
 }
+
+variable "tls_private_key_ecdsa_p256_public_key_pem" {
+  description = "Public ECDSA key with P256 elliptic curve in PEM format."
+  type        = string
+  sensitive   = true
+}
+
+variable "tls_private_key_ecdsa_p256_private_key_pem" {
+  description = "Private ECDSA key with P256 elliptic curve in PEM format."
+  type        = string
+  sensitive   = true
+}

deployment/modules/aws/tesseract/test/main.tf

@@ -14,6 +14,15 @@ module "storage" {
 module "secretsmanager" {
   source = "../../secretsmanager"
 
-  base_name = var.base_name
-  region    = var.region
+  base_name                                  = var.base_name
+  region                                     = var.region
+  tls_private_key_ecdsa_p256_public_key_pem  = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+  tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will store unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+  source = "../../insecuretlskey"
 }