lines changed 7 files changed +67
-17
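--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
+# [WARNING]
+# This module will hardcode unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.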
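--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
+terraform {
+  required_providers {
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.6"
+    }
+  }
+}
+
+# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
+#
+# Security Notice
+# The private key generated by this resource will be stored unencrypted in your
+# Terraform state file. Use of this resource for production deployments is not
+# recommended.
+#
+# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
+resource "tls_private_key" "ecdsa_p256" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}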
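--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
+output "tls_private_key_ecdsa_p256_public_key_pem" {
+  value     = tls_private_key.ecdsa_p256.public_key_pem
+  sensitive = true
+}
+
+output "tls_private_key_ecdsa_p256_private_key_pem" {
+  value     = tls_private_key.ecdsa_p256.private_key_pem
+  sensitive = true
+}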
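--- a/PATH_NOT_SHOWN_ON_PAGE_4
+++ b/PATH_NOT_SHOWN_ON_PAGE_4
@@ -14,19 +14,6 @@ resource "google_project_service" "secretmanager_googleapis_com" {
   disable_on_destroy = false
 }
 
-# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
-#
-# Security Notice
-# The private key generated by this resource will be stored unencrypted in your
-# Terraform state file. Use of this resource for production deployments is not
-# recommended.
-#
-# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
-resource "tls_private_key" "sctfe_ecdsa_p256" {
-  algorithm   = "ECDSA"
-  ecdsa_curve = "P256"
-}
-
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
   secret_id = "${var.base_name}-ecdsa-p256-public-key"
 
@@ -44,7 +31,7 @@ resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
 resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_public_key" {
   secret      = google_secret_manager_secret.sctfe_ecdsa_p256_public_key.id
 
-  secret_data = tls_private_key.sctfe_ecdsa_p256.public_key_pem
+  secret_data = var.tls_private_key_ecdsa_p256_public_key_pem
 }
 
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
@@ -64,5 +51,5 @@ resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
 resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_private_key" {
   secret      = google_secret_manager_secret.sctfe_ecdsa_p256_private_key.id
 
-  secret_data = tls_private_key.sctfe_ecdsa_p256.private_key_pem
+  secret_data = var.tls_private_key_ecdsa_p256_private_key_pem
 }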
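Review bot: Removing `tls_private_key.sctfe_ecdsa_p256` from this module changes the key's resource address, so a plain apply of this commit destroys the existing key and the new `module.insecuretlskey` generates a different one, which is then written as a new version of both secrets in the second and third hunks. If the key already stored in Secret Manager has to survive the upgrade, the two deployment root modules further down (the `module "secretmanager"` sections) need a `moved` block with `from = module.secretmanager.tls_private_key.sctfe_ecdsa_p256` and `to = module.insecuretlskey.tls_private_key.ecdsa_p256`, which Terraform 1.1 and later accepts for cross-module moves. If replacing the key is the intent, a one-line comment on the `secret_data` lines saying so (`# Key now comes from module.insecuretlskey; applying this rotates it.`) would save the next reader from adding that block. Note that even with the input variables marked sensitive, the private key still sits in plaintext in the root state as a module output and as this resource's `secret_data`, which the new WARNING comments already say but this module's own comments no longer do.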
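--- a/PATH_NOT_SHOWN_ON_PAGE_5
+++ b/PATH_NOT_SHOWN_ON_PAGE_5
@@ -2,3 +2,15 @@ variable "base_name" {
   description = "Base name to use when naming resources"
   type        = string
 }
+
+variable "tls_private_key_ecdsa_p256_public_key_pem" {
+  description = "Public ECDSA key with P256 elliptic curve in PEM format."
+  type        = string
+  sensitive   = true
+}
+
+variable "tls_private_key_ecdsa_p256_private_key_pem" {
+  description = "Private ECDSA key with P256 elliptic curve in PEM format."
+  type        = string
+  sensitive   = true
+}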
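Review bot: Both new variables are typed as a bare `string`, so an empty value, a file path passed instead of its contents, or a non-PEM blob is accepted at plan time and only surfaces when a consumer tries to parse the secret version; a `validation` block requiring a PEM header turns that into a plan-time error. Separately, marking the public-key variable `sensitive = true` (and the matching output in the insecuretlskey outputs section above) redacts the public key from `terraform plan`, so a key replacement cannot be reviewed from the diff; the public key is not a secret and could be left non-sensitive so that rotations are visible. The `variable "base_name"` block this hunk starts inside begins before the hunk.
```hcl
variable "tls_private_key_ecdsa_p256_private_key_pem" {
  # … unchanged: description, type, sensitive …

  validation {
    condition     = can(regex("^-----BEGIN ", var.tls_private_key_ecdsa_p256_private_key_pem))
    error_message = "Expected a PEM-encoded private key."
  }
}
# … same validation block, referencing its own variable, on tls_private_key_ecdsa_p256_public_key_pem …
```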
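--- a/PATH_NOT_SHOWN_ON_PAGE_6
+++ b/PATH_NOT_SHOWN_ON_PAGE_6
@@ -14,7 +14,16 @@ module "storage" {
 module "secretmanager" {
   source = "../../secretmanager"
 
-  base_name = var.base_name
+  base_name                                  = var.base_name
+  tls_private_key_ecdsa_p256_public_key_pem  = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+  tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will hardcode unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+  source = "../../insecuretlskey"
 }
 
 module "cloudrun" {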
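--- a/PATH_NOT_SHOWN_ON_PAGE_7
+++ b/PATH_NOT_SHOWN_ON_PAGE_7
@@ -14,5 +14,14 @@ module "storage" {
 module "secretmanager" {
   source = "../../secretmanager"
 
-  base_name = var.base_name
+  base_name                                  = var.base_name
+  tls_private_key_ecdsa_p256_public_key_pem  = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+  tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will hardcode unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+  source = "../../insecuretlskey"
 }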