
Commit ed315fc

committed
Extract tls_private_key resource from hashicorp/tls provider into an insecure module
1 parent 2940bba commit ed315fc


7 files changed

+67
-17
lines changed

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
# [WARNING]
2+
# This module will hardcode unencrypted private keys in the Terraform state file.
3+
# DO NOT use this for production logs.
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
terraform {
2+
required_providers {
3+
tls = {
4+
source = "hashicorp/tls"
5+
version = "4.0.6"
6+
}
7+
}
8+
}
9+
10+
# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
11+
#
12+
# Security Notice
13+
# The private key generated by this resource will be stored unencrypted in your
14+
# Terraform state file. Use of this resource for production deployments is not
15+
# recommended.
16+
#
17+
# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
18+
resource "tls_private_key" "ecdsa_p256" {
19+
algorithm = "ECDSA"
20+
ecdsa_curve = "P256"
21+
}
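Review bot: The `version = "4.0.6"` constraint on the tls provider is an exact pin inside a child module; Terraform intersects the provider constraints of every module in a configuration, so if any sibling module constrains hashicorp/tls to a different exact version, `terraform init` fails and the root module has no way to reconcile them. For a shared module the usual shape is a pessimistic constraint, `version = "~> 4.0"`, with the exact version held in the dependency lock file `.terraform.lock.hcl`. This is a style point; the exact pin is acceptable if this module is only consumed from within this repository, but the file path for this section is not shown on the page, so I cannot tell whether the secretmanager module still carries its own tls requirement.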
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
output "tls_private_key_ecdsa_p256_public_key_pem" {
2+
value = tls_private_key.ecdsa_p256.public_key_pem
3+
sensitive = true
4+
}
5+
6+
output "tls_private_key_ecdsa_p256_private_key_pem" {
7+
value = tls_private_key.ecdsa_p256.private_key_pem
8+
sensitive = true
9+
}

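--- a/deployment/modules/gcp/secretmanager/main.tf
+++ b/deployment/modules/gcp/secretmanager/main.tf
@@ -14,19 +14,6 @@ resource "google_project_service" "secretmanager_googleapis_com" {
 disable_on_destroy = false
 }
 
-# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
-#
-# Security Notice
-# The private key generated by this resource will be stored unencrypted in your
-# Terraform state file. Use of this resource for production deployments is not
-# recommended.
-#
-# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
-resource "tls_private_key" "sctfe_ecdsa_p256" {
-algorithm = "ECDSA"
-ecdsa_curve = "P256"
-}
-
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
 secret_id = "${var.base_name}-ecdsa-p256-public-key"
 
@@ -44,7 +31,7 @@ resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
 resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_public_key" {
 secret = google_secret_manager_secret.sctfe_ecdsa_p256_public_key.id
 
-secret_data = tls_private_key.sctfe_ecdsa_p256.public_key_pem
+secret_data = var.tls_private_key_ecdsa_p256_public_key_pem
 }
 
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
@@ -64,5 +51,5 @@ resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
 resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_private_key" {
 secret = google_secret_manager_secret.sctfe_ecdsa_p256_private_key.id
 
-secret_data = tls_private_key.sctfe_ecdsa_p256.private_key_pem
+secret_data = var.tls_private_key_ecdsa_p256_private_key_pem
 }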

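--- a/deployment/modules/gcp/secretmanager/variables.tf
+++ b/deployment/modules/gcp/secretmanager/variables.tf
@@ -2,3 +2,15 @@ variable "base_name" {
 description = "Base name to use when naming resources"
 type = string
 }
+
+variable "tls_private_key_ecdsa_p256_public_key_pem" {
+description = "Public ECDSA key with P256 elliptic curve in PEM format."
+type = string
+sensitive = true
+}
+
+variable "tls_private_key_ecdsa_p256_private_key_pem" {
+description = "Private ECDSA key with P256 elliptic curve in PEM format."
+type = string
+sensitive = true
+}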

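--- a/deployment/modules/gcp/tesseract/conformance/main.tf
+++ b/deployment/modules/gcp/tesseract/conformance/main.tf
@@ -14,7 +14,16 @@ module "storage" {
 module "secretmanager" {
 source = "../../secretmanager"
 
-base_name = var.base_name
+base_name = var.base_name
+tls_private_key_ecdsa_p256_public_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will hardcode unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+source = "../../insecuretlskey"
 }
 
 module "cloudrun" {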
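Review bot: Relocating the key resource out of `module.secretmanager` into the new `module.insecuretlskey` block without a `moved` block means an already-applied deployment will, on its next apply, destroy `module.secretmanager.tls_private_key.sctfe_ecdsa_p256` and create `module.insecuretlskey.tls_private_key.ecdsa_p256`, so the key pair and both Secret Manager secret versions are replaced. If continuity of the existing key matters, add a `moved` block in this file with `from = module.secretmanager.tls_private_key.sctfe_ecdsa_p256` and `to = module.insecuretlskey.tls_private_key.ecdsa_p256`; otherwise the silent key rotation should at least be stated in the commit message. The same applies to deployment/modules/gcp/tesseract/test/main.tf. Given the module is explicitly documented as non-production, the rotation may be acceptable, but it is not mentioned anywhere in the commit.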

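--- a/deployment/modules/gcp/tesseract/test/main.tf
+++ b/deployment/modules/gcp/tesseract/test/main.tf
@@ -14,5 +14,14 @@ module "storage" {
 module "secretmanager" {
 source = "../../secretmanager"
 
-base_name = var.base_name
+base_name = var.base_name
+tls_private_key_ecdsa_p256_public_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will hardcode unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+source = "../../insecuretlskey"
 }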
