Extract tls_private_key resource from hashicorp/tls provider into an insecure module

roger2hk · roger2hk · commit ed315fcfa4ee · 2025-03-26T18:59:30.000Z
diff --git a/deployment/modules/gcp/insecuretlskey/README.md b/deployment/modules/gcp/insecuretlskey/README.md
@@ -0,0 +1,3 @@
+# [WARNING]
+# This module will hardcode unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
diff --git a/deployment/modules/gcp/insecuretlskey/main.tf b/deployment/modules/gcp/insecuretlskey/main.tf
@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.6"
+    }
+  }
+}
+
+# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
+#
+# Security Notice
+# The private key generated by this resource will be stored unencrypted in your 
+# Terraform state file. Use of this resource for production deployments is not 
+# recommended.
+#
+# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
+resource "tls_private_key" "ecdsa_p256" {
+  algorithm   = "ECDSA"
+  ecdsa_curve = "P256"
+}
diff --git a/deployment/modules/gcp/insecuretlskey/outputs.tf b/deployment/modules/gcp/insecuretlskey/outputs.tf
@@ -0,0 +1,9 @@
+output "tls_private_key_ecdsa_p256_public_key_pem" {
+  value     = tls_private_key.ecdsa_p256.public_key_pem
+  sensitive = true
+}
+
+output "tls_private_key_ecdsa_p256_private_key_pem" {
+  value     = tls_private_key.ecdsa_p256.private_key_pem
+  sensitive = true
+}
diff --git a/deployment/modules/gcp/secretmanager/main.tf b/deployment/modules/gcp/secretmanager/main.tf
@@ -14,19 +14,6 @@ resource "google_project_service" "secretmanager_googleapis_com" {
   disable_on_destroy = false
 }
 
-# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
-#
-# Security Notice
-# The private key generated by this resource will be stored unencrypted in your 
-# Terraform state file. Use of this resource for production deployments is not 
-# recommended.
-#
-# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
-resource "tls_private_key" "sctfe_ecdsa_p256" {
-  algorithm   = "ECDSA"
-  ecdsa_curve = "P256"
-}
-
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
   secret_id = "${var.base_name}-ecdsa-p256-public-key"
 
@@ -44,7 +31,7 @@ resource "google_secret_manager_secret" "sctfe_ecdsa_p256_public_key" {
 resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_public_key" {
   secret = google_secret_manager_secret.sctfe_ecdsa_p256_public_key.id
 
-  secret_data = tls_private_key.sctfe_ecdsa_p256.public_key_pem
+  secret_data = var.tls_private_key_ecdsa_p256_public_key_pem
 }
 
 resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
@@ -64,5 +51,5 @@ resource "google_secret_manager_secret" "sctfe_ecdsa_p256_private_key" {
 resource "google_secret_manager_secret_version" "sctfe_ecdsa_p256_private_key" {
   secret = google_secret_manager_secret.sctfe_ecdsa_p256_private_key.id
 
-  secret_data = tls_private_key.sctfe_ecdsa_p256.private_key_pem
+  secret_data = var.tls_private_key_ecdsa_p256_private_key_pem
 }
diff --git a/deployment/modules/gcp/secretmanager/variables.tf b/deployment/modules/gcp/secretmanager/variables.tf
@@ -2,3 +2,15 @@ variable "base_name" {
   description = "Base name to use when naming resources"
   type        = string
 }
+
+variable "tls_private_key_ecdsa_p256_public_key_pem" {
+  description = "Public ECDSA key with P256 elliptic curve in PEM format."
+  type        = string
+  sensitive   = true
+}
+
+variable "tls_private_key_ecdsa_p256_private_key_pem" {
+  description = "Private ECDSA key with P256 elliptic curve in PEM format."
+  type        = string
+  sensitive   = true
+}
diff --git a/deployment/modules/gcp/tesseract/conformance/main.tf b/deployment/modules/gcp/tesseract/conformance/main.tf
@@ -14,7 +14,16 @@ module "storage" {
 module "secretmanager" {
   source = "../../secretmanager"
 
-  base_name = var.base_name
+  base_name                                  = var.base_name
+  tls_private_key_ecdsa_p256_public_key_pem  = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+  tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will hardcode unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+  source = "../../insecuretlskey"
 }
 
 module "cloudrun" {
diff --git a/deployment/modules/gcp/tesseract/test/main.tf b/deployment/modules/gcp/tesseract/test/main.tf
@@ -14,5 +14,14 @@ module "storage" {
 module "secretmanager" {
   source = "../../secretmanager"
 
-  base_name = var.base_name
+  base_name                                  = var.base_name
+  tls_private_key_ecdsa_p256_public_key_pem  = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+  tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will hardcode unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+  source = "../../insecuretlskey"
 }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# [WARNING]`
	`2`	`+# This module will hardcode unencrypted private keys in the Terraform state file.`
	`3`	`+# DO NOT use this for production logs.`