From 3a9d025f40fa37cc173794b71ce9c9cd94bb9869 Mon Sep 17 00:00:00 2001
From: Roger Ng
Date: Wed, 26 Mar 2025 17:52:04 +0000
Subject: [PATCH 1/2] Extract `tls_private_key` resource from `hashicorp/tls` provider into an insecure module
---
 .../modules/aws/insecuretlskey/README.md | 3 +++
 deployment/modules/aws/insecuretlskey/main.tf | 21 ++++++++++++++++++
 .../modules/aws/insecuretlskey/outputs.tf | 9 ++++++++
 deployment/modules/aws/secretsmanager/main.tf | 22 ++++++++----------------
 .../modules/aws/secretsmanager/variables.tf | 12 ++++++++++
 deployment/modules/aws/tesseract/test/main.tf | 13 +++++++++--
 6 files changed, 60 insertions(+), 20 deletions(-)
 create mode 100644 deployment/modules/aws/insecuretlskey/README.md
 create mode 100644 deployment/modules/aws/insecuretlskey/main.tf
 create mode 100644 deployment/modules/aws/insecuretlskey/outputs.tf
diff --git a/deployment/modules/aws/insecuretlskey/README.md b/deployment/modules/aws/insecuretlskey/README.md
new file mode 100644
index 00000000..ce683cca
--- /dev/null
+++ b/deployment/modules/aws/insecuretlskey/README.md
@@ -0,0 +1,3 @@
+# [WARNING]
+# This module will hardcode unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
diff --git a/deployment/modules/aws/insecuretlskey/main.tf b/deployment/modules/aws/insecuretlskey/main.tf
new file mode 100644
index 00000000..d84f23fd
--- /dev/null
+++ b/deployment/modules/aws/insecuretlskey/main.tf
@@ -0,0 +1,21 @@
+terraform {
+ required_providers {
+ tls = {
+ source = "hashicorp/tls"
+ version = "4.0.6"
+ }
+ }
+}
+
+# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
+#
+# Security Notice
+# The private key generated by this resource will be stored unencrypted in your
+# Terraform state file. Use of this resource for production deployments is not
+# recommended.
+#
+# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
+resource "tls_private_key" "ecdsa_p256" {
+ algorithm = "ECDSA"
+ ecdsa_curve = "P256"
+}
diff --git a/deployment/modules/aws/insecuretlskey/outputs.tf b/deployment/modules/aws/insecuretlskey/outputs.tf
new file mode 100644
index 00000000..dccf986b
--- /dev/null
+++ b/deployment/modules/aws/insecuretlskey/outputs.tf
@@ -0,0 +1,9 @@
+output "tls_private_key_ecdsa_p256_public_key_pem" {
+ value = tls_private_key.ecdsa_p256.public_key_pem
+ sensitive = true
+}
+
+output "tls_private_key_ecdsa_p256_private_key_pem" {
+ value = tls_private_key.ecdsa_p256.private_key_pem
+ sensitive = true
+}
diff --git a/deployment/modules/aws/secretsmanager/main.tf b/deployment/modules/aws/secretsmanager/main.tf
index 50a7b79a..02e4557e 100644
--- a/deployment/modules/aws/secretsmanager/main.tf
+++ b/deployment/modules/aws/secretsmanager/main.tf
@@ -13,20 +13,6 @@ provider "aws" {
 }
 # Secrets Manager
-
-# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
-#
-# Security Notice
-# The private key generated by this resource will be stored unencrypted in your
-# Terraform state file. Use of this resource for production deployments is not
-# recommended.
-#
-# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
-resource "tls_private_key" "sctfe_ecdsa_p256" {
- algorithm = "ECDSA"
- ecdsa_curve = "P256"
-}
-
 resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_public_key" {
 name = "${var.base_name}-ecdsa-p256-public-key"
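Review bot: The header comment on `resource "tls_private_key" "ecdsa_p256"` repeats the provider's generic state warning but not what it means for this deployment: whoever can read the state backend of the test environment holds the key that (presumably, given the secret names) signs for the test log, and there is no rotation path other than replacing the resource. I would add two lines to that comment, `# Anyone with read access to this Terraform state can recover the private key; keep the test backend encrypted and access-controlled.` and `# There is no in-place rotation: rotate with terraform apply -replace=module.insecuretlskey.tls_private_key.ecdsa_p256 and expect dependent secret versions to be rewritten.` The exact `version = "4.0.6"` pin in the `terraform` block is fine for a test-only module, but a short `# pinned on purpose` comment would stop the next reader from "fixing" it to a range.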
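Review bot: `output "tls_private_key_ecdsa_p256_public_key_pem"` is marked `sensitive = true` although it carries the public half of the key; the tls provider's `public_key_pem` attribute is not itself sensitive, so the flag only redacts the value from `terraform plan` and `terraform output` and changes nothing about what is written to state. That makes it harder for an operator to confirm which public key the test log will publish. Unless there is a reason I am missing, drop the flag on the public-key output and keep it on the private-key output only, or keep it and add `# redacted on purpose, the two outputs are handled identically downstream` so the choice reads as deliberate.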
@@ -36,8 +22,8 @@ resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_public_key" {
 }
 resource "aws_secretsmanager_secret_version" "sctfe_ecdsa_p256_public_key" {
- secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_public_key.id
- secret_string = tls_private_key.sctfe_ecdsa_p256.public_key_pem
+ secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_public_key.id
+ secret_string = var.tls_private_key_ecdsa_p256_public_key_pem
 }
 resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_private_key" {
@@ -49,6 +35,6 @@ resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_private_key" {
 }
 resource "aws_secretsmanager_secret_version" "sctfe_ecdsa_p256_private_key" {
- secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_private_key.id
- secret_string = tls_private_key.sctfe_ecdsa_p256.private_key_pem
+ secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_private_key.id
+ secret_string = var.tls_private_key_ecdsa_p256_private_key_pem
 }
diff --git a/deployment/modules/aws/secretsmanager/variables.tf b/deployment/modules/aws/secretsmanager/variables.tf
index 8dc3538d..cad751fe 100644
--- a/deployment/modules/aws/secretsmanager/variables.tf
+++ b/deployment/modules/aws/secretsmanager/variables.tf
@@ -7,3 +7,15 @@ variable "region" {
 description = "Region in which to create resources"
 type = string
 }
+
+variable "tls_private_key_ecdsa_p256_public_key_pem" {
+ description = "Public ECDSA key with P256 elliptic curve in PEM format."
+ type = string
+ sensitive = true
+}
+
+variable "tls_private_key_ecdsa_p256_private_key_pem" {
+ description = "Private ECDSA key with P256 elliptic curve in PEM format."
+ type = string
+ sensitive = true
+}
diff --git a/deployment/modules/aws/tesseract/test/main.tf b/deployment/modules/aws/tesseract/test/main.tf
index 7097200b..f886115c 100644
--- a/deployment/modules/aws/tesseract/test/main.tf
+++ b/deployment/modules/aws/tesseract/test/main.tf
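Review bot: After these two hunks (together with the deletion at `@@ -13,20 +13,6 @@`) nothing in the secretsmanager module references the `hashicorp/tls` provider any more, so if the module's `terraform` block, which sits above the `provider "aws"` header context and outside the hunk, still lists `tls` under `required_providers`, that entry should go with this change rather than linger as an unused requirement in the lock file. The two `secret_string` lines now store `var.tls_private_key_ecdsa_p256_*_pem` verbatim, and because both inputs are plain strings the module cannot tell whether a caller wired them the wrong way round; a comment on each makes the expectation visible to reviewers, e.g. `# Expects the PEM public key (-----BEGIN PUBLIC KEY-----); the private half belongs in the *_private_key secret below.` The same applies at `@@ -49,6 +35,6 @@` for the private-key secret.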
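Review bot: The two new variables have identical types and no `validation`, so a caller that swaps the arguments would store the private key under the secret named `…-ecdsa-p256-public-key` and the module would accept it silently; in the secrets-manager module the two secrets are distinct resources, and readers of the public-key secret are presumably granted broader access. A `validation` block on each variable that checks the PEM header tells them apart at plan time: the tls provider emits `-----BEGIN PUBLIC KEY-----` for `public_key_pem` and, for an ECDSA key, `-----BEGIN EC PRIVATE KEY-----` for `private_key_pem`, as far as I recall. The failure message names the variable only and never echoes the value, so `sensitive = true` is respected.
```hcl
variable "tls_private_key_ecdsa_p256_public_key_pem" {
  # … unchanged: description, type, sensitive …
  validation {
    condition     = can(regex("^-----BEGIN PUBLIC KEY-----", var.tls_private_key_ecdsa_p256_public_key_pem))
    error_message = "Expected a PEM public key starting with -----BEGIN PUBLIC KEY-----."
  }
}

variable "tls_private_key_ecdsa_p256_private_key_pem" {
  # … unchanged: description, type, sensitive …
  validation {
    condition     = can(regex("^-----BEGIN EC PRIVATE KEY-----", var.tls_private_key_ecdsa_p256_private_key_pem))
    error_message = "Expected a PEM EC private key starting with -----BEGIN EC PRIVATE KEY-----."
  }
}
```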
@@ -14,6 +14,15 @@ module "storage" {
 module "secretsmanager" {
 source = "../../secretsmanager"
- base_name = var.base_name
- region = var.region
+ base_name = var.base_name
+ region = var.region
+ tls_private_key_ecdsa_p256_public_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+ tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
+}
+
+# [WARNING]
+# This module will hardcode unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+ source = "../../insecuretlskey"
 }
From 98feac937c82b7e1a6dcb42b2ce4fc055e4d4803 Mon Sep 17 00:00:00 2001
From: Roger Ng
Date: Wed, 2 Apr 2025 10:32:49 +0000
Subject: [PATCH 2/2] Address comment
---
 deployment/modules/aws/insecuretlskey/README.md | 2 +-
 deployment/modules/aws/tesseract/test/main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployment/modules/aws/insecuretlskey/README.md b/deployment/modules/aws/insecuretlskey/README.md
index ce683cca..71ec8b26 100644
--- a/deployment/modules/aws/insecuretlskey/README.md
+++ b/deployment/modules/aws/insecuretlskey/README.md
@@ -1,3 +1,3 @@
 # [WARNING]
-# This module will hardcode unencrypted private keys in the Terraform state file.
+# This module will store unencrypted private keys in the Terraform state file.
 # DO NOT use this for production logs.
diff --git a/deployment/modules/aws/tesseract/test/main.tf b/deployment/modules/aws/tesseract/test/main.tf
index f886115c..a479898a 100644
--- a/deployment/modules/aws/tesseract/test/main.tf
+++ b/deployment/modules/aws/tesseract/test/main.tf
@@ -21,7 +21,7 @@ module "secretsmanager" {
 }
 # [WARNING]
-# This module will hardcode unencrypted private keys in the Terraform state file.
+# This module will store unencrypted private keys in the Terraform state file.
 # DO NOT use this for production logs.
 module "insecuretlskey" {
 source = "../../insecuretlskey"
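Review bot: Wiring `module "insecuretlskey"` in place of the resource that used to live inside `module.secretsmanager` changes the key's resource address (`module.secretsmanager.tls_private_key.sctfe_ecdsa_p256` becomes `module.insecuretlskey.tls_private_key.ecdsa_p256`), so on any test environment that already has state, `terraform apply` will plan to destroy the old key, generate a fresh one, and rewrite both secret versions with new key material. If an existing test log's key has to survive this refactor, a `moved` block in this root module (Terraform 1.1+, and as far as I recall allowed across two child modules called from the same root) carries the existing object across; if a new keypair is acceptable for the test deployment, say so in a comment on `module "insecuretlskey"` so the destroy/create in the plan is not mistaken for a mistake. Declaring the module after its first use in `module "secretsmanager"` is legal HCL, but moving it above would keep the warning banner next to the first reference.
```hcl
# Carry the existing test key over from its old address so the refactor
# does not silently generate a new keypair and rotate the secrets.
moved {
  from = module.secretsmanager.tls_private_key.sctfe_ecdsa_p256
  to   = module.insecuretlskey.tls_private_key.ecdsa_p256
}
```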