
[AWS] Extract tls_private_key resource from hashicorp/tls provider into an insecure module #220


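--- a/deployment/modules/aws/insecuretlskey/README.md
+++ b/deployment/modules/aws/insecuretlskey/README.md
@@ -0,0 +1,3 @@
+# [WARNING]
+# This module will store unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.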
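--- a/deployment/modules/aws/insecuretlskey/main.tf
+++ b/deployment/modules/aws/insecuretlskey/main.tf
@@ -0,0 +1,21 @@
+terraform {
+required_providers {
+tls = {
+source = "hashicorp/tls"
+version = "4.0.6"
+}
+}
+}
+
+# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
+#
+# Security Notice
+# The private key generated by this resource will be stored unencrypted in your
+# Terraform state file. Use of this resource for production deployments is not
+# recommended.
+#
+# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
+resource "tls_private_key" "ecdsa_p256" {
+algorithm = "ECDSA"
+ecdsa_curve = "P256"
+}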
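--- a/deployment/modules/aws/insecuretlskey/outputs.tf
+++ b/deployment/modules/aws/insecuretlskey/outputs.tf
@@ -0,0 +1,9 @@
+output "tls_private_key_ecdsa_p256_public_key_pem" {
+value = tls_private_key.ecdsa_p256.public_key_pem
+sensitive = true
+}
+
+output "tls_private_key_ecdsa_p256_private_key_pem" {
+value = tls_private_key.ecdsa_p256.private_key_pem
+sensitive = true
+}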
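Review bot: `sensitive = true` on these two outputs only redacts the values from plan/apply display; both PEMs are still written in clear to this module's state and to the state of any root that calls it, which the README says but the outputs themselves do not. A comment above each output would keep that visible at the point of consumption, e.g. `# sensitive only redacts CLI output; the PEM is still stored in clear in state (see README).`. Marking the public key sensitive is also stricter than its nature requires and hides the one value an operator could use to confirm which key was deployed; if that is deliberate (it matches the sensitive variable on the secretsmanager side), a one-line comment such as `# kept sensitive to match the secretsmanager module's input` would explain it.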
22 changes: 4 additions & 18 deletions deployment/modules/aws/secretsmanager/main.tf
Expand Up @@ -13,20 +13,6 @@ provider "aws" {
}

# Secrets Manager

# ECDSA key with P256 elliptic curve. Do NOT use this in production environment.
#
# Security Notice
# The private key generated by this resource will be stored unencrypted in your
# Terraform state file. Use of this resource for production deployments is not
# recommended.
#
# See https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key.
resource "tls_private_key" "sctfe_ecdsa_p256" {
algorithm = "ECDSA"
ecdsa_curve = "P256"
}

resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_public_key" {
name = "${var.base_name}-ecdsa-p256-public-key"

Expand All @@ -36,8 +22,8 @@ resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_public_key" {
}

resource "aws_secretsmanager_secret_version" "sctfe_ecdsa_p256_public_key" {
secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_public_key.id
secret_string = tls_private_key.sctfe_ecdsa_p256.public_key_pem
secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_public_key.id
secret_string = var.tls_private_key_ecdsa_p256_public_key_pem
}

resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_private_key" {
Expand All @@ -49,6 +35,6 @@ resource "aws_secretsmanager_secret" "sctfe_ecdsa_p256_private_key" {
}

resource "aws_secretsmanager_secret_version" "sctfe_ecdsa_p256_private_key" {
secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_private_key.id
secret_string = tls_private_key.sctfe_ecdsa_p256.private_key_pem
secret_id = aws_secretsmanager_secret.sctfe_ecdsa_p256_private_key.id
secret_string = var.tls_private_key_ecdsa_p256_private_key_pem
}
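Review bot: With `tls_private_key.sctfe_ecdsa_p256` removed, nothing in the visible part of this file references the hashicorp/tls provider any more; if the module's `terraform { required_providers { ... } }` block above the first hunk (outside the visible lines) still declares `tls`, it should be dropped in the same change so the module no longer pulls in a provider it does not use. The `aws_secretsmanager_secret_version` resources now take `secret_string` from the sensitive variables, which is the right direction, but `secret_string` is still recorded in this module's state regardless of the `sensitive` flag, so the README-style warning on the insecuretlskey module applies to callers of this module too.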
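--- a/deployment/modules/aws/secretsmanager/variables.tf
+++ b/deployment/modules/aws/secretsmanager/variables.tf
@@ -7,3 +7,15 @@ variable "region" {
 description = "Region in which to create resources"
 type = string
 }
+
+variable "tls_private_key_ecdsa_p256_public_key_pem" {
+description = "Public ECDSA key with P256 elliptic curve in PEM format."
+type = string
+sensitive = true
+}
+
+variable "tls_private_key_ecdsa_p256_private_key_pem" {
+description = "Private ECDSA key with P256 elliptic curve in PEM format."
+type = string
+sensitive = true
+}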
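Review bot: The two new variables are both plain `string` and are told apart only by name, so a caller that wires them the wrong way round (the call site in tesseract/test/main.tf sets them on adjacent lines) would write the private key into the public-key secret without any error from Terraform. A `validation` block on each variable that checks the PEM armor header rejects that at plan time, before anything is written to Secrets Manager. The condition references only the variable itself, so it is allowed in a validation block, and the error message does not echo the sensitive value.
```hcl
variable "tls_private_key_ecdsa_p256_public_key_pem" {
  description = "Public ECDSA key with P256 elliptic curve in PEM format."
  type        = string
  sensitive   = true

  # Catch a private key wired into the public-key input before it is stored.
  validation {
    condition     = can(regex("^-----BEGIN PUBLIC KEY-----", var.tls_private_key_ecdsa_p256_public_key_pem))
    error_message = "Value must be a PEM-encoded public key (-----BEGIN PUBLIC KEY-----)."
  }
}

variable "tls_private_key_ecdsa_p256_private_key_pem" {
  description = "Private ECDSA key with P256 elliptic curve in PEM format."
  type        = string
  sensitive   = true

  # Accepts SEC1 ("EC PRIVATE KEY") and PKCS#8 ("PRIVATE KEY") framing.
  validation {
    condition     = can(regex("^-----BEGIN (EC )?PRIVATE KEY-----", var.tls_private_key_ecdsa_p256_private_key_pem))
    error_message = "Value must be a PEM-encoded EC private key."
  }
}
```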
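--- a/deployment/modules/aws/tesseract/test/main.tf
+++ b/deployment/modules/aws/tesseract/test/main.tf
@@ -14,6 +14,15 @@ module "storage" {
 module "secretsmanager" {
 source = "../../secretsmanager"
 
-base_name = var.base_name
-region = var.region
+base_name = var.base_name
+region = var.region
+tls_private_key_ecdsa_p256_public_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_public_key_pem
+tls_private_key_ecdsa_p256_private_key_pem = module.insecuretlskey.tls_private_key_ecdsa_p256_private_key_pem
 }
+
+# [WARNING]
+# This module will store unencrypted private keys in the Terraform state file.
+# DO NOT use this for production logs.
+module "insecuretlskey" {
+source = "../../insecuretlskey"
+}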