According to Terraform docs, the generated private key will be stored in cleartext in the terraform.state file.
It would be better if this module optionally accepts an existing private key (in fact, the privkey, pubkey, and optionally a parent CA cert to be complete) or a name/ARN of an existing cert in ACM -- and only falls back to the auto-generated privkey if none of those are passed in. That will make this more production strength.
Motivation
Avoid putting secrets into the terraform.state file.
Alternatives
No response
Additional Context
No response
Code of Conduct
[X] I agree to follow this project's Code of Conduct
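The fallback order proposed above, sketched as an added Terraform example (not the module's own code; `common_name` is a placeholder, and the resource and function names are from the `tls` and `aws` providers and Terraform 0.15+). Note that a key passed in through `private_key_pem` still lands in state, because `aws_acm_certificate` records its `private_key` argument there and `sensitive = true` only redacts CLI output; only the existing-ARN path keeps the key out of state entirely.

```hcl
# Precedence: existing ACM ARN > caller-supplied key/cert pair > generated key.
variable "existing_certificate_arn" {
  type    = string
  default = null
}

variable "private_key_pem" {
  type      = string
  default   = null
  sensitive = true # redacts plan/apply output only; the value is still written to state
}

variable "certificate_pem" {
  type    = string
  default = null
}

variable "certificate_chain_pem" {
  type    = string
  default = null # optional parent CA chain for the supplied certificate
}

locals {
  use_existing_arn  = var.existing_certificate_arn != null
  use_supplied_pair = !local.use_existing_arn && var.private_key_pem != null && var.certificate_pem != null
  generate_key      = !local.use_existing_arn && !local.use_supplied_pair
}

# Last resort only: this key and its self-signed cert are stored in state in cleartext.
resource "tls_private_key" "generated" {
  count     = local.generate_key ? 1 : 0
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_self_signed_cert" "generated" {
  count                 = local.generate_key ? 1 : 0
  private_key_pem       = one(tls_private_key.generated[*].private_key_pem)
  validity_period_hours = 8760
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
  subject {
    common_name = "placeholder.example" # assumed; replace with the module's own input
  }
}

# Import into ACM only when no existing ARN was given; one() yields null for an empty list.
resource "aws_acm_certificate" "imported" {
  count             = local.use_existing_arn ? 0 : 1
  private_key       = local.use_supplied_pair ? var.private_key_pem : one(tls_private_key.generated[*].private_key_pem)
  certificate_body  = local.use_supplied_pair ? var.certificate_pem : one(tls_self_signed_cert.generated[*].cert_pem)
  certificate_chain = local.use_supplied_pair ? var.certificate_chain_pem : null
}

output "certificate_arn" {
  value = local.use_existing_arn ? var.existing_certificate_arn : one(aws_acm_certificate.imported[*].arn)
}
```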
Agree with your assessment, but it's not something we are looking to implement at this moment; feel free to send a PR if you have this implemented in your fork.