Venafi / terraform-provider-venafi

HashiCorp Terraform provider that uses Venafi to streamline machine identity (certificate and key) acquisition.
https://www.terraform.io/docs/providers/venafi/
Mozilla Public License 2.0

The certificates are emitted to stdout and not properly obfuscated #131

Open justinmchase opened 3 months ago

justinmchase commented 3 months ago

PROBLEM SUMMARY

When my certificate is updated, the old certificate is emitted to stdout of my CI logs and appears not to be treated as sensitive.

[Screenshot attached: 2024-05-07]

STEPS TO REPRODUCE

resource "time_rotating" "monthly" {
  rotation_minutes = 1
}

resource "random_password" "certificate_password" {
  length      = 12
  upper       = true
  lower       = true
  numeric     = true
  special     = false
  min_numeric = 1
  min_lower   = 1
  min_upper   = 1

  keepers = {
    time = time_rotating.monthly.id
  }
}

resource "venafi_certificate" "cert" {
  algorithm         = "RSA"
  custom_fields     = {}
  ecdsa_curve       = "P521"
  expiration_window = 72
  rsa_bits          = 2048
  valid_days        = 365
  common_name       = "example"
  san_dns           = "example.com"
  key_password      = random_password.certificate_password.result
}
1. Apply the template twice, 1 minute or more apart.

EXPECTED RESULTS

The secret values of the previous fields are obfuscated.

ACTUAL RESULTS

The entire certificate in its various forms is emitted to stdout.

ENVIRONMENT DETAILS

N/A

COMMENTS/WORKAROUNDS
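Until the provider marks these attributes as sensitive, a compensating control is to scan or filter CI output for PEM material before it reaches persistent logs. The script below is an added example written for this page, not code from the terraform-provider-venafi project or from the issue author. It finds PEM blocks in log text in both forms Terraform prints them (the `<<-EOT` heredoc with real newlines, and quoted strings containing literal `\n` escapes), reports each one by label, line number and a SHA-256 fingerprint of the decoded DER rather than the material itself, flags private-key labels as secrets, and can rewrite the text with the blocks masked. The sample log is constructed; the attribute names `certificate` and `private_key_pem` in it are assumptions for illustration, not taken from the provider's schema, and the PEM bodies are base64 of placeholder text, not real keys or certificates.

```python
"""Detect and redact PEM material (certificates, private keys) leaked into CI logs.

Added example for this issue page; not part of the provider. Assumed attribute
names and constructed sample data are marked below.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List

# A PEM block, tolerating both real newlines (Terraform's <<-EOT heredoc form)
# and the literal two-character "\n" escape seen inside quoted strings.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>(?:[A-Za-z0-9+/=]|\s|\\n)+?)"
    r"-----END (?P=label)-----"
)

# Labels whose presence means a secret, not merely public data, is in the log.
SECRET_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY",
}


@dataclass
class Finding:
    label: str     # PEM label, e.g. "CERTIFICATE"
    line: int      # 1-based line of the BEGIN marker in the log text
    sha256: str    # fingerprint of the decoded DER (safe to put in an alert)
    secret: bool   # True for private-key labels


def fingerprint(der: bytes) -> str:
    """SHA-256 hex digest of DER bytes: lets an alert be correlated with a
    known certificate without copying the leaked material into the alert."""
    return hashlib.sha256(der).hexdigest()


def _decode(body: str) -> bytes:
    raw = re.sub(r"\\n|\s", "", body)   # drop whitespace and literal "\n"
    try:
        return base64.b64decode(raw, validate=True)
    except ValueError:                  # binascii.Error is a ValueError
        return raw.encode()             # not valid base64: hash the text itself


def scan(text: str) -> List[Finding]:
    """Return one Finding per PEM block found in the log text."""
    findings = []
    for m in PEM_RE.finditer(text):
        label = m.group("label")
        findings.append(Finding(
            label=label,
            line=text.count("\n", 0, m.start()) + 1,
            sha256=fingerprint(_decode(m.group("body"))),
            secret=label in SECRET_LABELS,
        ))
    return findings


def redact(text: str) -> str:
    """Replace every PEM block with a placeholder carrying only its label and
    a truncated fingerprint; usable as a filter in front of CI log output."""
    def _mask(m):
        fp = fingerprint(_decode(m.group("body")))[:16]
        return f"[REDACTED {m.group('label')} sha256:{fp}]"
    return PEM_RE.sub(_mask, text)


# Constructed sample. NOT real key or certificate material; the attribute
# names are assumed for illustration, not taken from the provider's schema.
FAKE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
FAKE_KEY_DER = b"constructed placeholder, not a real RSA private key"
_cert_b64 = base64.b64encode(FAKE_CERT_DER).decode()
_key_b64 = base64.b64encode(FAKE_KEY_DER).decode()

SAMPLE_LOG = (
    "venafi_certificate.cert: Modifying... [id=example]\n"
    "  ~ certificate     = <<-EOT\n"
    "        -----BEGIN CERTIFICATE-----\n"
    f"        {_cert_b64}\n"
    "        -----END CERTIFICATE-----\n"
    "    EOT\n"
    '  ~ private_key_pem = "-----BEGIN RSA PRIVATE KEY-----\\n'
    f'{_key_b64}\\n-----END RSA PRIVATE KEY-----\\n"\n'
)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line}: {f.label} sha256={f.sha256[:16]} secret={f.secret}")
    print(redact(SAMPLE_LOG))
```

Run it as `terraform apply ... 2>&1 | python3 pemscan.py` style filtering, or over an archived job log, to find where material has already landed. The scanner is a detective control only: the proper fix is for the provider to mark the certificate and key attributes as sensitive in its schema, so that Terraform itself prints `(sensitive value)` in plan and apply output instead of the material.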