hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

reCAPTCHA does not return the Legacy reCAPTCHA secret key #14495

Open bretep opened 1 year ago

bretep commented 1 year ago

Description

The Legacy reCAPTCHA secret key is not deprecated, nor is there a plan for its removal. There are a lot of 3rd party applications that require this secret key because they use the non-enterprise JavaScript reCAPTCHA client.

The console offers this key, but it should be available via automation.

New or Affected Resource(s)

Potential Terraform Configuration

resource "google_recaptcha_enterprise_key" "example" {
  display_name = "example"

  project = "example-project"

  web_settings {
    integration_type  = "CHECKBOX"
    allow_all_domains = true
    allow_amp_traffic = false
    allowed_domains   = []
  }
}

locals {
  legacy_key = google_recaptcha_enterprise_key.example.secret_key
}

References

b/314616535

straub commented 1 year ago

I needed this to avoid some significant manual effort this week. I managed to hack around the issue using the Terraform external provider, Node.js, and the @google-cloud/recaptcha-enterprise package:

data "external" "retrieve_legacy_secret_key" {
  for_each = {
    checkbox_aka_v2 = google_recaptcha_enterprise_key.checkbox_aka_v2.id
    scoring_aka_v3  = google_recaptcha_enterprise_key.scoring_aka_v3.id
  }

  program = ["node", "--input-type=module", "--eval", <<EOF
import { setTimeout } from 'timers/promises';
import { v1 } from '@google-cloud/recaptcha-enterprise';
const { RecaptchaEnterpriseServiceClient } = v1;

const recaptchaenterpriseClient = new RecaptchaEnterpriseServiceClient();

async function retryRequest () {
  try {
    return await recaptchaenterpriseClient.retrieveLegacySecretKey({
      key: "${each.value}",
    });
  }
  catch (err) {
    if (err.reason === 'RATE_LIMIT_EXCEEDED') {
      // Wait one minute for rate limit to reset.
      await setTimeout(60000);
      return retryRequest();
    }
    throw err;
  }
}

const [response] = await retryRequest();

console.log(JSON.stringify(response));
EOF
  ]
}

# data.external.retrieve_legacy_secret_key["checkbox_aka_v2"].result.legacySecretKey
# data.external.retrieve_legacy_secret_key["scoring_aka_v3"].result.legacySecretKey

Obviously, not ideal, but perhaps someone will find it useful!

Edit 2023-06-09: adjusted to retry rate limit errors. Edit 2023-06-12: removed redundant delay.

akshoyduya commented 10 months ago

You can achieve it using an HTTP request. It is a workaround for now.

Please make sure gcloud is installed on your system and that you are already authenticated.

// In main.tf

terraform {
  required_providers {
    http = {
      source  = "hashicorp/http"
      version = "3.4.0"
    }
  }
}

data "external" "get_gcloud_token" {
  program = ["bash", "-c", "echo '{\"token\": \"'$(gcloud auth print-access-token)'\"}'"]
}

data "http" "retrieve_recaptcha_secret" {
  url = "https://recaptchaenterprise.googleapis.com/v1/projects/${var.project_id}/keys/${google_recaptcha_enterprise_key.recaptcha_key.name}:retrieveLegacySecretKey"

  request_headers = {
    "Authorization" = "Bearer ${data.external.get_gcloud_token.result["token"]}"
    "Content-Type"  = "application/json"
  }
}

output "recaptcha_secret_key" {
  description = "reCAPTCHA v3 secret key"
  value       = jsondecode(data.http.retrieve_recaptcha_secret.response_body)["legacySecretKey"]
}
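
A hardened variant of the HTTP workaround above, as an added example that is not part of the original comment or of the provider's own code: it takes the access token from the `google_client_config` data source instead of shelling out to gcloud, fails on a non-200 response, and marks the secret as sensitive. The names `recaptcha_key` and `var.project_id` are carried over from the comment; the data source label `current` and the local `legacy_secret_key` are assumptions.

```hcl
# Added example: hardened variant of the HTTP workaround.
# Assumes the google and hashicorp/http providers are configured and that
# google_recaptcha_enterprise_key.recaptcha_key and var.project_id exist,
# as in the comment above.

# Access token of the credentials the google provider already uses,
# so no gcloud subprocess or hand-built JSON is needed.
data "google_client_config" "current" {}

data "http" "retrieve_recaptcha_secret" {
  url = "https://recaptchaenterprise.googleapis.com/v1/projects/${var.project_id}/keys/${google_recaptcha_enterprise_key.recaptcha_key.name}:retrieveLegacySecretKey"

  request_headers = {
    Authorization = "Bearer ${data.google_client_config.current.access_token}"
    Accept        = "application/json"
  }

  lifecycle {
    # Fail here instead of passing an error body on to jsondecode().
    postcondition {
      condition     = self.status_code == 200
      error_message = "retrieveLegacySecretKey did not return HTTP 200."
    }
  }
}

locals {
  # Mark the extracted key explicitly so it stays out of plan and apply output.
  legacy_secret_key = sensitive(
    jsondecode(data.http.retrieve_recaptcha_secret.response_body)["legacySecretKey"]
  )
}

output "recaptcha_secret_key" {
  description = "Legacy reCAPTCHA secret key"
  value       = local.legacy_secret_key
  sensitive   = true
}

# The response body, and therefore the key, is still written to the
# Terraform state in plain text: restrict access to the state backend.
```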