search

hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0
459 stars 540 forks source link

[Bug]: vault_jwt_auth_backend leaks oidc_client_secret #2206

Open R0flcopt3r opened 6 months ago

R0flcopt3r commented 6 months ago

Terraform Core Version

1.7.3

Terraform Vault Provider Version

3.25.0

Vault Server Version

1.15.5

Affected Resource(s)

Expected Behavior

Secrets should not be visible in Terraform state

Actual Behavior

Secrets are visible in state.

Relevant Error/Panic Output Snippet

{
  "mode": "managed",
  "type": "vault_jwt_auth_backend",
  "name": "azure_ad",
  "provider": "provider[\"registry.terraform.io/hashicorp/vault\"]",
  "instances": [
        {
          "schema_version": 1,
          "attributes": {
            "oidc_client_id": "[REDACTED]",
            "oidc_client_secret": "[REDACTED]", # <------- Leaked secret 
            "oidc_discovery_ca_pem": "",
            "oidc_discovery_url": "[REDACTED]",
....
  ]
}

Terraform Configuration Files


resource "vault_jwt_auth_backend" "auth" {
  description = "auth backend"
  path = "oidc"
  oidc_client_id = var.oidc_client_id
  oidc_client_secret = var.oidc_client_secret
  oidc_discovery_url= local.oidc_discovery_url
  default_role = local.oidc_default_role
}

resource "vault_jwt_auth_backend_role" "auth" {
  backend = vault_jwt_auth_backend.auth.path
  role_name = local.oidc_default_role
  user_claim = "email"
  groups_claim = "groups"
  token_policies = ["default"]
  verbose_oidc_logging = true
  oidc_scopes = local.oidc_scopes
  allowed_redirect_uris = local.allowed_redirect_uris
}

resource "vault_identity_group" "group" {
  name = "vault"
  type = "external"
  policies = ["default"]
  metadata = {
    version = "2"
  }
}

resource "vault_identity_group_alias" "group" {
  name = "vault"
  mount_accessor = vault_jwt_auth_backend.auth.accessor
  canonical_id = vault_identity_group.group.id
}

Steps to Reproduce

  1. terraform apply given config with valid variables
  2. inspect terraform state for leaked secrets

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

No

fairclothjm commented 6 months ago

Hello @R0flcopt3r this is documented behavior as per https://registry.terraform.io/providers/hashicorp/vault/latest/docs

Interacting with Vault from Terraform causes any secrets that you read and write to be persisted in both Terraform's state file and in any generated plan files. For any Terraform module that reads or writes Vault secrets, these files should be treated as sensitive and protected accordingly.

More discussion here: https://github.com/hashicorp/terraform/issues/516