mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License
592 stars, 291 forks

The private_key schema element of the keycloak_realm_keystore_rsa resource must be sensitive #962

Open laszlomiklosik opened 1 month ago

laszlomiklosik commented 1 month ago

The schema definition below (see https://github.com/mrparkers/terraform-provider-keycloak/blob/3f6b75b79ada48eddb41de6055f57a357d9b691c/provider/resource_keycloak_realm_keystore_rsa.go#L60 for full context) does not declare the `private_key` schema element as sensitive, so one can list the related secret with `terraform state show keycloak_realm_keystore_rsa.keystore_rsa`:

```go
// Entry from the resource's schema map; note there is no `Sensitive: true`,
// so the PEM key is shown in plan output and `terraform state show`.
"private_key": {
    Type:        schema.TypeString,
    Required:    true,
    Description: "Private RSA Key encoded in PEM format",
},
```

Besides allowing this information to be listed in the terraform console using `terraform state show`, and making it visible in the `terraform plan` output, this can also force us in some situations to use the `nonsensitive` function; otherwise one can't pass this value using a data source linked to a secrets management tool (Azure Key Vault, AWS Secrets Manager or HashiCorp Vault).
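The check below is an added example and is not code from the terraform-provider-keycloak repository. It shows the `Sensitive: true` fix the issue asks for next to the unfixed entry, and wraps it in the kind of guard test a provider could run over its resource schemas so that a secret-bearing attribute cannot ship without the flag. `schemaAttr` is a hypothetical stand-in for the fields of `helper/schema.Schema` that matter here (in the real provider the test would iterate the actual `ResourcesMap` schemas instead), the `secretHints` naming convention is an assumption, and the `name` attribute is a constructed neighbour included only to show that non-secret attributes are left alone.

```go
// Added example: schema-sensitivity guard, not part of terraform-provider-keycloak.
package main

import (
	"fmt"
	"sort"
	"strings"
)

// schemaAttr is a hypothetical stand-in for helper/schema.Schema limited to the
// fields relevant to this issue.
type schemaAttr struct {
	Type        string
	Required    bool
	Description string
	Sensitive   bool // true => redacted in plan output and `terraform state show`
}

// secretHints lists name fragments that mark an attribute as secret-bearing.
// Assumption: attribute names in the provider follow this convention.
var secretHints = []string{"private_key", "password", "secret", "token"}

// looksSecret reports whether an attribute name suggests it holds a secret.
func looksSecret(name string) bool {
	n := strings.ToLower(name)
	for _, h := range secretHints {
		if strings.Contains(n, h) {
			return true
		}
	}
	return false
}

// unmarkedSecrets returns, sorted, the attributes of one resource schema whose
// names look secret-bearing but which are not declared Sensitive.
func unmarkedSecrets(attrs map[string]*schemaAttr) []string {
	var gaps []string
	for name, a := range attrs {
		if looksSecret(name) && !a.Sensitive {
			gaps = append(gaps, name)
		}
	}
	sort.Strings(gaps)
	return gaps
}

// realmKeystoreRSABefore mirrors the private_key entry quoted in the issue
// (no Sensitive flag). "name" is a constructed, non-secret neighbour.
func realmKeystoreRSABefore() map[string]*schemaAttr {
	return map[string]*schemaAttr{
		"private_key": {Type: "TypeString", Required: true, Description: "Private RSA Key encoded in PEM format"},
		"name":        {Type: "TypeString", Required: true, Description: "Display name of the keystore"},
	}
}

// realmKeystoreRSAAfter is the same schema with the fix the issue requests:
// Sensitive: true on private_key.
func realmKeystoreRSAAfter() map[string]*schemaAttr {
	s := realmKeystoreRSABefore()
	s["private_key"].Sensitive = true
	return s
}

func main() {
	fmt.Printf("before fix: unmarked secret attributes = %v\n", unmarkedSecrets(realmKeystoreRSABefore()))
	fmt.Printf("after fix:  unmarked secret attributes = %v\n", unmarkedSecrets(realmKeystoreRSAAfter()))
}
```

One caveat worth keeping in mind when applying the fix: `Sensitive: true` only redacts the value in CLI output (`terraform plan`, `terraform state show`); the plaintext PEM key is still written to the state file, so the state backend still needs access control and encryption at rest.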

laszlomiklosik commented 1 month ago

Would be great to have this reviewed and, if appropriate, merged soon. Thanks!