Closed poblin-orange closed 6 years ago
workaround: delete credhub value then set new value. Might be an issue with credhub versioning? (we are using credhub bosh release 1.0.2)
By the way, the value seems to be stored in terraform tfstate. Is it required? (as credhub offers update timestamp, guess the plugin could check freshness without storing the credhub values).
@poblin-orange
There is a current limitation within terraform support for datasources as documented into the hashicorp vault provider, see
Important Interacting with Vault from Terraform causes any secrets that you read and write to be persisted in both Terraform's state file and in any generated plan files. [...] Currently Terraform has no mechanism to redact or protect secrets that are returned via data sources, so secrets read via this provider will be persisted into the Terraform state, into any plan files, and in some cases in the console output produced while planning and applying. These artifacts must therefore all be protected accordingly.
https://github.com/terraform-providers/terraform-provider-google/issues/927#issuecomment-366933976 mentions
the prevalent recommendation among the Terraform team is to store your state in remote backends, which can then be encrypted.
as well as https://www.terraform.io/docs/state/sensitive-data.html
Terraform state can contain sensitive data [...] Recommendations: Storing state remotely may provide you encryption at rest depending on the backend you choose. [...] Long term, the Terraform project wants to further improve the ability to secure sensitive data. There are plans to provide a generic mechanism for specific state attributes to be encrypted or even completely omitted from the state. These do not exist yet except on a resource-by-resource basis if documented.
In our case this may mean using the orange-cloudfoundry/terraform-secure-backend for storing TF state.
The terraform-provider-credhub provider however attempts to work around this limitation for:
Data from credentials are never stored in your tfstate either, this provider creates a fingerprint of this data to determine if it should be updated or not.
Root cause likely to come from outdated credhub server version 1.0.2 and mismatch with credhub cli used. Pending upgrade to 1.7.1 credhub version should confirm, and we'll then be able to close this issue.
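As an added example (not code from the provider or from this thread) of the two points above: a check that a tfstate file does not carry a CredHub value verbatim, and the fingerprint-based freshness test that needs only the fingerprint from state. The state layout is a constructed Terraform v4-style snippet; the data source type `credhub_value`, the attribute names and the SHA-256 fingerprint are assumptions, not the provider's actual names or scheme.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample secret; in practice it would come from the CredHub CLI/API.
SECRET_VALUE = "s3cr3t-db-password"


def fingerprint(value: str) -> str:
    """Fingerprint of a credential value (SHA-256 hex is an assumption,
    not necessarily the provider's own scheme)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def find_plaintext_secrets(state: Dict, secrets: List[str]) -> List[str]:
    """Return addresses of state entries whose attributes carry a secret verbatim.
    A post-apply check to run before the state is pushed to a shared backend."""
    hits = []
    for res in state.get("resources", []):
        addr = f"{res.get('mode', 'managed')}.{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            blob = json.dumps(inst.get("attributes", {}))
            if any(s in blob for s in secrets):
                hits.append(addr)
    return hits


def needs_refresh(stored_fingerprint: str, current_value: str) -> bool:
    """Freshness check: compare the fingerprint kept in state with the
    fingerprint of the value currently in CredHub; the old value is never needed."""
    return not hmac.compare_digest(stored_fingerprint, fingerprint(current_value))


def _state(attrs: Dict) -> Dict:
    # Minimal Terraform v4-style state; "credhub_value" is a placeholder type name.
    return {"version": 4, "resources": [{"mode": "data", "type": "credhub_value",
            "name": "db", "instances": [{"attributes": attrs}]}]}


# What a plain data source does: the secret lands in state as-is.
LEAKY_STATE = _state({"name": "/db/password", "value": SECRET_VALUE})
# What a fingerprinting provider stores instead.
FINGERPRINT_STATE = _state({"name": "/db/password",
                            "fingerprint": fingerprint(SECRET_VALUE)})

if __name__ == "__main__":
    print(find_plaintext_secrets(LEAKY_STATE, [SECRET_VALUE]))        # ['data.credhub_value.db']
    print(find_plaintext_secrets(FINGERPRINT_STATE, [SECRET_VALUE]))  # []
    print(needs_refresh(fingerprint(SECRET_VALUE), "rotated-value"))  # True
```

A plain hash of a low-entropy value can still be guessed offline by anyone holding the state file, so a keyed fingerprint (HMAC with a key kept outside the state) is the safer variant of the same idea.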
@poblin-orange
By the way, the value seems to be stored in terraform tfstate. Is it required? (as credhub offers update timestamp, guess the plugin could check freshness without storing the credhub values).
this can't be avoided, this is done by terraform.
After updating credhub client version to 1.7.2 on this provider all works fine, suggestion by @gberche-orange was correct.
I'm closing this issue.
Seems that the credhub terraform plugin does not retrieve value version from credhub (i.e. value has been updated with credhub cli, the plugin seems to retrieve a previous version)
config:
credhub cli value
terraform log
terraform state