orange-cloudfoundry / terraform-provider-credhub

This terraform provider lets you create and retrieve credentials from credhub
Apache License 2.0

credhub plugin does not retrieve updated version #2

Closed poblin-orange closed 6 years ago

poblin-orange commented 6 years ago

Seems that the credhub terraform plugin does not retrieve the latest value version from credhub (i.e. the value has been updated with the credhub cli, but the plugin seems to retrieve a previous version)

config:

data "credhub_value" "intranet_interco_ips_net_id" {
  name = "/secrets/intranet_interco_ips_net_id"
}

credhub cli value

$ credhub get --name="/secrets/intranet_interco_ips_net_id"
id: b798d461-8907-4f84-b0c2-386cef9a5fb0
name: /secrets/intranet_interco_ips_net_id
type: value
value: 0130df67-7374-458a-b9c1-265892e7190d
version_created_at: 2018-02-26T09:44:39Z

terraform log

+ terraform version
Terraform v0.11.2
+ provider.credhub v0.10.0

Your version of Terraform is out of date! The latest version
is 0.11.3. You can update by downloading from www.terraform.io/downloads.html
+ pwd
+ CURRENT_DIR=/tmp/build/6d6ccb0c
+ find secret-state-resource/master-depls/terraform-config -type f -exec cp {} generated-files/ ;
+ find terraform-tfvars -type f -exec cp {} generated-files/ ;
+ find spec-resource/master-depls/terraform-config/spec -mindepth 1 -maxdepth 1 -exec cp --verbose -r {} spec-applied/ ;
'spec-resource/master-depls/terraform-config/spec/intranet-interco-vrrp-ports.tf' -> 'spec-applied/intranet-interco-vrrp-ports.tf'
PROVIDER_CREDHUB_VERSION=0.10.0
TERRAFORM_ZIP=terraform_0.11.2_linux_amd64.zip
SPEC_PATH=master-depls/terraform-config/spec
....
21172   /.terraform/plugins/linux_amd64/terraform-provider-credhub_v0.10.0
...
288548  /.terraform/plugins/linux_amd64
288552  /.terraform/plugins
288556  /.terraform
+ terraform init -input=false -upgrade -get-plugins=false -plugin-dir=/.terraform/plugins/linux_amd64 ../spec-applied/

Initializing provider plugins...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.credhub: version = "~> 0.10"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
+ terraform plan -input=false ../spec-applied/
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.credhub_value.intranet_interco_ips_net_id: Refreshing state...
------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

terraform state

{
    "version": 3,
    "terraform_version": "0.11.2",
    "serial": 1,
    "lineage": "a7040192-db17-42d7-a37c-337f1393fb09",
    "modules": [
        {
            "path": [
                "root"
            ],
            "outputs": {},
            "resources": {
...

                "data.credhub_value.intranet_interco_ips_net_id": {
                    "type": "credhub_value",
                    "depends_on": [],
                    "primary": {
                        "id": "bc987039-2276-43df-b333-5b5e3ce1266b",
                        "attributes": {
                            "id": "bc987039-2276-43df-b333-5b5e3ce1266b",
                            "name": "/secrets/intranet_interco_ips_net_id",
                            "type": "value",
                            "value": "43acffd0-a978-4ad5-a1a9-f9b70365bb72"
                        },
                        "meta": {},
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "provider.credhub"
                },

By the way, the value seems to be stored in the terraform tfstate. Is it required? (As credhub offers an update timestamp, I guess the plugin could check freshness without storing the credhub values.)
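The state excerpt above shows the data source's `value` attribute sitting in clear text in the tfstate. As an added example (not code from the issue, nor from the provider), here is a small Go scan over a v3 tfstate, the format pasted above, that reports every `credhub_*` resource or data source whose attributes hold a secret in clear text. The state document is constructed for the example, all ids and values are placeholders, and the `data.credhub_password` resource is assumed purely to show that the scan is not limited to `credhub_value`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed v3 tfstate excerpt shaped like the one pasted in the issue.
// All ids and secret values are placeholders; data.credhub_password is an
// assumed resource type used only to illustrate a second secret attribute.
const sampleState = `{
  "version": 3, "terraform_version": "0.11.2",
  "modules": [{ "path": ["root"], "outputs": {}, "resources": {
    "data.credhub_value.intranet_interco_ips_net_id": {
      "type": "credhub_value", "provider": "provider.credhub",
      "primary": { "id": "00000000-0000-4000-8000-000000000001", "attributes": {
        "id": "00000000-0000-4000-8000-000000000001",
        "name": "/secrets/intranet_interco_ips_net_id", "type": "value",
        "value": "00000000-0000-4000-8000-0000000000aa" } } },
    "data.credhub_password.db": {
      "type": "credhub_password", "provider": "provider.credhub",
      "primary": { "id": "00000000-0000-4000-8000-000000000002", "attributes": {
        "name": "/secrets/db", "password": "placeholder-pw" } } },
    "openstack_networking_port_v2.vrrp": {
      "type": "openstack_networking_port_v2", "provider": "provider.openstack",
      "primary": { "id": "port-1", "attributes": {
        "name": "vrrp", "network_id": "net-1" } } }
  } }]
}`

// Only the parts of the v3 state format the scan needs. In v3 every
// attribute value is flattened to a string.
type tfState struct {
	Version int        `json:"version"`
	Modules []tfModule `json:"modules"`
}

type tfModule struct {
	Path      []string              `json:"path"`
	Resources map[string]tfResource `json:"resources"`
}

type tfResource struct {
	Type    string `json:"type"`
	Primary struct {
		Attributes map[string]string `json:"attributes"`
	} `json:"primary"`
}

// Finding records a plaintext secret attribute found in state. The secret
// itself is deliberately not copied out, only its length.
type Finding struct {
	Module, Resource, Attribute string
	Length                      int
}

// secretAttrs are attribute names that carry credential material.
var secretAttrs = map[string]bool{"value": true, "password": true, "private_key": true}

// FindPlaintextSecrets scans a v3 tfstate for credhub_* resources (data
// sources included) whose attributes hold a non-empty secret in clear text.
func FindPlaintextSecrets(raw []byte) ([]Finding, error) {
	var st tfState
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("parse state: %w", err)
	}
	if st.Version != 3 {
		return nil, fmt.Errorf("unsupported state version %d (want 3)", st.Version)
	}
	var out []Finding
	for _, m := range st.Modules {
		for addr, r := range m.Resources {
			if !strings.HasPrefix(r.Type, "credhub_") {
				continue
			}
			for attr, v := range r.Primary.Attributes {
				if secretAttrs[attr] && v != "" {
					out = append(out, Finding{Module: strings.Join(m.Path, "."),
						Resource: addr, Attribute: attr, Length: len(v)})
				}
			}
		}
	}
	// Map iteration order is random; sort so output is stable.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Resource != out[j].Resource {
			return out[i].Resource < out[j].Resource
		}
		return out[i].Attribute < out[j].Attribute
	})
	return out, nil
}

func main() {
	findings, err := FindPlaintextSecrets([]byte(sampleState))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: %s.%s holds %d bytes of plaintext secret\n",
			f.Module, f.Resource, f.Attribute, f.Length)
	}
}
```

Against a real workspace, feed it the output of `terraform state pull` instead of the constructed document; any finding means the state file (and any saved plan file) must be protected as a secret store.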

poblin-orange commented 6 years ago

Workaround: delete the credhub value, then set the new value. Might be an issue with credhub versioning? (We are using credhub bosh release 1.0.2.)

gberche-orange commented 6 years ago

By the way, the value seems to be stored in the terraform tfstate. Is it required? (As credhub offers an update timestamp, I guess the plugin could check freshness without storing the credhub values.)

@poblin-orange

There is a current limitation within terraform support for data sources, as documented in the hashicorp vault provider, see

Important Interacting with Vault from Terraform causes any secrets that you read and write to be persisted in both Terraform's state file and in any generated plan files. [...] Currently Terraform has no mechanism to redact or protect secrets that are returned via data sources, so secrets read via this provider will be persisted into the Terraform state, into any plan files, and in some cases in the console output produced while planning and applying. These artifacts must therefore all be protected accordingly.

https://github.com/terraform-providers/terraform-provider-google/issues/927#issuecomment-366933976 mentions

the prevalent recommendation among the Terraform team is to store your state in remote backends, which can then be encrypted.

as well as https://www.terraform.io/docs/state/sensitive-data.html

Terraform state can contain sensitive data [...] Recommendations: Storing state remotely may provide you encryption at rest depending on the backend you choose. [...] Long term, the Terraform project wants to further improve the ability to secure sensitive data. There are plans to provide a generic mechanism for specific state attributes to be encrypted or even completely omitted from the state. These do not exist yet except on a resource-by-resource basis if documented.

In our case this may mean using the orange-cloudfoundry/terraform-secure-backend for storing TF state.

The terraform-provider-credhub provider however attempts to work around this limitation:

Data from credentials are never stored in your tfstate either, this provider creates a fingerprint of this data to determine if it should be updated or not.
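As an added example of the fingerprint approach quoted above (a sketch written for this page, not the provider's own implementation), the Go code below shows what a provider could record in state in place of the secret, and how a fingerprint rather than CredHub's `version_created_at` decides whether the credential changed. The HMAC key, and the assumption that it comes from provider configuration rather than the state, are choices of this example: a plain unkeyed hash in state would let anyone who obtains the state file brute-force short passwords offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StoredCredential is what a provider could keep in tfstate instead of the
// secret: the CredHub name, the version timestamp CredHub reports, and a
// keyed fingerprint of the value.
type StoredCredential struct {
	Name             string
	VersionCreatedAt string
	Fingerprint      string
}

// Fingerprint tags a secret with HMAC-SHA256 under a key assumed to live in
// provider configuration, outside the state. With an unkeyed hash, whoever
// reads the state could brute-force a short password offline; the keyed tag
// gives them nothing to test guesses against.
func Fingerprint(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

// Drift decides whether the credential terraform recorded differs from what
// CredHub returns now. The fingerprint, not the timestamp, is authoritative:
// re-setting a credential to the same value bumps version_created_at but
// must not be reported as a change.
func Drift(key []byte, stored StoredCredential, currentValue, currentVersion string) (bool, string) {
	if stored.Fingerprint == "" {
		return true, "no fingerprint in state (first read)"
	}
	now := Fingerprint(key, currentValue)
	if !hmac.Equal([]byte(now), []byte(stored.Fingerprint)) {
		return true, fmt.Sprintf("value changed (version %s -> %s)", stored.VersionCreatedAt, currentVersion)
	}
	if currentVersion != stored.VersionCreatedAt {
		return false, "new version with identical value"
	}
	return false, "unchanged"
}

func main() {
	// Assumption: the key is configured on the provider, never written to state.
	key := []byte("provider-side-key")
	stored := StoredCredential{
		Name:             "/secrets/intranet_interco_ips_net_id",
		VersionCreatedAt: "2018-02-26T09:44:39Z",
		Fingerprint:      Fingerprint(key, "old-value"),
	}
	// Constructed responses standing in for what CredHub would return on refresh.
	for _, c := range []struct{ value, version string }{
		{"old-value", "2018-02-26T09:44:39Z"},
		{"new-value", "2018-02-27T10:00:00Z"},
		{"old-value", "2018-02-27T10:00:00Z"},
	} {
		changed, why := Drift(key, stored, c.value, c.version)
		fmt.Printf("%s: changed=%v (%s)\n", stored.Name, changed, why)
	}
}
```

The third case is the one a timestamp-only check gets wrong: the version moved but the value did not, so no downstream resource should be replaced.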

gberche-orange commented 6 years ago

Root cause likely to come from the outdated credhub server version 1.0.2 and a mismatch with the credhub cli used. The pending upgrade to credhub version 1.7.1 should confirm, and we'll then be able to close this issue.

ArthurHlt commented 6 years ago

@poblin-orange

By the way, the value seems to be stored in the terraform tfstate. Is it required? (As credhub offers an update timestamp, I guess the plugin could check freshness without storing the credhub values.)

This can't be avoided; this is done by terraform.

After updating credhub client version to 1.7.2 on this provider all works fine, suggestion by @gberche-orange was correct.

I'm closing this issue.