scottwinkler / terraform-provider-shell

Terraform provider for executing shell commands and saving output to state file
Mozilla Public License 2.0

Random characters getting marked as sensitive (and sensitive inputs not being obscured) #47

Closed annedroiid closed 4 years ago

annedroiid commented 4 years ago

I'm using v1.3.1 of the provider and tf 0.12.24.

In my uat environment it looks like the letter m is being treated as a secret and masked as ***** when put to stdout. Because the output of the resource comes from stdout, this then means that I'm getting incorrect output. None of the sensitive_environment values are just the letter m.

In addition, the actual private key/client cert themselves aren't being obscured. If I print them out to stdout the only thing obscured in them is the letter m.

Here is the resource

resource "shell_script" "create_kafka_stores" {
  lifecycle_commands {
    create = file("${path.module}/create_stores.sh")
    delete = "echo {}"
  }

  environment = {
    ID = random_integer.id.result
  }

  sensitive_environment = {
    KAFKA_PRIVATE_KEY         = var.access_key
    KAFKA_CLIENT_CERTIFICATE  = var.access_cert
    KEYSTORE_PASSWORD         = random_string.ssl_password.result
    TRUSTSTORE_PASSWORD       = random_string.ssl_password.result
    KAFKA_SERVICE_CERTIFICATE = var.kafka_ca_certificate
  }
}

and here is my script

#!/bin/sh

# Exit if there are any errors. Trapping signal 0 (EXIT) fires on every exit,
# including a successful one, so the trap is cleared below once the work is done.
abort()
{
    echo >&2 '
***************
*** ABORTED ***
***************
'
    echo "An error occurred. Exiting..." >&2
    exit 1
}

trap 'abort' 0
set -e

# Files under /tmp are created with the default umask, so the private key written
# here is readable by other local users until it is cleaned up; a restrictive
# umask or a mktemp -d directory would narrow that.
echo "$KAFKA_SERVICE_CERTIFICATE" > "/tmp/ca.txt"

echo "$KAFKA_PRIVATE_KEY" > "/tmp/compositefile-$ID.txt"
echo "$KAFKA_CLIENT_CERTIFICATE" >> "/tmp/compositefile-$ID.txt"
# The password is quoted so whitespace or glob characters in it are passed intact
# (it is still visible to other users in the process list via the pass: argument).
openssl pkcs12 -export -in "/tmp/compositefile-$ID.txt" -out "/tmp/keyStore-$ID.p12" -password "pass:$KEYSTORE_PASSWORD"

# `python -m base64 -d` base64 decoding to be able to run on Mac and Linux the same way.
# Note that set -e only sees the exit status of keytool, the last command in the pipeline.
echo "$KAFKA_SERVICE_CERTIFICATE" | python -m base64 -d | keytool -keystore "/tmp/trustStore-$ID.jks" -alias CARoot12384912 -import -storepass "$TRUSTSTORE_PASSWORD" -noprompt

KEYSTORE_BINARY=$(base64 "/tmp/keyStore-$ID.p12")
TRUSTSTORE_BINARY=$(base64 "/tmp/trustStore-$ID.jks")

# Clear the EXIT trap so the normal exit below is not reported as an abort.
trap : 0

# The provider parses the resource output as JSON read from stdout.
jq -n --arg keyStoreBinary "$KEYSTORE_BINARY" --arg trustStoreBinary "$TRUSTSTORE_BINARY" '{"base64_encoded_keystore":$keyStoreBinary, "base64_encoded_truststore":$trustStoreBinary}'

I can send you the contents of the sensitive variables to your email (I'd rather not post them publicly to GitHub even though it's only uat and I'm going to rotate them once this is resolved). I'm not quite sure where the sensitivity around the letter m is coming from.

annedroiid commented 4 years ago

Looking at the contents of the SSL password I think it's the issue. From the looks of it the provider isn't dealing very well with having special characters within a variable.

annedroiid commented 4 years ago

Also worth mentioning is that the script works fine in our dev environment where the SSL password doesn't have any special characters in it.
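Added illustration of the class of bug the reporter suspects: it is not the provider's code and makes no claim about what 1.5.0 actually changed. If a masking routine builds a regular expression from each sensitive value instead of matching it literally, a value containing metacharacters can match text that is not the secret (spurious ***** in the output) or fail to match the secret itself (the value leaks). The secrets and stdout sample below are constructed for the example; maskNaive and maskLiteral are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// maskNaive compiles each sensitive value as a regexp. A value that contains
// '.', '+', '(' and similar characters is then interpreted as a pattern: it can
// match unrelated text, match only a prefix of the real secret, or fail to
// compile at all, in which case the secret is never masked.
func maskNaive(output string, secrets []string) string {
	for _, s := range secrets {
		re, err := regexp.Compile(s)
		if err != nil {
			continue // unparseable "pattern": the secret is silently left in the output
		}
		output = re.ReplaceAllString(output, "*****")
	}
	return output
}

// maskLiteral treats every sensitive value as an opaque byte string. Longer
// values are replaced first so that a secret which is a substring of another
// secret does not break the longer match. Multi-line values (PEM blobs) need no
// special handling because strings.ReplaceAll is byte-literal.
func maskLiteral(output string, secrets []string) string {
	sorted := append([]string(nil), secrets...)
	sort.SliceStable(sorted, func(i, j int) bool { return len(sorted[i]) > len(sorted[j]) })
	for _, s := range sorted {
		if s == "" {
			continue // never replace the empty string; it would mask the whole output
		}
		output = strings.ReplaceAll(output, s, "*****")
	}
	return output
}

func main() {
	// Constructed sample: one password with regexp metacharacters, one that
	// does not even compile as a pattern, and a stdout line containing both
	// plus a look-alike string that is not a secret.
	secrets := []string{"p4ss.w0rd+", "s3cret("}
	stdout := "p4ssXw0rddd s3cret( p4ss.w0rd+"
	fmt.Println("naive:  ", maskNaive(stdout, secrets))   // ***** s3cret( *****+
	fmt.Println("literal:", maskLiteral(stdout, secrets)) // p4ssXw0rddd ***** *****
}
```

With the naive version the look-alike "p4ssXw0rddd" is masked even though it is not a secret, "s3cret(" leaks entirely, and the trailing "+" of the real password survives masking; the literal version masks exactly the two secrets and nothing else. A literal match over the sensitive_environment values, applied to stdout before it is logged, is the behaviour a user of this provider would expect.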

scottwinkler commented 4 years ago

Hmm okay I'll take a look at it. Thanks for bringing this to my attention

scottwinkler commented 4 years ago

Fixed as part of release 1.5.0. Sorry it took so long.