sspinc / terraform-provider-credstash

Terraform provider for secrets stored with credstash
MIT License

Cannot decrypt secrets generated by credstash > 1.13.1 #8

Closed jmarrama-nuna closed 6 years ago

jmarrama-nuna commented 7 years ago

Whenever I try to decrypt secrets in terraform that were generated by credstash 1.13.1 and above, I get the following error:

data.credstash_secret.<name>: Computed HMAC on <name> does not match stored HMAC

This is caused by a breaking change documented in https://github.com/fugue/credstash/issues/154 where the HMAC encoding was switched. The terraform plugin should be able to handle both types of HMAC encodings.

tmichel commented 7 years ago

Thanks for reporting this. I'll look into it when I have some time.

If you'd like to give it a try and fix the issue I can give you some pointers where to start.

clarkem commented 7 years ago

Hi @tmichel, any pointers would be appreciated!

tmichel commented 6 years ago

I think the original assessment is right: the change of the hmac field from string to binary in DynamoDB causes the issue.

The relevant functions are here: https://github.com/sspinc/terraform-provider-credstash/blob/6a6dd0488d1a09347dcc24791325b40464d6e34a/credstash/secret.go#L158-L209. We need to handle both string and binary formats. The commit from credstash that fixes the issue.
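The dual-format handling described in the comment above, as an added Go example that is not the provider's own code: the `StoredHMAC` struct, the key and the ciphertext are constructed stand-ins for the DynamoDB attribute the provider reads through the AWS SDK, and the HMAC-SHA256-over-ciphertext scheme is credstash's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StoredHMAC is a hypothetical stand-in for the DynamoDB "hmac" attribute:
// older credstash wrote a hex string (S), newer versions write raw bytes (B).
type StoredHMAC struct {
	S string // populated when the attribute came back as a string
	B []byte // populated when the attribute came back as binary
}

// decodeStoredHMAC normalises either encoding to the raw HMAC bytes.
func decodeStoredHMAC(v StoredHMAC) ([]byte, error) {
	switch {
	case len(v.B) > 0:
		return v.B, nil
	case v.S != "":
		return hex.DecodeString(v.S)
	default:
		return nil, fmt.Errorf("hmac attribute is empty")
	}
}

// verifyHMAC recomputes HMAC-SHA256 over the ciphertext with the HMAC key and
// compares it to the stored value in constant time, whichever encoding was used.
func verifyHMAC(hmacKey, ciphertext []byte, stored StoredHMAC) (bool, error) {
	want, err := decodeStoredHMAC(stored)
	if err != nil {
		return false, err
	}
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(ciphertext)
	return hmac.Equal(mac.Sum(nil), want), nil
}

func main() {
	key, ct := []byte("constructed-hmac-key"), []byte("constructed-ciphertext")
	mac := hmac.New(sha256.New, key)
	mac.Write(ct)
	sum := mac.Sum(nil)
	okOld, _ := verifyHMAC(key, ct, StoredHMAC{S: hex.EncodeToString(sum)}) // pre-1.13.1 layout
	okNew, _ := verifyHMAC(key, ct, StoredHMAC{B: sum})                     // 1.13.1+ layout
	fmt.Println(okOld, okNew) // true true
}
```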

nickheiner-usds commented 6 years ago

For what it's worth, my team just stopped using this provider because of this issue. We're calling credstash directly and loading the values as env vars instead.

That said, thank you for your open source work! :smile:

tmichel commented 6 years ago

This is fixed now. Interestingly no one bumped into this here at Secret Sauce.