Description
When the private_key_pem attribute is set on a tls_self_signed_cert and that value is then read back out of the resource, the returned result is a hash of the supplied private key instead of the private key itself.
Terraform Version
- Terraform v0.13.5
- registry.terraform.io/hashicorp/tls v3.0.0
Affected Resource(s)
- tls_locally_signed_cert.cert_request_pem
- tls_locally_signed_cert.ca_private_key_pem
- tls_locally_signed_cert.ca_cert_pem
- tls_self_signed_cert.private_key_pem
Terraform Configuration Files
N/A
Debug Output
https://gist.github.com/jgoldschrafe/6c619e5e0e36d396aaf4a9cec502a70b
Expected Behavior
The private_key_pem attribute should contain the value that was set on the resource.
Actual Behavior
The private_key_pem attribute contains a hash of the value that was set on the resource.
Steps to Reproduce

```hcl
resource "tls_private_key" "root_ca" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_self_signed_cert" "root_ca" {
  key_algorithm   = "RSA"
  private_key_pem = tls_private_key.root_ca.private_key_pem

  subject {
    common_name = "blah"
  }

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
    "cert_signing",
    "crl_signing",
  ]

  is_ca_certificate     = true
  validity_period_hours = 2160
}

# Write the value that was set, and the value read back, to files for comparison.
resource "local_file" "original_value" {
  filename = "original-value.log"
  content  = tls_private_key.root_ca.private_key_pem
}

resource "local_file" "reread_value" {
  filename = "reread-value.log"
  content  = tls_self_signed_cert.root_ca.private_key_pem
}
```
```console
$ terraform apply -auto-approve
...
$ cat original-value.log
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEA6Ec9vmKkZMyG+kYLDIoq+KM2h4n3dWNui9RZzF+0e9PkKLWO
BoSxsSeH/TKmlFsx2Ulsk7CBktclquh3Cmphp8cKE+n87Q1afodfrRpaoouWygoS
UDqcxknCrlF3qhuEbWb4g2UVrUJgIwKBCTdB+/l78RceAlQPhImnT1eSAltc4/t7
CgHB5A0NUK+ZfiPtu6Lls5+PGUXf7mgCc1Wh/lXopZllc8U1HgynXd9jEpNzM/tN
0k1pC5mv79bbkBwx1cIf2B9vtA3ISxWTShVuh8i3O+SwoDjfPWzHNHd+SvDQDpvX
2WLulKp4QDFf9+BuJaVATLNEYidiHNfKJ+AFvwIDAQABAoIBAQDjco9FVHZBtf0e
KWQ8XTeCzN9ijXjhXAItrjxYYgbrkitCqbVvMJSHMnx5NRXlA/+mE73cSOQ4k7Bw
0L1wV4dUsRRvN5rRzVeluo23hazmqeV35bDVGu/VQvj9lQymZ9efAUur7lnxlKNq
5NLR4WgdgskY5VgfU4z2bYyFpux0nIB5+M43cgodku3nvDU//4Io+6d59MuSIRgi
PqFM8gbMtNdgRM2oPBJoBwsTo0RYG6ZZcOGttU5tF0hDi0v9ebO/5t5x+k3nTAJk
bY7ntnyE2sbX1bwV4HaU/vduo3gMuN+B4y3FZy6nVaCIizu0eOa7OKTQ2ZA7PtpL
Mlbgv3nBAoGBAPozLYZicaeOdSZZmMN5asBDlKnWkdQOScUtk1DF9bjTv0NZfzlQ
YDe4wZi/vsTXnf66ULLim6yitbPFG/raILR3MJxVxBT59HPg5XDh2vWnwXGUYwaJ
RDFlqJrG93fFUwEDVdd7cz6NxhGIRaPc+iVRGDmpxtlJDAFE9cZQkXQvAoGBAO2p
tOk4etm0H8p0v0Mc7zri8yEzl+B/VG5qmzAu2W3wPpjEU5/gHU9ldoKzCYVdShxq
EF00rcUtIlqigIrQNVPcHt87gaijAIjOfdRwIyibpCKD8eM7W84LopVJyRytS/+O
nht1fg9v/UUpNrjPq26C50Ks2uCx83j+UeDqZ9NxAoGBANvu6uDLXo7kihRJBCEo
dO9HOMJGzG+0k6JRWsLRERwEfodsf4pZHgs9TGjCfKY5xzeofdGRoziQ2tqItPzA
i6k3cLKsLa4mvnyyP94Hm1r/uOrnfli7hwdJDnnn1pchDMLCNM4zRW3CYE7/FABj
+judWoctt48/R99ByC4omoOfAoGBALuhK66kZHjTd/XCTe2SPlxjKEeiD9mxLNsv
Vu2nTwk4jnLVLKAfs4QnOnTdHDsp94SPR/QNztLIW0Lq4Ei3MCLQuZ7LwAV/CsD3
JOg+z8MTfXWybZlUF5qIHQd3hUsaldFgqvpKvAc8Btw/OXCWo2VP+3vsM7EJTIrN
XZ8P8IBBAoGAGeYKfFAMa9zOB3T8mrzm+BL5z6OqeuQ72De6nr7nOCC9aSc/udn+
Z3kUsqk/ntjLQGBod/lSW6iNz8kUGS/fDFE65af01Ut7nuRVQZt6NpAgFQmxLUpF
WdKA4xtm3Ae91+jMdd7u+8l6tvOBZkJaDNszccdi5Hbks3h8g9ZkFGY=
-----END RSA PRIVATE KEY-----
$ cat reread-value.log
1372d7d00099cdea83e13bff4a1892daa201ee6f
```
Important Factoids
This does not appear to be an issue related to the general handling of sensitive attribute values in Terraform; I was unable to reproduce it using a different provider that permits setting and re-reading sensitive attributes, like local_file.
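As an added diagnostic (not code from this issue or from the tls provider), the script below tells you whether a value read back from a resource is the PEM that was set, a SHA-1 digest of it, or something else. It assumes the provider stores the hex SHA-1 of the whitespace-trimmed PEM; that is inferred from the 40-character value in the reproduction, not something the issue states, and the sample PEM is constructed.

```python
import hashlib
import re

# Constructed sample; stands in for the PEM that tls_private_key emits.
# It is deliberately not a usable key, the check only looks at the text form.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEpQIBAAKCAQEA6Ec9vmKkZMyG+kYLDIoq+KM2h4n3dWNui9RZzF+0e9PkKLWO\n"
    "-----END RSA PRIVATE KEY-----\n"
)

# The value the issue shows being read back from tls_self_signed_cert.
REREAD_VALUE = "1372d7d00099cdea83e13bff4a1892daa201ee6f"

PEM_RE = re.compile(r"^-----BEGIN [A-Z ]+-----\n[\w+/=\n]+-----END [A-Z ]+-----\n?$")
SHA1_HEX_RE = re.compile(r"^[0-9a-f]{40}$")


def state_hash(value: str) -> str:
    """Assumed provider behaviour: hex SHA-1 of the whitespace-trimmed value.

    Trimming means a PEM with and without its trailing newline hash the same,
    so compare against the trimmed form rather than the raw file contents.
    """
    return hashlib.sha1(value.strip().encode()).hexdigest()


def classify(original: str, reread: str) -> str:
    """Describe what the read-back attribute is relative to the value set."""
    if reread == original:
        return "original"            # attribute round-trips as expected
    if reread == state_hash(original):
        return "sha1_of_original"    # the behaviour reported in this issue
    if SHA1_HEX_RE.match(reread):
        return "hash_shaped"         # a digest, but not of this original
    if PEM_RE.match(reread):
        return "other_pem"           # a PEM, but not the one that was set
    return "unknown"


if __name__ == "__main__":
    print(classify(SAMPLE_PEM, state_hash(SAMPLE_PEM)))
```

Run it against the two files from the reproduction by reading original-value.log and reread-value.log into classify; a result of sha1_of_original confirms the read-back value is a digest of the key rather than a redaction.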
References
N/A