artifactory_keypair: GPG validate warning prints private key in clear text.
Closed this issue · 3 comments
Describe the bug
The warning regarding the inability to validate GPG keys will print the private key in clear text when running terraform plan or terraform validate.
Requirements for an issue
Terraform v1.8.4
Artifactory provider v10.8.1
resource "artifactory_keypair" "some-keypair-6543461672124900137" {
  pair_name   = "some-keypair-6543461672124900137"
  pair_type   = "GPG"
  alias       = "some-alias-6543461672124900137"
  private_key = file("samples/gpg.priv")
  public_key  = file("samples/gpg.pub")
}
Output, actual key redacted:
│ Warning: Usage of GPG can't be validated.
│
│ with artifactory_keypair.some-keypair-6543461672124900137,
│ on cdk.tf.json line 2802, in resource.artifactory_keypair.some-keypair-6543461672124900137:
│ 2802: "private_key": "-----BEGIN PGP PRIVATE KEY BLOCK----- <redacted> -----END PGP PRIVATE KEY BLOCK-----",
│
│ Due to limitations of go libraries, your GPG key can't be validated client
│ side.
Expected behavior
The private key should be masked in the output from terraform plan
Workaround
- Do not run terraform validate.
- Run terraform plan with the -compact-warnings flag.
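A complementary log filter, added here as an example (it is not part of the original issue or of the provider's code): it masks ASCII-armored PGP private key blocks in Terraform output before a CI system stores it, whether the armor sits on one line as in the warning above or spans several lines. The `Redactor` class, the mask text, the exit code 3 and the sample lines are assumptions of this example.

```python
import sys

BEGIN = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
END = "-----END PGP PRIVATE KEY BLOCK-----"
MASK = "[REDACTED PGP PRIVATE KEY]"

# Constructed sample shaped like the warning in the report; "QUJD" is a dummy
# body, not key material. Used only when nothing is piped in.
SAMPLE = [
    "│ Warning: Usage of GPG can't be validated.\n",
    '│ 2802: "private_key": "' + BEGIN + "\\nQUJD\\n" + END + '",\n',
]


class Redactor:
    """Line filter; state carries across lines so multi-line armor is caught."""

    def __init__(self):
        self.inside = False  # True between a BEGIN marker and its END marker
        self.hits = 0        # number of key blocks seen

    def feed(self, line):
        out, rest = "", line
        while rest:
            if self.inside:
                end = rest.find(END)
                # No END on this line: everything left is key material, so
                # drop it (a truncated block fails closed).
                rest = "" if end == -1 else rest[end + len(END):]
                self.inside = end == -1
            else:
                start = rest.find(BEGIN)
                if start == -1:
                    out, rest = out + rest, ""
                else:
                    out += rest[:start] + MASK
                    rest = rest[start + len(BEGIN):]
                    self.inside = True
                    self.hits += 1
        return out


def main():
    r = Redactor()
    for line in (SAMPLE if sys.stdin.isatty() else sys.stdin):
        sys.stdout.write(r.feed(line))
    # Non-zero exit lets the pipeline flag that a key reached the output.
    return 3 if r.hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved under an assumed name such as redact_pgp.py, it is used as `terraform validate -no-color 2>&1 | python3 redact_pgp.py`.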
@nbaju1 The attribute is already marked as "Sensitive" (https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/resource/security/resource_artifactory_keypair.go#L114). The error message you see is created by the Terraform core so I think the bug belongs there. I'll see if there's an existing GitHub issue related to this. If not, I'll open a new issue.
@alexhung - side note:
https://pkg.go.dev/golang.org/x/crypto/openpgp
This was updated as recently as a week ago. There may now be support.