jfrog/terraform-provider-artifactory

artifactory_keypair: GPG validate warning prints private key in clear text.

Closed this issue · 3 comments

Describe the bug
The warning regarding the inability to validate GPG keys will print the private key in clear text when running terraform plan or terraform validate.

Requirements for an issue
Terraform v1.8.4
Artifactory provider v10.8.1

resource "artifactory_keypair" "some-keypair-6543461672124900137" {
  pair_name   = "some-keypair-6543461672124900137"
  pair_type   = "GPG"
  alias       = "some-alias-6543461672124900137"
  private_key = file("samples/gpg.priv")
  public_key  = file("samples/gpg.pub")
}

Output, actual key redacted:

│ Warning: Usage of GPG can't be validated.
│ 
│   with artifactory_keypair.some-keypair-6543461672124900137,
│   on cdk.tf.json line 2802, in resource.artifactory_keypair.some-keypair-6543461672124900137:
│ 2802:         "private_key": "-----BEGIN PGP PRIVATE KEY BLOCK-----  <redacted> -----END PGP PRIVATE KEY BLOCK-----",
│ 
│ Due to limitations of go libraries, your GPG key can't be validated client
│ side.

Expected behavior
The private key should be masked in the output from terraform plan.

Workaround

  • Do not run terraform validate.
  • Run terraform plan with the -compact-warnings flag.
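
A complementary mitigation for CI, added here as an example and not part of the original issue or the provider's code: a small filter that masks armored private key blocks in captured `terraform validate` / `terraform plan` output before the log is stored. The names `Redact`, `keyBlock`, `mask` and `sample` are hypothetical, and the sample log is constructed from the warning quoted above with a fake key body.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"regexp"
)

// keyBlock matches an armored PGP/PEM private key from its BEGIN line to its END
// line, across real or JSON-escaped newlines. An unterminated block is matched to
// the end of the input, so a truncated log fails closed.
var keyBlock = regexp.MustCompile(
	`(?s)-----BEGIN [A-Z ]*PRIVATE KEY[A-Z ]*-----.*?(?:-----END [A-Z ]*PRIVATE KEY[A-Z ]*-----|\z)`)

const mask = "[REDACTED PRIVATE KEY]"

// sample is constructed from the warning quoted in the issue; the key body is fake.
const sample = "│ Warning: Usage of GPG can't be validated.\n" +
	`│ 2802:  "private_key": "-----BEGIN PGP PRIVATE KEY BLOCK-----\nFAKE\n-----END PGP PRIVATE KEY BLOCK-----",` + "\n" +
	"│ Due to limitations of go libraries, your GPG key can't be validated client\n"

// Redact returns log with every private key block masked, plus the block count.
func Redact(log string) (string, int) {
	n := len(keyBlock.FindAllStringIndex(log, -1))
	return keyBlock.ReplaceAllLiteralString(log, mask), n
}

// main filters stdin to stdout and exits 1 if anything was masked, so a CI step
// still surfaces the leak. With empty stdin it runs on the constructed sample.
func main() {
	in, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read:", err)
		os.Exit(2)
	}
	if len(in) == 0 {
		in = []byte(sample)
	}
	clean, n := Redact(string(in))
	fmt.Print(clean)
	if n > 0 {
		fmt.Fprintf(os.Stderr, "masked %d private key block(s)\n", n)
		os.Exit(1)
	}
}
```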

@nbaju1 Thanks for the suggestion! I'll add this to our plan.

@nbaju1 The attribute is already marked as "Sensitive" (https://github.com/jfrog/terraform-provider-artifactory/blob/master/pkg/artifactory/resource/security/resource_artifactory_keypair.go#L114). The error message you see is created by the Terraform core so I think the bug belongs there. I'll see if there's an existing GitHub issue related to this. If not, I'll open a new issue.

@alexhung - side note:
https://pkg.go.dev/golang.org/x/crypto/openpgp

This was updated as recently as a week ago. There may now be support.