State transmitted in cleartext for azurerm backend with SAS token #23493
Labels: backend/azure, bug, security, Auto-pinning, v0.12 (issues, primarily bugs, reported against v0.12 releases)
Terraform Version
Terraform Configuration Files
Expected Behavior
Terraform should transfer state over HTTPS
Actual Behavior
Terraform transmits the state over HTTP
Steps to Reproduce
- `spr` set to `https,http` or not present
- `plan` using the SAS token for authenticating

Additional Context
This was originally discovered under the azure provider as hashicorp/terraform-provider-azurerm#4912 and is related to Azure/azure-sdk-for-go#4870. Terraform is still using an older version of the SDK which doesn't have this fix. Workarounds are to set the `spr` to `https` or use an access key instead.

With the SDK fix, if `spr` is `https,http`, then HTTP is also used instead of HTTPS.

References
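A pre-flight check for the workaround described in this issue, as an added example that is not part of the original report or of Terraform's code: it inspects the `spr` field of a SAS token and accepts the token only when it is restricted to `https`. The function names, verdict constants and sample tokens are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Verdicts returned by classify_spr() (hypothetical names for this example)
HTTPS_ONLY = "https-only"    # spr=https: the workaround from the issue
ALLOWS_HTTP = "allows-http"  # spr=https,http: cleartext transport possible
MISSING = "missing"          # no spr field: the issue reproduces here too
INVALID = "invalid"          # repeated, empty or unexpected spr value


def classify_spr(sas_token: str) -> str:
    """Classify the spr field of a SAS token, query string or full URL."""
    # Keep only the query part; handles a leading "?" and a full blob URL.
    query = sas_token.strip().split("?", 1)[-1]
    # parse_qs percent-decodes values, so "https%2Chttp" becomes "https,http".
    values = parse_qs(query, keep_blank_values=True).get("spr")
    if not values:
        return MISSING
    if len(values) > 1:
        return INVALID  # an ambiguous token should be rejected, not guessed at
    protocols = {p.strip().lower() for p in values[0].split(",")}
    if protocols == {"https"}:
        return HTTPS_ONLY
    if protocols == {"https", "http"}:
        return ALLOWS_HTTP
    return INVALID


def safe_for_backend(sas_token: str) -> bool:
    """True only when the token cannot be used over plain HTTP."""
    return classify_spr(sas_token) == HTTPS_ONLY


def redact(sas_token: str) -> str:
    """Hide the signature so the token can be written to a log."""
    return re.sub(r"(?i)(^|[?&])sig=[^&]*", r"\1sig=REDACTED", sas_token)


if __name__ == "__main__":
    # Constructed sample tokens; the signatures are not real.
    samples = [
        "?sv=2019-02-02&sp=rwl&se=2030-01-01T00:00:00Z&spr=https&sig=AAAA",
        "?sv=2019-02-02&sp=rwl&se=2030-01-01T00:00:00Z&spr=https,http&sig=BBBB",
        "?sv=2019-02-02&sp=rwl&se=2030-01-01T00:00:00Z&sig=CCCC",
    ]
    for token in samples:
        print(f"{classify_spr(token):12} {redact(token)}")
```

Running the check in CI before the token is handed to the backend rejects any token that is not `https-only`.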