State transmitted in cleartext for azurerm backend with SAS token

[phekmat]

Terraform Version

Terraform version: 0.12.16

Terraform Configuration Files

provider "azurerm" {
  version = "~> 1.36.1"
}
terraform {
  backend "azurerm" {
    storage_account_name = "<REDACTED>"
    container_name       = "tfstate"
    key                  = "terraform.tfstate"
  }
}

Expected Behavior

Terraform should transfer state over HTTPS

Actual Behavior

Terraform transmits the state over HTTP

Steps to Reproduce

1. Create a SAS token for the storage account with either the spr set to https,http or not present
2. Run a plan using the SAS token for authenticating

Additional Context

This was originally discovered under the azure provider as hashicorp/terraform-provider-azurerm#4912 and is related to Azure/azure-sdk-for-go#4870. Terraform is still using an older version of the SDK which doesn't have this fix. Workarounds are to set the spr to https or use an access key instead.

With the SDK fix, if spr is https,http, then HTTP is also used instead of HTTPS.

References

• Backend is not using a secure connection terraform-provider-azurerm#4912
• fix a bug when spr parameter is missing Azure/azure-sdk-for-go#4870

[pkolyvas]

Thanks for submitting this issue report. We take security concerns very seriously. This issue is in triage and we will post an update here shortly.

[pkolyvas]

We have reproduced this issue and are working on a fix.

[danieldreier]

We have a fix pending in the linked PR. We're expecting to merge it and release it in v0.12.17 on Monday. @phekmat and @giggio thank you for reporting this issue!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.