Support https endpoint

[ghost]

Hello,

Please add support for https connection in provider configuration. Currently, all requests to AliCloud API are sent via HTTP protocol which is not secure and contains sensitive data like access key.

Example:

provider "alicloud" {
   access_key = "..."
   secret_key = "..."
   region = "...region..."
   https = true
}

This issue is very urgent from a security perspective.

Thanks,

[ozbillwang]

I am curious. May I know how you get the endpoint url? How do you know it is http, not https?

When I enable debug (TF_LOG=DEBUG terraform apply) I can see some extra debug logs, but these logs are not that much.

[ghost]

I did Wireshark inspections to see the requests designated to AliCloud endpoints and found that they are http based.

I would be a nice feature in terraform to include request logs if TF_LOG debug applied.

[chanind]

Wow that's scary! I tried to fix this in a PR here: #613. Does this fix the https issues you saw?

[xiaozhu36]

HI @ninja-at-work Currently, all of services have supported https and please update to release 1.27.0.

[chanind]

It looks like OTS is still using HTTP fd70bf9. Maybe we should update the docs with a warning that using OTS resources is insecure?

[xiaozhu36]

Hi @chanind I am sorry. I am working on resolving ots supports https and it will support in the next version.

[chanind]

Ok thanks for your hard work @xiaozhu36!