azurerm_key_vault_certificate: Certificate password on import is plain text visible on plan output

[bcline760]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

Terraform v0.11.11
+ provider.azurerm v1.23.0
+ provider.null v2.1.0
+ provider.random v2.1.0

Affected Resource(s)

• azurerm_key_vault_certificate

Terraform Configuration Files

resource "azurerm_key_vault_certificate" "external-certificate" {
  name         = "o360-splunk-external-certificate"
  key_vault_id = "${azurerm_key_vault.splunk_keyvault.id}"

  certificate {
    contents = "${base64encode(file("${var.certificate-path}/cert-${var.certificate_name}.pfx"))}"
    password = "${var.certificate_password}"
  }

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }
  }
}

Expected Behavior

I should expect to see any sensitive materials such as keys and passwords to be masked with "<sensitive>" in the Terraform plan output.

Actual Behavior

certificate.0.password:                                                "[REDACTED]"
certificate_data:                                                      <computed>
certificate_policy.#:                                                  "1"

The certificate password specified to the terraform plan is plain text visible in the output. This is potentially dangerous to any CI/CD platforms that capture output for display and/or logging purposes.

EDIT: It is also plain text visible when the plan is being applied.

Steps to Reproduce

1. Create an Azure Key Vault using azurerm_key_vault
2. Have a certificate on the ready to import with a password and then set the password in the configuration using resource azurerm_key_vault_certificate
3. terraform init, terraform plan, terraform apply

[Lucretius]

This is addressed by #3064 which should be available in the next release.

[tombuildsstuff]

hey @bcline760

Thanks for opening this issue :)

As @Lucretius has mentioned this has been fixed via #3064 (thanks again @Lucretius!) and will be available in the next release of the AzureRM Provider (v1.24) in the near future. Since this has been fixed I'm going to close this issue for the moment - however I've assigned this to the v1.24 milestone so that you'll get a notification here when that's released.

Thanks!

[ghost]

This has been released in version 1.24.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
	version = "~> 1.24.0"
}
# ... other configuration ...

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!