From 5105e5831f037f1680e4747a181c11e936a68f37 Mon Sep 17 00:00:00 2001
From: Jeff Albert
Date: Wed, 28 Nov 2018 14:49:33 -0500
Subject: [PATCH] Updated to not save the password in plaintext
---
 ..._arm_azuread_service_principal_password.go | 22 +++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/azurerm/resource_arm_azuread_service_principal_password.go b/azurerm/resource_arm_azuread_service_principal_password.go
index f1c3bdf3f57c..3d961198ab8e 100644
--- a/azurerm/resource_arm_azuread_service_principal_password.go
+++ b/azurerm/resource_arm_azuread_service_principal_password.go
@@ -1,6 +1,8 @@
 package azurerm
 import (
+ "crypto/sha256"
+ "encoding/base64"
 "fmt"
 "log"
 "strings"
@@ -40,10 +42,11 @@ func resourceArmActiveDirectoryServicePrincipalPassword() *schema.Resource {
 },
 "value": {
- Type: schema.TypeString,
- Required: true,
- ForceNew: true,
- Sensitive: true,
+ Type: schema.TypeString,
+ Required: true,
+ ForceNew: true,
+ Sensitive: true,
+ DiffSuppressFunc: resourceArmActiveDirectoryServicePrincipalPasswordDiff,
 },
 "start_date": {
@@ -120,6 +123,8 @@ func resourceArmActiveDirectoryServicePrincipalPasswordCreate(d *schema.Resource
 return fmt.Errorf("Error creating Password Credential %q for Service Principal %q: %+v", keyId, objectId, err)
 }
+ d.Set("value", resourceArmActiveDirectoryServicePrincipalPasswordHash(value))
+
 d.SetId(fmt.Sprintf("%s/%s", objectId, keyId))
 return resourceArmActiveDirectoryServicePrincipalPasswordRead(d, meta)
@@ -239,3 +244,12 @@ func resourceArmActiveDirectoryServicePrincipalPasswordDelete(d *schema.Resource
 return nil
 }
+
+func resourceArmActiveDirectoryServicePrincipalPasswordHash(password string) string {
+ hash := sha256.Sum256([]byte(password))
+ return base64.StdEncoding.EncodeToString(hash[:])
+}
+
+func resourceArmActiveDirectoryServicePrincipalPasswordDiff(k, old, new string, d *schema.ResourceData) bool {
+ return old == resourceArmActiveDirectoryServicePrincipalPasswordHash(new)
+}
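Review bot: State written by earlier provider versions still holds the plaintext `value`, and nothing in the visible hunks rewrites it. The digest is only stored in Create, and for an unchanged configuration the stored and configured strings are presumably equal, so no diff is raised and the plaintext stays in state until the credential is recreated. Bumping `SchemaVersion` on the resource and adding a `MigrateState` that replaces the stored value with its digest would close that gap. The schema block continues outside this hunk, so a migration may already exist elsewhere in the file.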
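Review bot: The return value of the added `d.Set("value", ...)` call is discarded, so if writing the digest fails the configured plaintext would presumably remain in state with no error reported. Check it: `if err := d.Set("value", resourceArmActiveDirectoryServicePrincipalPasswordHash(value)); err != nil { return fmt.Errorf("Error setting value: %+v", err) }`. Since the attribute now holds a digest, any configuration that interpolates this resource's `value` will likely receive the base64 SHA-256 instead of the password, which deserves a comment here and a note in the resource documentation. The Create function starts and ends outside the hunk.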
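Review bot: `resourceArmActiveDirectoryServicePrincipalPasswordHash` stores a single unsalted SHA-256 of the password. That keeps the secret out of casual view, but anyone who can read the state file can still check guesses against the digest offline, and identical passwords give identical digests across resources. Neither new function has a doc comment; the hash helper should carry one such as `// ...PasswordHash returns the base64 SHA-256 of password; it exists only to detect configuration drift and does not protect low-entropy passwords stored in state.` A per-resource random salt kept beside the digest would at least stop equal passwords from matching, and the state backend should still be treated as sensitive.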