Write-only attribute support for TLS managed resources

[JonasNuvibit]

Terraform CLI and Provider Versions

terraform >= 1.10
tls provider: v4.1.0 (to be relased) https://github.com/hashicorp/terraform-provider-tls/milestone/8
Tested with open PR: #637 #637
https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert

Use Cases or Problem Statement

With ephemeral resources comming to the provider, write-only attribute support should be added to the existing resources.

While testing the ephemeral.tls_private_key feature I noticed that the tls_cert_request does not support the ephemeral key as private_key_pem attribute.

This impacts the following resources:

• tls_cert_request
• tls_locally_signed_cert
• tls_self_signed_cert

Proposal

Write-only attribute support (private_key_pem) for the following resources:

• tls_cert_request
• tls_locally_signed_cert
• tls_self_signed_cert

How much impact is this issue causing?

High

Additional Information

To reproduce

# The private key is generated using ephemeraltls provider
ephemeral "ephemeraltls_private_key" "key" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "tls_cert_request" "csr" {
  private_key_pem = ephemeral.ephemeraltls_private_key.key.private_key_pem
  subject {
    common_name = "foo-bar"
  }
}

Error message

Error: Invalid use of ephemeral value

Ephemeral values are not valid for "private_key_pem", because it is not a
write-only attribute and must be persisted to state.

Code of Conduct

• I agree to follow this project's Code of Conduct

[JoseThen]

If this was set, we could avoid using local exec to provision this outside

[sanderjochems-capgemini]

@lonegunmanb I see you made a lot of work on the ephemeral resources for this provider. Thank you for that! Would you be able to take a look at this issue and maybe even create a PR, please?

[mvanholsteijn]

I will try to fix this one.

[tobywan]

I have found that I cannot use an ephemeral azure keyvault secret to provide the private_key_pem of a data.tls_public_key resource,

e.g. in file secrets.tf

ephemeral "azurerm_key_vault_secret" "example" {
  name         = "existing_secret"
  key_vault_id = azurerm_key_vault.example.id
}

data "tls_public_key" "example" {
  private_key_pem = ephemeral.azurerm_key_vault_secret.example.value
}

gives

 Error: Invalid use of ephemeral value

   with data.tls_public_key.example,
   on secrets.tf line xx, in data "tls_public_key" "example":
   xx:   private_key_pem = ephemeral.azurerm_key_vault_secret.example.value

 Ephemeral values are not valid for "private_key_pem", because it is not a write-only
 attribute and must be persisted to state.

So I think it follows from the discussion above, that if tls_public_key had an ephemeral version, then it would be able to provide the public key part, but it wouldn't store the pem data in the state.

Would this be covered in the work of this issue, or does it need an additional PR/Issue to track?

[mvanholsteijn]

@tobywan AFAICS you would need to open another case to provide the ephemeral tls_public_key resource

[paragor]

Hi @bbasata
I’d like to ask if the maintainer team has any plans to review the 3 related pull requests [/pull/689] [/pull/695] [/pull/696] — they all seem ready to review.
This feature is quite important for security teams, as currently the community has to rely on a number of dirty workarounds (like using local-exec or custom scripts) to achieve similar behavior.

Thanks in advance for your time and for maintaining the provider!