Terraform: Decryption of aws_kms_secret is not correct when using it in other resources

Created on 11 Apr 2017 · 4 Comments · Source: hashicorp/terraform

Terraform Version

Terraform v0.9.2

Affected Resource(s)

  • aws_kms_secret

Terraform Configuration Files

provider "aws" {
  region = "eu-west-1"
}

data "aws_kms_secret" "mysql_password" {
  secret {
    name    = "db_user"
    payload = "<encrypted_key>"

    context {
      mysql = "password"
    }
  }
}

provider "mysql" {
  endpoint = "127.0.0.1:3306"
  username = "root"
  password = "myrootpassword"
}

resource "mysql_user" "user" {
  user     = "db_user"
  host     = "%"
  password = "${data.aws_kms_secret.mysql_password.db_user}"
}

output "db_password" {
  value = "${data.aws_kms_secret.mysql_password.db_user}"
}

Expected Behavior

The user gets created and we are able to login with the password we encrypted with KMS

Actual Behavior

The user gets created correctly but we are not able to login with the mysql password we generated and that was encrypted with KMS. The output of Terraform matches with the original key and gets decrypted correctly. There is probably something wrong with the pass from the data source to the mysql_user user.

When we give the password in plain text to the mysql_user resource it works without any problems and we are able to login to mysql with that user.

Steps to Reproduce

  1. Create a KMS key
  2. Encrypt the password:

echo 'password' > /tmp/plaintext-password   # note: echo appends a trailing newline, which becomes part of the encrypted plaintext
aws kms encrypt --key-id keyid --plaintext fileb:///tmp/plaintext-password --encryption-context mysql=password --output text --query CiphertextBlob --region eu-west-1
rm /tmp/plaintext-password

  3. Fill the encrypted value into the Terraform example
  4. terraform plan
  5. terraform apply
  6. mysql -u db_user -p
Labels: bug, provider/aws

All 4 comments

I ran into this same issue today, however it generated a slightly different exception which strongly indicates that the KMS ciphertext payload is being passed as the password value without being decrypted first.


* aws_db_instance.instance: Error creating DB Instance: InvalidParameterValue: The parameter MasterUserPassword is not a valid password. Only printable ASCII characters besides '/', '@', '"', ' ' may be used.

@patrickod indeed we had the same problem when trying to give it to RDS as a root password.

Maybe related to this: When using the output db_password from the example above as remote state, there appears to be a newline character in the string.

Importing the state of the original example as mysql and using the password output as input somewhere:

resource "aws_lambda_function" "example" {
  function_name = "example"
  role          = "${aws_iam_role.role.arn}"
  runtime       = "nodejs4.3"
  filename      = "placeholder_lambda.zip"

  environment {
    variables = {
      SQL_PASSWORD = "${data.terraform_remote_state.mysql.db_password}"
    }
  }
}

results in environment.0.variables.SQL_PASSWORD: "" => "expectedpassword\n"

Alternatively, hardcoding the password results in a change:
environment.0.variables.SQL_PASSWORD: "expectedpassword\n" => "expectedpassword"
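The reproduction steps in the issue and the `"expectedpassword\n"` diff in the comment above fit together: KMS encrypts exactly the bytes in the plaintext file, and `echo 'password' > file` writes nine bytes, the ninth being a newline, so the data source faithfully returns the newline and the MySQL (or RDS, where a newline is not a printable ASCII character either) password no longer matches. The following helpers are an added example, not code from the issue or from the Terraform project; the function names `has_trailing_newline`, `write_secret_plaintext` and `kms_encrypt` are my own. They write the plaintext without a newline and refuse to call `aws kms encrypt` on a file that ends in one.

```shell
#!/bin/sh
# Added example, not from the issue thread or the Terraform project.
# The KMS payload is whatever bytes are in the plaintext file, so a newline
# written by `echo` is encrypted too and comes back out of
# data.aws_kms_secret as "expectedpassword\n". These helpers (assumed
# names) write the plaintext without that newline and refuse to encrypt
# a file that has one.

# has_trailing_newline FILE: true if FILE is non-empty and its last byte is \n.
# Command substitution strips trailing newlines, so $(tail -c 1 FILE) is empty
# exactly when the last byte is a newline.
has_trailing_newline() {
  [ -s "$1" ] && [ -z "$(tail -c 1 "$1")" ]
}

# write_secret_plaintext FILE VALUE: write VALUE with printf '%s', which,
# unlike echo, adds no trailing newline.
write_secret_plaintext() {
  printf '%s' "$2" > "$1"
}

# kms_encrypt FILE KEY_ID CONTEXT: print the base64 CiphertextBlob to paste
# into the Terraform `payload`, but only if FILE does not end in a newline.
# CONTEXT is the encryption context as key=value (e.g. mysql=password);
# the same context must be set on the data source or decryption fails.
kms_encrypt() {
  if has_trailing_newline "$1"; then
    printf 'refusing to encrypt %s: plaintext ends with a newline\n' "$1" >&2
    return 1
  fi
  aws kms encrypt --key-id "$2" --plaintext "fileb://$1" \
    --encryption-context "$3" --output text --query CiphertextBlob
}
```

If a ciphertext with the newline already exists, Terraform's `chomp()` interpolation function strips it at use time (`"${chomp(data.aws_kms_secret.mysql_password.db_user)}"`), but re-encrypting a clean plaintext is the better fix, since every consumer of the secret, including remote state readers, then sees the same value.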

I'm going to lock this issue because it has been closed for _30 days_. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
