-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support to data source "google_secret_manager_secret_version" for binary secret values #17321
Add support to data source "google_secret_manager_secret_version" for binary secret values #17321
Comments
@cghislai this looks like something we've come across before, where the data is being corrupted when treated as binary vs a string. Could you take a look at this comment and see if it helps you resolve? #10835 (comment) |
@roaks3 its similar. A new feature to expose the secret data as base64-encoded string in the "google_secret_manager_secret_version" and 'google_secret_manager_secret_version_access" datasources is probably required as well. The resource 'google_secret_manager_secret_version' already has a flag to handle binary data: is_secret_data_base64 - (Optional) If set to 'true', the secret data is expected to be base64-encoded string and would be sent as is. However, for binary secrets created outside of terraform, the datasources have no way to obtain usable data. |
labeling as an enhancement based on #10835 |
Just to clarify for the service team before forwarding: this appears to be missing behavior specifically for the datasources (not the resource). |
Hi, Is there any update or workarounds for this? my use-case is basically the same:
using doing this works however just fine, and get a usable jks file:
ps. didn't create another issue to not duplicate thanks |
Yea, unfortunately I don't think we have a good workaround for this one. Once the data is available from the resource (either using outputs or TF state directly), it is already corrupt, and I'm not aware of a clean way to get it back into a usable format. I believe |
As a workaround, we base64 binaries before placing them in Secret Manager - this is not something the GCP UI does when using the file picker - then, the secret_data you get from the data block doesn't seem to be corrupted.
where binary_data from docs is: |
Note from triage: Keeping this an enhancement as a request for a new field that allows binary content to behave as expected, since it likely can't be handled in the same way as string fields. |
Community Note
to expedite investigation and resolution of this issue.
Terraform Version
Terraform v1.7.2
on linux_amd64
Affected Resource(s)
data source google_secret_manager_secret_version
Terraform Configuration
Debug Output
No response
Expected Behavior
The binary content of the secret version uploaded on gcp secretmanager is preserved
eg;
Actual Behavior
The binary content of the secret version data is altered.
Steps to reproduce
terraform apply
terraform state show template_file.text
; and compare the binary contentImportant Factoids
I can get the binary data from a secret version using gcloud:
The data is decodable into a zip file:
I can also get the text content of the secret using gcloud, and encode it using base64:
In this case, the binary content is altered, and I cannot recreate a readable zip archive from this.
However, it is the exact same content that terraform provides in its secret_data field:
So it seems that terraform interprets the secret data as a string, resulting in the corruption of binary data.
The gcloud secret version acess documentation mentions:
References
No response
b/326473689
The text was updated successfully, but these errors were encountered: