Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

serverless (function/container/namespace): import resources with secret environment variables #2382

Open
norbjd opened this issue Jan 30, 2024 · 0 comments · May be fixed by #2434
Open

serverless (function/container/namespace): import resources with secret environment variables #2382

norbjd opened this issue Jan 30, 2024 · 0 comments · May be fixed by #2434
Assignees
Labels
container Container issues, bugs and feature requests enhancement function Serverless function issues, bugs and feature requests priority:high New features

Comments

@norbjd
Copy link
Contributor

norbjd commented Jan 30, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Context

We can't really import serverless resources (namespaces, functions, containers) who have secret environment variables. By their nature, secret environment variables are sensitive, and therefore, not returned in plain text when GETting the resource.

However, a value hashed with Argon2id algorithm is returned by the API (see for example the documentation for functions):

{
  "name": "func1",
  "secret_environment_variables": [
    {
      "key": "env_var_1",
      "hashed_value": "$argon2id$v=19$m=65536,t=1,p=2$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG"
    }
  ]
}

Sadly, instead of leveraging this hashed value, the current implementation of the Terraform provider discards the secret environment variables: after importing a resource, the secret_environment_variables field will always be null.

This is unfortunate, as running terraform import followed by terraform apply will redeploy the resource, as secret_environment_variables changed from null to a non-null value. Thus, it will always trigger an unnecessary deployment, in the case of function and container. Or even worse, in the namespace case, as updating secrets of a namespace will redeploy all functions/containers inside.

After the first apply and the "unnecessary" redeployment, the secret environment variables will be stored in the state, so the next apply operations will behave correctly though, because now the variables are stored in the state. However, another issue is that these variables values are stored in plain text in the state, while we can technically reuse the hashed value to compare, and this would simplify managing the secrets in the import case.

Description

We could actually solve both issues (import does not set secrets + secrets values stored in plain text in the state) at the same time:

  1. instead of storing the real secret value in the state, store its hashed value returned by the API
  2. when importing a resource with secrets, just fill the secret_environment_variables field with the values returned by the API
  3. when updating a resource, check if the secrets match the existing ones. As the hashed values are hashed with Argon2 algorithm, we can use this library and ComparePasswordAndHash method to decide if one of the values has changed. If a single value of a secret has changed, we can update the secrets; if not, we don't have to update

I don't think that changing the state internal values is a breaking change (but I might be wrong).

New or Affected Resource(s)

  • scaleway_function_namespace
  • scaleway_function
  • scaleway_container_namespace
  • scaleway_container

Potential Terraform Configuration

Experience should be the same as today.

@yfodil yfodil added container Container issues, bugs and feature requests function Serverless function issues, bugs and feature requests priority:high New features labels Jan 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
container Container issues, bugs and feature requests enhancement function Serverless function issues, bugs and feature requests priority:high New features
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants