Community Note
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to a user, that user is claiming responsibility for the issue.
Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.
Description
These resources accept the TLS certificate private key as plain text, hence they will store the private key in the Terraform state file.
The Terraform state file is NOT compliant with general Secret Management practice.
There have been a few issues raised discussing similar things (see references).
The preferred place to store a TLS certificate private key is GCP Secret Manager, so we could add support to these 2 resources to accept a GCP Secret Manager secret version as input to create a GCP Compute SSL Certificate.
It would be quite similar to the existing google_cloudbuildv2_connection:
private_key_secret_version - (Optional) SecretManager resource containing the private key of the GitHub App, formatted as projects/*/secrets/*/versions/*.
Both the TLS certificate private key and the certificate public key can be retrieved from GCP Secret Manager.
These 2 newly added fields will conflict with the existing fields:
private_key
certificate
So the resources will create the Compute SSL certificate when either one of the pairs is present.
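The state-file exposure described in this issue, as an added example that is not code from the issue or from the provider: a check that scans a terraform.tfstate (state format version 4) for PEM private-key material, plus a validator for the Secret Manager version reference format quoted above from the google_cloudbuildv2_connection docs. The sample state, its project and secret names, and the key body are constructed placeholders.

```python
import json
import re

# PEM header that marks private-key material (RSA, EC, PKCS#8, encrypted or not).
PEM_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Secret Manager version reference, as the google_cloudbuildv2_connection docs format it.
SECRET_VERSION_RE = re.compile(r"^projects/[^/]+/secrets/[^/]+/versions/([0-9]+|latest)$")


def is_secret_version_ref(value: str) -> bool:
    """True if value is a Secret Manager version reference rather than key material."""
    return bool(SECRET_VERSION_RE.match(value))


def find_private_keys_in_state(state: dict) -> list[tuple[str, str]]:
    """Return (resource address, attribute name) for every attribute holding PEM private-key material."""
    hits = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for attr, value in inst.get("attributes", {}).items():
                if isinstance(value, str) and PEM_KEY_RE.search(value):
                    hits.append((address, attr))
    return hits


# Constructed terraform.tfstate excerpt: one certificate created from plain-text PEM input
# (the key body is a placeholder, not real key material) and one Secret Manager version.
SAMPLE_STATE = json.loads("""
{
  "version": 4,
  "resources": [
    {"mode": "managed", "type": "google_compute_ssl_certificate", "name": "plain",
     "instances": [{"attributes": {
        "certificate": "-----BEGIN CERTIFICATE-----\\nCONSTRUCTED\\n-----END CERTIFICATE-----",
        "private_key": "-----BEGIN RSA PRIVATE KEY-----\\nCONSTRUCTED-PLACEHOLDER\\n-----END RSA PRIVATE KEY-----"}}]},
    {"mode": "managed", "type": "google_secret_manager_secret_version", "name": "tls_key",
     "instances": [{"attributes": {"name": "projects/my-project/secrets/tls-key/versions/3"}}]}
  ]
}
""")

if __name__ == "__main__":
    for address, attr in find_private_keys_in_state(SAMPLE_STATE):
        print(f"plaintext private key in state: {address}.{attr}")
```

Run against a real state file with json.load(open("terraform.tfstate")); a non-empty result means the state backend, not Secret Manager, is holding the key.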
Note from triage: We prefer to keep resources matching what the API defines and features like this should be addressed at the Core level - hashicorp/terraform#516
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.