Cannot set binary secret using google_secret_manager_secret_version

[devqore]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

$ terraform version
Terraform v1.0.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v3.78.0
+ provider registry.terraform.io/hashicorp/google-beta v3.78.0

Affected Resource(s)

• google_secret_manager_secret_version

Terraform Configuration Files

Currently, there is no possibility to save binary secret in Google Secret Manager using terraform, because file function cannot be used and proposed filebase64 saves file literally content as base64

resource "google_secret_manager_secret" "cert-pfx" {
  secret_id = "cert-pfx"

  replication {
    automatic = true
  }
}

resource "google_secret_manager_secret_version" "cert-pfx" {
  secret      = google_secret_manager_secret.cert-pfx.id
  secret_data = file("mycert.pfx")
}

That returns expected failure:

$ terraform plan
╷
│ Error: Error in function call
│ 
│   on 13_google_secrets.tf line 98, in resource "google_secret_manager_secret_version" "cert-pfx":
│   98:   secret_data = file("mycert.pfx")
│ 
│ Call to function "file" failed: contents of mycert.pfx are not valid UTF-8; use the filebase64 function to obtain the Base64
│ encoded contents or the other file functions (e.g. filemd5, filesha256) to obtain file hashing results instead.

With filebase64 apply is working without issues:

...

resource "google_secret_manager_secret_version" "cert-pfx" {
  secret      = google_secret_manager_secret.cert-pfx.id
  secret_data = filebase64("mycert.pfx")
}

but it contains a plain base64 file (this base64 content is self-generated pfx certificate):

$ gcloud secrets versions access 1 --secret=cert-pfx
MIIKOQIBAzCCCf8GCSqGSIb3DQEHAaCCCfAEggnsMIIJ6DCCBJ8GCSqGSIb3DQEHBqCCBJAwggSMAgEAMIIEhQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQImJp8c05/+DUCAggAgIIEWDnaCzphgNBLABxT3hXxudygn75cN2oYoifHqFBOOc5ipo4BXyDHW+Ye1H0KRmym09wISmzgVATxsf5/JK+MdjRjV4p6uV9Pd+/ZltxmfRI3B1T3ieatgwufj5CI/I8v5AhycqLaEm4dRkX70D45QvJIdahsmQ+LIRPCJODZt+5KOnXZFBh/TFwQYE+yRp+6fUPXcAFv2nFZn7c34BR7Ktk0ZaOxpCEPFJD2g9xaY9UAgtAXXbrIDCLcl0h4mdGBFjxSQNvcCOle0X1ECbqsIXL9iprAh0a4JB9VT5cU4lTf8NLhLzOsgienBnSx9NnyjPkt859XchwnR2aJmwg0GLstdOInzmtXCVEKpXRF2x8c570gTWgLFosQaCT3ZJafGRERjwRYi7BZKq2nFY6Sd8Gn+y3mNWKrJV0xXk2v+kbv3Dh1m8VC/fXfYgoyoH6icrIxROl43h2NPI0q+wTIRspMjrRhmVAw++bG4Z4M8DY+t8zi3ExoMvBPoC4KkW+oIbNRrGn7LU+rP7AWPC0/FYFYwmyFyvMBnnBo6J21iTkPQ9s1GCmV+/uPg2aH3yZ8iNa1FJ0PGbw8NXMtR/tfFiFAemYHOZ3ealovnkEJnFP0FBoCj49fZOcEhHREKPkZnwOyVQL1fAM0jwES7PSMFred6DI6vTyvGxUbjOXfP7MLyYtM69dSJWmVbnk3HJcBLmP4obwPGPSzbSl5PSIwNFYPOB6FAl4x5v3zLjFcKvqKDfSntD4QFU6QvntuhsrjSsZ+0WrQRyXbThKOF3L+HZk3N5R4lfFPFguhbhFN8ZY+/Dw4IePz24iidIu4Sbwo1fMmWsakIdmNSxFLmcEkhqz1IeUx8isUyi5N+4kkjmGU4Dabw0pHq/AWDTK+Dl1XFc4HNG6GVnu2Ir3uzx1o5bBm23Q/CJkF7CZuaKWtNGljn7STlewhgpDOhzhLgaXjLffQicML6baHVv79FNvsPA1g8C5jgxkMN7ghSNSoGQF3Z1rwwRDsbLofuUQrHQoa3GN5wXlO1zcNTbi3OQxIEkipH/cQgVRvxDJm3Hh0kQFWuzdqAiG7ONcYogD1/w7ko5tqUJy/0AtwKizLnMehowg47FIUy7xhAHYdvbcb1xIZ8NHSd8iclDBcJXaXEGRnfSWFWQOHCJuvD3efWJKmOzhzQN/GxqyUcibjk5l1QFnKv+6mwGebQiAoaLazJTSYy8+WObctPBFB06knaRPmj07cDlfEV1dFQuy3LvnCp/BShXDzcy0JO2ewPu9kRe7hxvV/TfJFSEErocMxnSayXENA8k/chmfPi5zwSjVVJ0ezObhcgRFK/LanxHQo34IlZt9GAJzwIu0GkU49CPuAs9hb+Yi0PFq9vN/FZdHRzvwTvbocqumlv1VVO2+Sk1AafKFcXkr+MX8Z1+aegVGQTob/2/3NPs/vmOaldd8FgN5kwEhYoFDLw24UyBXM69XVIamZGNWyFYdNMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECPmbvzwrvqtZAgIIAASCBMih3hoezkNLEOsBzxU61roP6dcNIUHCHNEZJnnuBKdVlHpYS/R0Q9k5zlz6eKgwEgtSzEadQXp4kijERqXgUnv4GYBHWC1V3A2zyhFehWngX6Ysbw3ASUKhtSISVKaraNYEGwLb7lJwURcjICVejXNyzKmAjn1/5aDfOdQEKquu4D+wo0ng78OClblwGUDfRj/0z11wHrSPP9627k5kREodIX3ibsx6UTP1RZ1d2x0Sm98o/ObV5ycOOMVJ9zoAYJgB5hmxtjnqzl6mNg1604QCsKJZ1Jx9Xl/kicyJN8wUOV65Lt8Bb2LEG6rKQVwqm7jnCeRv2Kl8UuRgQ+noat2egD77TQxFQlg9mdOapCdkH8JT3sYfMu9WUx7k7gEePIWm7r1B15bgwvBYPGUwE311ZPktKyR8Vxra9hYaYBdr14xOLFTyQ5YeBrC/iJj8rFqnQNzW0XA71ytxM9HuheA6JfViE+MeqxY73ekwHNiKFuwr7RAfgHnUhitMdnSNtl7B8GXUVeT2FIliSxfsEwpLD2tZZeifFzB48aU5uVZmiaYaHwDdLa5052xRt11Qo/8KY22o0c0nPmf5x1jI+qFuCQoCeB1D84fd5kEZptv1o+Hl9iaRd1qDdUAdk3Oeo9yLHKxczd8pXyEDLYlJXvLnb+VbC4E4qTaLkQq/x62gMwZGhXYQr00g0It7CKt5ewtdh6FCb+VWf6lcm0nDcSe3+lzA2SAZZG1za42GA4OJOx/xkT5/NZ6kaVdU92frUfkIRQtrlQxIc7KA9HSK+cucTs6ycPq3jU66PSNtbr2lXvo/5wWMxiKEy57CAXK71pEzyvDLHDwclHaas/3kfJl6rcRB23u1LETZRbU39yBl5jG8OT0zsvz2S2uDOiTUt2RntV5qJQJa+uwJ2KCjZoI2fex4Hegu2AkfvZ8ruyK/EhrzAHGAFsAq3imwCtmSdcLdUro1o/+O+RtMcjz7MBMZST4CP+mtv2H0SbdbXhf7vTYkUPJZlgQjYRY38MZBuDOJwzvoU4/LsrCCUpPtp//5x1aUMoz6dtc1jAar1ZBQV+TBHpeqsjgdZuBFinA0WlPZea0iz/3Q7ySXEda8I6VsdkZRv7zxpv218UDsBVOxy9IEF548uOYDl/NN5n95Z4nR0hFNrx46IWCBy81YXu7e67imfYKj9nyuzF+XkYsqDz+3qVpF9D6UwA7ReuKZoiGIKoSiBdlSb3AWHX7h0gKp/tRPJGAGEkIVEcaGAP2WGSVueKa5rGt4VAKpHsAcdaThI4F3ius4k2IPa3A8sOp0nOP2noVtFjJLXluCCzyEPAPhytq13Q3DSIj/LdWNI+f4CuIh3aQu3YE9CH6mjLExqkMx/Z1jg5JAYqZZDR5sdarJbvO4+iNH1iDbF8xH3ujfxNCDv9vLEBFhp0VMtGojsinVvYtbl9wULvha9/4AXrzEY+BQtHaDvtH/pVmkmN22ud0nmLTDfXcPdM++SsEpwWiFf20ZwTmaw13RYxfAzggEB3b3wDPQkSHIQ5i4v9jtWgxE5aj8Seoup0VX/JwA7ResuOnwhCIlvZvbsAJgExL0sX/IgMn5vqht0ntrktXdbFw3Qv/mew/DzhEuAYWbspGw3y4rZP8xJTAjBgkqhkiG9w0BCRUxFgQUExNyu+cI2HJzVT5U09TWUKZtAHQwMTAhMAkGBSsOAwIaBQAEFFp+4Ae00i29tlkL03ebNgE5ngPuBAgt3UIeHIJSqQICCAA=

Expected Behavior

There should be a possibility to save a binary file in Google Secret Manager using terraform, maybe with an additional parameter like secret_data_base64 or some kind of detection in the secret_data parameter.

[edwardmedia]

@devqore error appears to indicate this failure was in the function file. Can you follow its suggestion to test?

Call to function "file" failed: contents of mycert.pfx are not valid UTF-8; use the filebase64 function to obtain the Base64
encoded contents or the other file functions (e.g. filemd5, filesha256) to obtain file hashing results instead.

[devqore]

@edwardmedia sure, I followed this suggestion and that created a plain text file with base64 content (output with content already described in the above comment #10129 (comment)).

But I think there should be a possibility to save secret as a binary file, as binary files are supported by Google Secret Manager. It would be great to do this using terraform as it's possible to do this using gcloud.

[edwardmedia]

@devqore I think the error is in the file. What do you see after you resolve that issue? Please provide the debug log so I can take a look

[devqore]

@edwardmedia it creates plain text file encoded as base64 instead of binary file:

$ gcloud secrets versions access 1 --secret=cert-pfx
MIIKOQIBAzCCCf8GCSqGSIb3DQEHAaCCCfAEggnsMIIJ6DCCBJ8GCSqGSIb3DQEHBqCCBJAwggSMAgEAMIIEhQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQImJp8c05/+DUCAggAgIIEWDnaCzphgNBLABxT3hXxudygn75cN2oYoifHqFBOOc5ipo4BXyDHW+Ye1H0KRmym09wISmzgVATxsf5/JK+MdjRjV4p6uV9Pd+/ZltxmfRI3B1T3ieatgwufj5CI/I8v5AhycqLaEm4dRkX70D45QvJIdahsmQ+LIRPCJODZt+5KOnXZFBh/TFwQYE+yRp+6fUPXcAFv2nFZn7c34BR7Ktk0ZaOxpCEPFJD2g9xaY9UAgtAXXbrIDCLcl0h4mdGBFjxSQNvcCOle0X1ECbqsIXL9iprAh0a4JB9VT5cU4lTf8NLhLzOsgienBnSx9NnyjPkt859XchwnR2aJmwg0GLstdOInzmtXCVEKpXRF2x8c570gTWgLFosQaCT3ZJafGRERjwRYi7BZKq2nFY6Sd8Gn+y3mNWKrJV0xXk2v+kbv3Dh1m8VC/fXfYgoyoH6icrIxROl43h2NPI0q+wTIRspMjrRhmVAw++bG4Z4M8DY+t8zi3ExoMvBPoC4KkW+oIbNRrGn7LU+rP7AWPC0/FYFYwmyFyvMBnnBo6J21iTkPQ9s1GCmV+/uPg2aH3yZ8iNa1FJ0PGbw8NXMtR/tfFiFAemYHOZ3ealovnkEJnFP0FBoCj49fZOcEhHREKPkZnwOyVQL1fAM0jwES7PSMFred6DI6vTyvGxUbjOXfP7MLyYtM69dSJWmVbnk3HJcBLmP4obwPGPSzbSl5PSIwNFYPOB6FAl4x5v3zLjFcKvqKDfSntD4QFU6QvntuhsrjSsZ+0WrQRyXbThKOF3L+HZk3N5R4lfFPFguhbhFN8ZY+/Dw4IePz24iidIu4Sbwo1fMmWsakIdmNSxFLmcEkhqz1IeUx8isUyi5N+4kkjmGU4Dabw0pHq/AWDTK+Dl1XFc4HNG6GVnu2Ir3uzx1o5bBm23Q/CJkF7CZuaKWtNGljn7STlewhgpDOhzhLgaXjLffQicML6baHVv79FNvsPA1g8C5jgxkMN7ghSNSoGQF3Z1rwwRDsbLofuUQrHQoa3GN5wXlO1zcNTbi3OQxIEkipH/cQgVRvxDJm3Hh0kQFWuzdqAiG7ONcYogD1/w7ko5tqUJy/0AtwKizLnMehowg47FIUy7xhAHYdvbcb1xIZ8NHSd8iclDBcJXaXEGRnfSWFWQOHCJuvD3efWJKmOzhzQN/GxqyUcibjk5l1QFnKv+6mwGebQiAoaLazJTSYy8+WObctPBFB06knaRPmj07cDlfEV1dFQuy3LvnCp/BShXDzcy0JO2ewPu9kRe7hxvV/TfJFSEErocMxnSayXENA8k/chmfPi5zwSjVVJ0ezObhcgRFK/LanxHQo34IlZt9GAJzwIu0GkU49CPuAs9hb+Yi0PFq9vN/FZdHRzvwTvbocqumlv1VVO2+Sk1AafKFcXkr+MX8Z1+aegVGQTob/2/3NPs/vmOaldd8FgN5kwEhYoFDLw24UyBXM69XVIamZGNWyFYdNMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECPmbvzwrvqtZAgIIAASCBMih3hoezkNLEOsBzxU61roP6dcNIUHCHNEZJnnuBKdVlHpYS/R0Q9k5zlz6eKgwEgtSzEadQXp4kijERqXgUnv4GYBHWC1V3A2zyhFehWngX6Ysbw3ASUKhtSISVKaraNYEGwLb7lJwURcjICVejXNyzKmAjn1/5aDfOdQEKquu4D+wo0ng78OClblwGUDfRj/0z11wHrSPP9627k5kREodIX3ibsx6UTP1RZ1d2x0Sm98o/ObV5ycOOMVJ9zoAYJgB5hmxtjnqzl6mNg1604QCsKJZ1Jx9Xl/kicyJN8wUOV65Lt8Bb2LEG6rKQVwqm7jnCeRv2Kl8UuRgQ+noat2egD77TQxFQlg9mdOapCdkH8JT3sYfMu9WUx7k7gEePIWm7r1B15bgwvBYPGUwE311ZPktKyR8Vxra9hYaYBdr14xOLFTyQ5YeBrC/iJj8rFqnQNzW0XA71ytxM9HuheA6JfViE+MeqxY73ekwHNiKFuwr7RAfgHnUhitMdnSNtl7B8GXUVeT2FIliSxfsEwpLD2tZZeifFzB48aU5uVZmiaYaHwDdLa5052xRt11Qo/8KY22o0c0nPmf5x1jI+qFuCQoCeB1D84fd5kEZptv1o+Hl9iaRd1qDdUAdk3Oeo9yLHKxczd8pXyEDLYlJXvLnb+VbC4E4qTaLkQq/x62gMwZGhXYQr00g0It7CKt5ewtdh6FCb+VWf6lcm0nDcSe3+lzA2SAZZG1za42GA4OJOx/xkT5/NZ6kaVdU92frUfkIRQtrlQxIc7KA9HSK+cucTs6ycPq3jU66PSNtbr2lXvo/5wWMxiKEy57CAXK71pEzyvDLHDwclHaas/3kfJl6rcRB23u1LETZRbU39yBl5jG8OT0zsvz2S2uDOiTUt2RntV5qJQJa+uwJ2KCjZoI2fex4Hegu2AkfvZ8ruyK/EhrzAHGAFsAq3imwCtmSdcLdUro1o/+O+RtMcjz7MBMZST4CP+mtv2H0SbdbXhf7vTYkUPJZlgQjYRY38MZBuDOJwzvoU4/LsrCCUpPtp//5x1aUMoz6dtc1jAar1ZBQV+TBHpeqsjgdZuBFinA0WlPZea0iz/3Q7ySXEda8I6VsdkZRv7zxpv218UDsBVOxy9IEF548uOYDl/NN5n95Z4nR0hFNrx46IWCBy81YXu7e67imfYKj9nyuzF+XkYsqDz+3qVpF9D6UwA7ReuKZoiGIKoSiBdlSb3AWHX7h0gKp/tRPJGAGEkIVEcaGAP2WGSVueKa5rGt4VAKpHsAcdaThI4F3ius4k2IPa3A8sOp0nOP2noVtFjJLXluCCzyEPAPhytq13Q3DSIj/LdWNI+f4CuIh3aQu3YE9CH6mjLExqkMx/Z1jg5JAYqZZDR5sdarJbvO4+iNH1iDbF8xH3ujfxNCDv9vLEBFhp0VMtGojsinVvYtbl9wULvha9/4AXrzEY+BQtHaDvtH/pVmkmN22ud0nmLTDfXcPdM++SsEpwWiFf20ZwTmaw13RYxfAzggEB3b3wDPQkSHIQ5i4v9jtWgxE5aj8Seoup0VX/JwA7ResuOnwhCIlvZvbsAJgExL0sX/IgMn5vqht0ntrktXdbFw3Qv/mew/DzhEuAYWbspGw3y4rZP8xJTAjBgkqhkiG9w0BCRUxFgQUExNyu+cI2HJzVT5U09TWUKZtAHQwMTAhMAkGBSsOAwIaBQAEFFp+4Ae00i29tlkL03ebNgE5ngPuBAgt3UIeHIJSqQICCAA=

There should be binary content. I've attached pfx mycert.zip from example, after unzipping try to do:

$ cat mycert.pfx

and you will see a lot of !@? as this is a binary file, but the provider saves this as base64 (same as base64 mycert.pfx) which requires extra decoding (echo "somebase64content==" | base64 -d > mycert.pfx).

I'm aware that may be hard to detect if the secret is given as base64 and should be decoded or not so maybe there should be an additional parameter secret_data_base64 which will put any data to the secret manager after decoding base64 (no matter binary or not, just decode data and put to the secret manager and keep in the state base64 content)

[devqore]

@edwardmedia what response is needed here? as I'm seeing added label, without a question.

[edwardmedia]

@devqore sorry I refreshed the page, somehow the new label was added for me.

I am not quite sure if I fully understand the issue here. If you run below config, do you see the issue10129-secret-data somewhere? Or if you replace the data with some string data, do you see the same data?

resource "google_secret_manager_secret_version" "cert-pfx" {
  secret      = google_secret_manager_secret.cert-pfx.id
  secret_data = "issue10129-secret-data"
}

[devqore]

@edwardmedia this is working properly as this is plain text (not binary data). I applied the above secret_data and in the state I'm seeing:

{
    "mode": "managed",
    "type": "google_secret_manager_secret_version",
    "name": "cert-pfx",
    "provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
    "instances": [
    {
        "schema_version": 0,
        "attributes": {
        "create_time": "2021-09-23T18:26:43.525816Z",
        "destroy_time": "",
        "enabled": true,
        "id": "projects/XXX/secrets/cert-pfx/versions/1",
        "name": "projects/XXX/secrets/cert-pfx/versions/1",
        "secret": "projects/XXX/secrets/cert-pfx",
        "secret_data": "issue10129-secret-data",
        "timeouts": null
        },
        "sensitive_attributes": [],
        "private": "XXX",
        "dependencies": [
        "google_secret_manager_secret.cert-pfx"
        ]
    }
    ]
},

also gcloud returns properly:

$ gcloud secrets versions access 1 --secret=cert-pfx
issue10129-secret-data

---

The problem is how to save binary data like for example pfx/zip or something different, as binary data is supported by Google Secret Manager.

For simplicity, you can use this zip file and try to save it like this:

resource "google_secret_manager_secret_version" "hello-zip-from-tf" {
  secret      = google_secret_manager_secret.hello-zip-from-tf.id
  secret_data = filebase64("hello.zip")
}

and then get secret with:

$ gcloud secrets versions access 1 --secret=hello-zip-from-tf
UEsDBBQAAAAAALZ6NVMhDtujBgAAAAYAAAAJAAAAaGVsbG8udHh0aG93ZGkKUEsBAj8DFAAAAAAAtno1UyEO26MGAAAABgAAAAkAAAAAAAAAAAAAAKSBAAAAAGhlbGxvLnR4dFBLBQYAAAAAAQABADcAAAAtAAAAAAA=

After that create the secret with exactly the same file using gcloud, for example like this:

$ gcloud secrets create hello-zip-gcloud --data-file=hello.zip 
Created version [1] of the secret [hello-zip-gcloud].

Finally, try to download the secret with gcloud command and you will see binary content

Is now more clear for you where there is a problem?

[edwardmedia]

@devqore I see. Do you lock down the state in a secure location? If the state does not match what you have in the config, what do you expect every time when you run tf plan or/and tf apply? Do you expect the resource to be an encryption tool?

[devqore]

@edwardmedia for now I would like to only store binary credentials using tf like I can do this with plain text as this is supported by Google Secret Manager.

I'm aware that the state needs to be stored securely. Also, I would expect that tf plan and tf apply would work like it always does - every change will be applied. I do not expect that resource to be an encryption tool, as this is not the subject of the issue.

[edwardmedia]

@devqore currently this is by design. Not sure if that is possible for what you expected. @melinath what do you think?

[melinath]

This is probably an enhancement request.

It looks like the issue is basically:

1. Secrets Manager lets you set secret values with a base64-encoded string
2. Our implementation allows secret_data as a literal string, which we then base64 encode/decode to communicate with the API.
3. So, you can't provide a literal base64 string to send as-is.

The ideal solution might have been to treat secret_data as a base64 string, though that might have made it more annoying for folks trying to use the output value inside their TF configurations?

A new field might be a reasonable solution.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.