Skip to content

Commit

Permalink
Added data encryption and decryption functions (#81)
Browse files Browse the repository at this point in the history 
* Added encryption and decryption functions

* Update README file
  • Loading branch information
@delinea-sagar
delinea-sagar authored Sep 18, 2024
1 parent ebd5b56 commit 02b0698
Show file tree
Hide file tree
Showing 8 changed files with 219 additions and 24 deletions.
31 changes: 28 additions & 3 deletions README.md
View file
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Delinea Secret Server - Terraform Provider

The [Delinea](https://delinea.com/) [Secret Server](https://delinea.com/products/secret-server/) [Terraform](https://www.terraform.io/) Provider allows you to access and reference Secrets in your vault for use in Terraform configurations.
The [Delinea](https://delinea.com/) [Secret Server](https://delinea.com/products/secret-server/) [Terraform](https://www.terraform.io/) Provider allows you to access and reference Secrets in your vault for use in Terraform configurations. Detail documentation of this integration is available [here](https://docs.delinea.com/online-help/integrations/terraform/configure.htm)

## Install via Registry

Expand All @@ -23,7 +23,7 @@ Terraform 0.13 uses a different file system layout for 3rd party providers. More
└───terraform.delinea.com
DelineaXPM
└───tss
└───2.0.7
└───2.0.8
└───windows_amd64
```

Expand All @@ -34,7 +34,7 @@ Terraform 0.13 uses a different file system layout for 3rd party providers. More
└───terraform.delinea.com
DelineaXPM
└───tss
└───2.0.7
└───2.0.8
├───linux_amd64
```

Expand Down Expand Up @@ -156,3 +156,28 @@ Alternatively, the domain can be provided with an environment variable:
```sh
$ export TSS_DOMAIN="mycompany.com"
```

## Encrypt terraform state file using script wrapper

Terraform supports multiple backends to securely store state files, such as AWS S3, Azure Blob Storage, and others. These backends also include built-in state locking mechanisms. However, when storing state files on a local machine drive, you need to manually encrypt the state file data to keep it secure.

To encrypt or decrypt state file data during the Terraform workflow, you must perform encryption before executing Terraform commands and decryption afterward. This can be achieved by creating script wrappers around Terraform commands like terraform init, terraform apply, and terraform destroy.

To use these script wrappers, place the script files in the Terraform executable directory and set the required user credentials in environment variables. For instructions on setting environment variables, refer to the section titled "Environment Variables" above.

Scripts for reference and more detailed information are available [here](https://docs.delinea.com/online-help/integrations/terraform/index.htm). You can modify file paths in these scripts as needed.

You can then execute the script wrappers as shown below:

Usage (For Linux)
```
$ sh terraform_init.sh
$ sh terraform_apply.sh
$ sh terraform_destroy.sh
```
Usage (For Windows)
```
> terraform_init.bat
> terraform_apply.bat
> terraform_destroy.bat
```
136 changes: 136 additions & 0 deletions delinea/encryption_helper.go
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,136 @@
package delinea

import (
"crypto/aes"
"crypto/cipher"
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"fmt"
"io"
"log"
"os"

"golang.org/x/crypto/pbkdf2"
)

// Define constants for salt length and key length
const saltLength = 16
const keyLength = 32
const iterations = 100000

func fileExists(filename string) bool {
_, err := os.Stat(filename)
if os.IsNotExist(err) {
return false
}
return err == nil
}

// EncryptFile encrypts the file content
func EncryptFile(passphrase, stateFile string) error {
if !fileExists(stateFile) {
return nil
}

// Read the input file
data, err := os.ReadFile(stateFile)
if err != nil {
return fmt.Errorf("failed to read input file: %v", err)
}

// Generate a random salt
salt := make([]byte, saltLength)
if _, err := rand.Read(salt); err != nil {
return fmt.Errorf("failed to generate salt: %v", err)
}

// Derive the encryption key using PBKDF2
key := pbkdf2.Key([]byte(passphrase), salt, iterations, keyLength, sha256.New)

// Encrypt the data
block, err := aes.NewCipher(key)
if err != nil {
return fmt.Errorf("failed to create cipher block: %v", err)
}

gcm, err := cipher.NewGCM(block)
if err != nil {
return fmt.Errorf("failed to create GCM: %v", err)
}

nonce := make([]byte, gcm.NonceSize())
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
return fmt.Errorf("failed to generate nonce: %v", err)
}

// Encrypt the data using GCM
encryptedData := gcm.Seal(nonce, nonce, data, nil)

// Prepend the salt to the encrypted data
finalData := append(salt, encryptedData...)

// Write the encrypted data to the state file
err = os.WriteFile(stateFile, []byte(base64.StdEncoding.EncodeToString(finalData)), 0644)
if err != nil {
return fmt.Errorf("failed to write encrypted data to state file: %v", err)
}

log.Printf("[DEBUG] File encrypted successfully: %s\n", stateFile)
return nil
}

// DecryptFile decrypts the content of the state file
func DecryptFile(passphrase, stateFile string) error {
if !fileExists(stateFile) {
return nil
}

// Read the encrypted file
encryptedBase64Data, err := os.ReadFile(stateFile)
if err != nil {
return fmt.Errorf("failed to read encrypted file: %v", err)
}

// Decode the base64-encoded encrypted data
encryptedData, err := base64.StdEncoding.DecodeString(string(encryptedBase64Data))
if err != nil {
return fmt.Errorf("failed to decode base64 data: %v", err)
}

// Extract the salt and encrypted data
salt := encryptedData[:saltLength]
encryptedContent := encryptedData[saltLength:]

// Derive the decryption key using PBKDF2
key := pbkdf2.Key([]byte(passphrase), salt, iterations, keyLength, sha256.New)

// Decrypt the data
block, err := aes.NewCipher(key)
if err != nil {
return fmt.Errorf("failed to create cipher block: %v", err)
}

gcm, err := cipher.NewGCM(block)
if err != nil {
return fmt.Errorf("failed to create GCM: %v", err)
}

nonceSize := gcm.NonceSize()
nonce, ciphertext := encryptedContent[:nonceSize], encryptedContent[nonceSize:]

// Decrypt the data using GCM
decryptedData, err := gcm.Open(nil, nonce, ciphertext, nil)
if err != nil {
return fmt.Errorf("failed to decrypt data: %v", err)
}

// Write the decrypted data to the state file
err = os.WriteFile(stateFile, decryptedData, 0644)
if err != nil {
return fmt.Errorf("failed to write decrypted data to state file: %v", err)
}

log.Printf("[DEBUG] File decrypted successfully: %s\n", stateFile)
return nil
}
3 changes: 1 addition & 2 deletions examples/secrets/secret_create.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ terraform {
required_providers {
tss = {
source = "DelineaXPM/tss"
version = "2.0.7"
version = "2.0.8"
}
}
}
Expand Down Expand Up @@ -49,7 +49,6 @@ provider "tss" {
server_url = var.tss_server_url
}


resource "tss_resource_secret" "secret_name" {
name = var.tss_secret_name
folderid = var.tss_secret_folderid
Expand Down
2 changes: 1 addition & 1 deletion examples/secrets/secret_get.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ terraform {
required_providers {
tss = {
source = "DelineaXPM/tss"
version = "2.0.7"
version = "2.0.8"
}
}
}
Expand Down
2 changes: 1 addition & 1 deletion examples/secrets/secrets_get.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ terraform {
required_providers {
tss = {
source = "DelineaXPM/tss"
version = "2.0.7"
version = "2.0.8"
}
}
}
Expand Down
12 changes: 7 additions & 5 deletions go.mod
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ module github.com/DelineaXPM/terraform-provider-tss/v2
require (
github.com/DelineaXPM/tss-sdk-go/v2 v2.0.1
github.com/hashicorp/terraform-plugin-sdk/v2 v2.34.0
golang.org/x/crypto v0.27.0
)

require (
Expand Down Expand Up @@ -36,11 +37,12 @@ require (
github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
github.com/zclconf/go-cty v1.14.4 // indirect
golang.org/x/mod v0.16.0 // indirect
golang.org/x/net v0.23.0 // indirect
golang.org/x/sys v0.20.0 // indirect
golang.org/x/text v0.15.0 // indirect
golang.org/x/tools v0.13.0 // indirect
golang.org/x/mod v0.17.0 // indirect
golang.org/x/net v0.25.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.25.0 // indirect
golang.org/x/text v0.18.0 // indirect
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240227224415-6ceb2ff114de // indirect
google.golang.org/grpc v1.63.2 // indirect
Expand Down
26 changes: 14 additions & 12 deletions go.sum
View file
Original file line number Diff line number Diff line change
Expand Up @@ -102,20 +102,22 @@ github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b h1:FosyBZYxY3
github.com/zclconf/go-cty-debug v0.0.0-20191215020915-b22d67c1ba0b/go.mod h1:ZRKQfBXbGkpdV6QMzT3rU1kSTAnfu1dO8dPKjYprgj8=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.27.0 h1:GXm2NjJrPaiv/h1tb2UH8QfgC/hOf/+z0p6PT8o1w7A=
golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic=
golang.org/x/mod v0.16.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
Expand All @@ -128,22 +130,22 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.25.0 h1:r+8e+loiHxRqhXVl6ML1nO3l1+oFoWbnlu2Ehimmi34=
golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/text v0.18.0 h1:XvMDiNzPAl0jr17s6W9lcaIhGUfUORdGCNsuLmPG224=
golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
Expand Down
31 changes: 31 additions & 0 deletions main.go
View file
Original file line number Diff line number Diff line change
@@ -1,12 +1,43 @@
package main

import (
"log"
"os"

"github.com/DelineaXPM/terraform-provider-tss/v2/delinea"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
"github.com/hashicorp/terraform-plugin-sdk/v2/plugin"
)

func main() {

if len(os.Args) >= 2 {
action := os.Args[1]
stateFile := os.Args[2]

passphrase := os.Getenv("TFSTATE_PASSPHRASE")
if passphrase == "" {
log.Println("Passphrase not set in TFSTATE_PASSPHRASE environment variable")
return
}

switch action {
case "encrypt":
err := delinea.EncryptFile(passphrase, stateFile)
if err != nil {
log.Printf("[DEBUG] Error encrypting file: %v\n", err)
}
case "decrypt":
err := delinea.DecryptFile(passphrase, stateFile)
if err != nil {
log.Printf("[DEBUG] Error decrypting file: %v\n", err)
}
default:
log.Println("[DEBUG] Invalid action. Use 'encrypt' or 'decrypt'.")
}
return
}

plugin.Serve(&plugin.ServeOpts{
ProviderFunc: func() *schema.Provider {
return delinea.Provider()
Expand Down

0 comments on commit 02b0698

Please sign in to comment.