Terraform – FotD – rsadecrypt()

This is part of an ongoing series of posts documenting the built-in interpolation functions in Terraform. For more information, check out the beginning post. In this post I am going to cover the rsadecrypt() function. The example file is on GitHub here.

What is it?

Function name: rsadecrypt(string, key)

Returns: Takes a base64 encoded string that has been encrypted with an RSA key and decrypts it using the supplied RSA key. Returns the decrypted string.

Example:

# Returns decrypted string
output "rsadecrypt_output" {
  value = "${rsadecrypt(file("path_to_encrypted_file"),file("path_to_rsa_key"))}"
}

Example file:

##############################################
# Function: rsadecrypt
##############################################
##############################################
# Variables
##############################################
variable "encrypted_string_path" {}

variable "private_key_path" {}


##############################################
# Resources
##############################################
##############################################
# Outputs
##############################################
output "rsadecrypt_output" {
  value = "${rsadecrypt(file(var.encrypted_string_path),file(var.private_key_path))}"
}

Run the following from the rsadecrypt folder to get example output for a number of different cases:

#We have to generate a key pair first
#You will need openssl to do this
openssl genrsa -out private.key 2048

#Then we have to encrypt a string
openssl rsautl -encrypt -inkey .\private.key -in .\cleartext.txt -out encrypted.txt

#And base64 encode it
openssl enc -a -in .\encrypted.txt -out .\encrypted64.txt -none

#Now we can use Terraform to decrypt
terraform apply -var "encrypted_string_path=encrypted64.txt" -var "private_key_path=private.key"

Why use it?

I am guessing that you are getting the encrypted string from some parameter store and then getting the RSA key from some secure location and decrypting the value. This could probably be used to store passwords in a key value store, and decrypt them at runtime with an RSA key that was stored somewhere else. I’d rather use Vault for storing sensitive data, or Azure Key Vault, or AWS Secrets Manager. What I am saying, is that there are options, ones that are likely better than this. This function was added in version 11.2 with the reasoning: “This is particularly useful for decrypting the password for a Windows instance on AWS EC2, but is generic and may find other uses too.” That is a legitimate use case, but a better plan would be to store the password on one of the secure options I listed above.

Lessons Learned

Getting this to work as an example was a bit of a challenge. I don’t exactly use openssl everyday. But after about 20 minutes of furious Google-Fu and general messing around, I was able to work out some simple commands to see this bad boy in action. You will need openssl installed on your local machine to work through the example. If you don’t already have it installed, you probably should. I used Chocolately to install it: choco install OpenSSL.Light -y

If you’re on Linux, just hit up your package manager.

Coming up next is a triple threat, I’m going to combine the sha1(), sha256(), and sha512() functions into a single post. Because I am crazy efficient.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.