
Certificate private keys not hashed for aws_api_gateway_domain_name resource #6382

Closed
ghost opened this issue Nov 7, 2018 · 2 comments
Labels
service/apigateway Issues and PRs that pertain to the apigateway service.

Comments

@ghost

ghost commented Nov 7, 2018

This issue was originally opened by @henrytk as hashicorp/terraform#9452. It was migrated here as a result of the provider split. The original body of the issue is below.


Affected Resource(s)

  • aws_api_gateway_domain_name

Expected Behavior

Based on the behaviour of the aws_iam_server_certificate resource I would expect the certificate_private_key field to be hashed before being stored in the state file.

The expected implementation would be a StateFunc, such as the pre-existing normalizeCert function which is used to hash the private key of the aws_iam_server_certificate resource.

Actual Behavior

The certificate private key is stored as plain text.

@bflad bflad added the service/apigateway Issues and PRs that pertain to the apigateway service. label Nov 12, 2018
@aeschright aeschright added the needs-triage Waiting for first response or review from a maintainer. label Jun 24, 2019
@bflad
Contributor

bflad commented Nov 12, 2019

Hi @henrytk 👋 Thank you for submitting this.

We do not intend to add attribute value hashing to additional attributes. There are a few issues and unexpected behaviors that occur when the values are hashed in the Terraform state:

  • Any references to the attribute in other providers/resources will only contain the hashed value
  • Any update calls that require the information have no way of retrieving the actual value to successfully update
  • Hashing is not commonly applied across all sensitive values and mostly unknown as an issue until it is an issue

Some of these issues can be seen here:

The Terraform state should be wholly treated as sensitive content and protected by any means as appropriate in your organization including but not limited to whole state encryption provided by many Terraform Backends and restricting access to the state location (e.g. restrictive policies on the state storage).

Since we don't intend to change this position with regards to hashing values at this time, we are going to close this for now. If there are other enhancements which do not have the same problematic characteristics and are scalable across Terraform resources, we would recommend submitting a new feature request or adding to the discussion on some existing feature requests surrounding state encryption such as hashicorp/terraform#9556. Thank you again for submitting this.

@bflad bflad closed this as completed Nov 12, 2019
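Added example (not code from this issue or from the AWS provider) putting the two positions above side by side in Go: a StateFunc-style digest of the kind the report asks for, assumed to resemble normalizeCert rather than copied from it, and the consequence the maintainer describes, that a hashed state value can still detect drift but cannot be handed back to an update call or to a referencing resource. The PEM text is a constructed placeholder, and stateEntry, hashStateValue, needsUpdate and valueForAPICall are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Constructed sample input: a placeholder PEM body, not a real key.
const sampleKey = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-NOT-A-KEY\n-----END PRIVATE KEY-----\n"

// hashStateValue is the StateFunc shape the issue asks for. It is assumed to
// resemble the provider's normalizeCert, not copied from it: strip CRs and
// surrounding whitespace so a re-saved PEM does not produce a spurious diff,
// then persist only a digest of the secret.
func hashStateValue(v string) string {
	clean := strings.TrimSpace(strings.ReplaceAll(v, "\r", ""))
	sum := sha256.Sum256([]byte(clean))
	return hex.EncodeToString(sum[:])
}

// stateEntry is a constructed stand-in for the attribute as persisted in state.
type stateEntry struct {
	stored string // what Terraform writes to the state file
	hashed bool   // true when stored holds hashStateValue(key), not key
}

// needsUpdate is the one comparison a hashed attribute still supports:
// has the configured key changed since the last apply?
func needsUpdate(e stateEntry, configured string) bool {
	if e.hashed {
		return e.stored != hashStateValue(configured)
	}
	return e.stored != configured
}

// valueForAPICall is the maintainer's objection made concrete: an update that
// must resend the key, or another resource referencing the attribute, can only
// get the real value back when state holds it in plain text.
func valueForAPICall(e stateEntry) (string, bool) {
	if e.hashed {
		return "", false // a digest cannot be inverted
	}
	return e.stored, true
}
```

Drift detection works either way; only the plain-text entry can supply the key again, which is the trade-off the thread describes.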
@ghost
Author

ghost commented Dec 13, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Dec 13, 2019
@breathingdust breathingdust removed the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2021