fix: handle unencrypted secrets (#139)

3d0509bb · Nikolay Kolev · GitHub · a59da0dd · 3d0509bb
Commit 3d0509bb authored Mar 04, 2021 by Nikolay Kolev Committed by GitHub Mar 04, 2021
Show whitespace changes
Inline Side-by-side

Showing with 17 additions and 28 deletions

outputs.tf modules/iam-user/outputs.tf +17 -28

No files found.
--- a/modules/iam-user/outputs.tf
+++ b/modules/iam-user/outputs.tf
+locals {
+  has_encrypted_password = length(compact(aws_iam_user_login_profile.this.*.encrypted_password)) > 0
+  has_encrypted_secret   = length(compact(aws_iam_access_key.this.*.encrypted_secret)) > 0
+}
+
 output "this_iam_user_name" {
  description = "The user's name"
  value       = element(concat(aws_iam_user.this.*.name, [""]), 0)
@@ -15,18 +20,12 @@ output "this_iam_user_unique_id" {

 output "this_iam_user_login_profile_key_fingerprint" {
  description = "The fingerprint of the PGP key used to encrypt the password"
-  value = element(
-    concat(aws_iam_user_login_profile.this.*.key_fingerprint, [""]),
-    0,
-  )
+  value       = element(concat(aws_iam_user_login_profile.this.*.key_fingerprint, [""]), 0)
 }

 output "this_iam_user_login_profile_encrypted_password" {
  description = "The encrypted password, base64 encoded"
-  value = element(
-    concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]),
-    0,
-  )
+  value       = element(concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]), 0)
 }

 output "this_iam_access_key_id" {
@@ -37,7 +36,7 @@ output "this_iam_access_key_id" {
      aws_iam_access_key.this_no_pgp.*.id,
      [""],
    ),
-    0,
+    0
  )
 }

@@ -64,7 +63,7 @@ output "this_iam_access_key_ses_smtp_password_v4" {
      aws_iam_access_key.this_no_pgp.*.ses_smtp_password_v4,
      [""],
    ),
-    0,
+    0
  )
 }

@@ -76,7 +75,7 @@ output "this_iam_access_key_status" {
      aws_iam_access_key.this_no_pgp.*.status,
      [""],
    ),
-    0,
+    0
  )
 }

@@ -87,26 +86,20 @@ output "pgp_key" {

 output "keybase_password_decrypt_command" {
  description = "Decrypt user password command"
-  value = <<EOF
-echo "${element(
-  concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]),
-  0,
-)}" | base64 --decode | keybase pgp decrypt
+  value       = !local.has_encrypted_password ? null : <<EOF
+echo "${element(concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]), 0)}" | base64 --decode | keybase pgp decrypt
 EOF

 }

 output "keybase_password_pgp_message" {
  description = "Encrypted password"
-  value = <<EOF
+  value       = !local.has_encrypted_password ? null : <<EOF
 -----BEGIN PGP MESSAGE-----
 Version: Keybase OpenPGP v2.0.76
 Comment: https://keybase.io/crypto

-${element(
-  concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]),
-  0,
-)}
+${element(concat(aws_iam_user_login_profile.this.*.encrypted_password, [""]), 0)}
 -----END PGP MESSAGE-----
 EOF

@@ -114,7 +107,7 @@ EOF

 output "keybase_secret_key_decrypt_command" {
  description = "Decrypt access secret key command"
-  value       = <<EOF
+  value       = !local.has_encrypted_secret ? null : <<EOF
 echo "${element(concat(aws_iam_access_key.this.*.encrypted_secret, [""]), 0)}" | base64 --decode | keybase pgp decrypt
 EOF

@@ -122,7 +115,7 @@ EOF

 output "keybase_secret_key_pgp_message" {
  description = "Encrypted access secret key"
-  value       = <<EOF
+  value       = !local.has_encrypted_secret ? null : <<EOF
 -----BEGIN PGP MESSAGE-----
 Version: Keybase OpenPGP v2.0.76
 Comment: https://keybase.io/crypto
@@ -135,14 +128,10 @@ EOF

 output "this_iam_user_ssh_key_ssh_public_key_id" {
  description = "The unique identifier for the SSH public key"
-  value = element(
-    concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, [""]),
-    0,
-  )
+  value       = element(concat(aws_iam_user_ssh_key.this.*.ssh_public_key_id, [""]), 0)
 }

 output "this_iam_user_ssh_key_fingerprint" {
  description = "The MD5 message digest of the SSH public key"
  value       = element(concat(aws_iam_user_ssh_key.this.*.fingerprint, [""]), 0)
 }
-