Using base64

hashicorp · Oct 4, 2018 · 96f23ca · 96f23ca
1 parent 8aa2435
commit 96f23ca
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 6 deletions.
diff --git a/aws/resource_aws_secretsmanager_secret_version.go b/aws/resource_aws_secretsmanager_secret_version.go
@@ -5,6 +5,8 @@ import (
 	"log"
 	"strings"
 
+	"encoding/base64"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/secretsmanager"
 	"github.com/hashicorp/terraform/helper/schema"
@@ -71,7 +73,18 @@ func resourceAwsSecretsManagerSecretVersionCreate(d *schema.ResourceData, meta i
 	}
 
 	if v, ok := d.GetOk("secret_binary"); ok {
-		input.SecretBinary = []byte(v.(string))
+		vs := []byte(v.(string))
+
+		if !isBase64Encoded(vs) {
+			fmt.Errorf("expected base64 in secret_binary")
+		}
+
+		var err error
+		input.SecretBinary, err = base64.StdEncoding.DecodeString(v.(string))
+
+		if err != nil {
+			return fmt.Errorf("error decoding secret binary value: %s", err)
+		}
 	}
 
 	if v, ok := d.GetOk("version_stages"); ok {
@@ -120,7 +133,7 @@ func resourceAwsSecretsManagerSecretVersionRead(d *schema.ResourceData, meta int
 
 	d.Set("secret_id", secretID)
 	d.Set("secret_string", output.SecretString)
-	d.Set("secret_binary", fmt.Sprintf("%s", output.SecretBinary))
+	d.Set("secret_binary", base64Encode(output.SecretBinary))
 	d.Set("version_id", output.VersionId)
 	d.Set("arn", output.ARN)
 

diff --git a/aws/resource_aws_secretsmanager_secret_version_test.go b/aws/resource_aws_secretsmanager_secret_version_test.go
@@ -43,7 +43,7 @@ func TestAccAwsSecretsManagerSecretVersion_BasicString(t *testing.T) {
 	})
 }
 
-func TestAccAwsSecretsManagerSecretVersion_BasicBinary(t *testing.T) {
+func TestAccAwsSecretsManagerSecretVersion_Base64Binary(t *testing.T) {
 	var version secretsmanager.GetSecretValueOutput
 	rName := acctest.RandomWithPrefix("tf-acc-test")
 	resourceName := "aws_secretsmanager_secret_version.test"
@@ -57,7 +57,7 @@ func TestAccAwsSecretsManagerSecretVersion_BasicBinary(t *testing.T) {
 				Config: testAccAwsSecretsManagerSecretVersionConfig_SecretBinary(rName),
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckAwsSecretsManagerSecretVersionExists(resourceName, &version),
-					resource.TestCheckResourceAttr(resourceName, "secret_binary", "test-binary"),
+					resource.TestCheckResourceAttr(resourceName, "secret_binary", base64Encode([]byte("test-binary"))),
 					resource.TestCheckResourceAttrSet(resourceName, "version_id"),
 					resource.TestCheckResourceAttr(resourceName, "version_stages.#", "1"),
 					resource.TestCheckResourceAttr(resourceName, "version_stages.3070137", "AWSCURRENT"),
@@ -229,7 +229,7 @@ resource "aws_secretsmanager_secret" "test" {
 
 resource "aws_secretsmanager_secret_version" "test" {
   secret_id     = "${aws_secretsmanager_secret.test.id}"
-  secret_binary = "test-binary"
+  secret_binary = "${base64encode("test-binary")}"
 }
 `, rName)
 }

diff --git a/website/docs/r/secretsmanager_secret_version.html.markdown b/website/docs/r/secretsmanager_secret_version.html.markdown
@@ -51,7 +51,7 @@ The following arguments are supported:
 
 * `secret_id` - (Required) Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.
 * `secret_string` - (Optional) Specifies text data that you want to encrypt and store in this version of the secret. This is required if secret_binary is not set.
-* `secret_binary` - (Optional) Specifies binary data that you want to encrypt and store in this version of the secret. This is required if secret_string is not set.
+* `secret_binary` - (Optional) Specifies binary data that you want to encrypt and store in this version of the secret. This is required if secret_string is not set. Needs to be encoded to base64.
 * `version_stages` - (Optional) Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that's already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label `AWSCURRENT` to this new version on creation.
 
 ~> **NOTE:** If `version_stages` is configured, you must include the `AWSCURRENT` staging label if this secret version is the only version or if the label is currently present on this secret version, otherwise Terraform will show a perpetual difference.