# Passphrase that keys the OpenSSL encryption of the license in local.cmd.
# 32 alphanumeric characters (special = false keeps it free of shell
# metacharacters, which matters because the value is interpolated straight
# into a `bash -c` script and into local.license_params).
# NOTE(review): the random provider keeps this value in Terraform state, and
# local.license_params re-emits it in clear text — treat state and that
# output as secret.
resource "random_password" "passphrase" {
  length  = 32
  special = false
}
# 8-byte salt passed to `openssl enc -S` (as .hex) and re-encoded into the
# "Salted__" header (as .b64_std) in local.cmd. Fixing the salt here rather
# than letting OpenSSL pick one keeps the ciphertext stable across plans.
resource "random_id" "encryption_salt" {
  byte_length = 8
}
# Reads var.license from disk only when it names an existing file
# (count = 0 when var.license is used as an activation code instead).
# The sensitive variant keeps the license body out of plan output.
data "local_sensitive_file" "license_file" {
  count    = local.license_activation_code ? 0 : 1
  filename = var.license
}
locals {
  # Clear-text passphrase for the license ciphertext. It is emitted again in
  # license_params, so whatever receives license_params also receives the key.
  license_passphrase = random_password.passphrase.result
  # Base64 ciphertext produced by data.external.encrypted_license.
  encrypted_license = data.external.encrypted_license.result.cipher_text
  # var.license is treated as an activation code unless it is a path to an
  # existing file, in which case the file is read and encrypted instead.
  license_activation_code = !fileexists(var.license)
  # Raw material handed to the encryption script: the activation-code string
  # itself, or the contents read by data.local_sensitive_file.license_file.
  license_content = local.license_activation_code ? var.license : data.local_sensitive_file.license_file[0].content
  # Consumer CLI arguments: --flex for an activation code, --encLic for a
  # license file; both carry the ciphertext plus the clear-text passphrase.
  license_params = "${local.license_activation_code ? "--flex" : "--encLic"}=${local.encrypted_license} --passPhrase=${local.license_passphrase}"
}
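locals {
  # Shell program executed by data.external.encrypted_license. It encrypts
  # local.license_content with AES-256-CBC under the fixed salt and
  # passphrase above and prints the base64 ciphertext as the one-key JSON
  # object the external data source expects on stdout.
  #
  # NOTE(review): the passphrase and the license are interpolated into the
  # script text, so both appear on the `bash -c` command line and are
  # visible to anyone who can list processes while it runs. The external
  # provider can deliver `query` values as JSON on stdin instead; adopting
  # that would need a JSON parser (e.g. jq) in this script.
  #
  # NOTE(review): `-md md5` without `-pbkdf2` selects OpenSSL's legacy
  # EVP_BytesToKey derivation. It is presumably what the --encLic/--flex
  # consumer decrypts with, so change both sides together or not at all.
  #
  # Fixes over the previous version:
  #  * the license is fed through a quoted heredoc instead of echo '...',
  #    so a single quote inside the license no longer breaks the script;
  #  * `set -o pipefail` plus an explicit check make an openssl failure exit
  #    non-zero; previously an empty openssl result was silently wrapped in
  #    a "Salted__" header and passed the non-empty postcondition.
  cmd = <<EOF
set -o pipefail
cipher_text=$(openssl aes-256-cbc -S ${random_id.encryption_salt.hex} -pass pass:${random_password.passphrase.result} -md md5 <<'LICENSE_EOF' | base64 | tr -d "\n"
${local.license_content}
LICENSE_EOF
)
rc=$?
if [[ $rc -ne 0 || -z "$cipher_text" ]]; then
  echo "openssl license encryption failed (exit $rc)" >&2
  exit 1
fi
# Prepend the Salted__ header when OpenSSL omitted it (observed with OpenSSL
# 3.0.2 when -S is given). "U2FsdGVkX1" is the base64 prefix of "Salted__".
if [[ ! "$cipher_text" == "U2FsdGVkX1"* ]]; then
  cipher_text=$((echo -n "Salted__"; echo -n ${random_id.encryption_salt.b64_std} | base64 -d; echo -n "$cipher_text" | base64 -d) | base64 | tr -d "\n")
fi
printf '{"cipher_text": "%s"}\n' "$cipher_text"
EOF
}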
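# Runs local.cmd on every plan/apply and exposes the resulting ciphertext as
# result.cipher_text. Because salt and passphrase are fixed values from
# state, the output should be stable across runs for the same license.
data "external" "encrypted_license" {
  program = ["bash", "-c", local.cmd]

  # local.cmd does not read stdin, so this query is effectively unused. It is
  # the place secrets would go (delivered as JSON on stdin) if the script
  # were changed to stop taking them from its command line.
  query = {
    cipher_text = "cipher_text"
  }

  lifecycle {
    postcondition {
      # Both paths in local.cmd guarantee the base64 "Salted__" header, so
      # require it instead of merely a non-empty string; this also rejects
      # a non-empty error blob if the script's output ever changes shape.
      condition     = can(regex("^U2FsdGVkX1", self.result.cipher_text))
      error_message = "Failed to encrypt license: ciphertext is empty or lacks the OpenSSL 'Salted__' header"
    }
  }
}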