newrelic_synthetics_private_location data source returning masked keys about terraform-provider-newrelic HOT 4 CLOSED

Hi @ttangsv - thanks for the feedback. We comprehend with what you've mentioned - however, owing to a broader context of security measures being implemented, this would continue to be the case with the key of the private location. We're looking into opening a conversation with them to understand the decision better or to see if this can be reconsidered, so we can provide better context, however, this would take us time as we're juggling a couple of other issues at the moment. We shall keep you posted on this once we have an update. Thank you for understanding.

from terraform-provider-newrelic.

Hi @ttangsv, this shall continue to be the case with keys returned by Private Locations, as I've mentioned in my previous comment. We learn from Synthetics that the key would continue to be treated a sensitive field, to prevent any unauthorized use that can be led to with the key. I shall be closing this issue. Thank you for understanding.

from terraform-provider-newrelic.

Hi @ttangsv, thank you for reporting this issue. I've been working on identifying why the private location resource and data source have been returning masked keys since the recent past, while they were being returned them without any obfuscation earlier - and have discovered that it is an alteration of the backing NerdGraph API query that has led to this behaviour.

Owing to a recent security consideration made by New Relic Synthetics, it was inferred that the NerdGraph API is expected to return the key of a private location in a masked format, and this change was made - as a result of which this behaviour is seen with the private location data source and resource in the Terraform Provider, which rely on the aforementioned NerdGraph query. Upon having a word with them, we obtain that this would continue to be the case, so we would probably not be able to return the key in an unmasked format, prior to how this functioned earlier. Thank you for identifying this behaviour and letting us know about this.

from terraform-provider-newrelic.

Thank you @pranav-new-relic - I think this is an unnecessary security measure that makes automation difficult. We have automation that relies on retrieving private location keys via Terraform. The key is also stored in Hashicorp Vault through Terraform as you can see from my example above. We also automated the configuration of synthetic job manager to retrieve the key from Vault. During such process, the key is never exposed to human. This key is for PRIVATE locations which should be managed by New Relic customers. I don't understand why New Relic is taking such security measure to mask such important information from its customers. I am probably biased here and I may not see the big picture your Synthetics team sees in terms of security, but I hope they can see my use case and reconsider the decision.

from terraform-provider-newrelic.