
Terraform fotd: base64sha256() and base64sha512()

Ned Bellavance

This is part of an ongoing series of posts documenting the built-in interpolation functions in Terraform. For more information, check out the beginning post. In this post I am going to cover the base64sha256() function and the base64sha512() function. Double feature! The example files are on GitHub for base64sha256 and base64sha512.

What is it?

Function name: base64sha256(string)

Returns: The base64sha256 function takes a string and creates a sha-256 hash from it in raw byte form. The raw byte form is then encoded using base64 and returned as a string value.

Example:

variable "base64sha256" {
  default = "1234"
}

# Returns A6xnQhbz4Vx2HuGl4lXwZ5U2I8iziLRFnhP5eNfIRvQ=
output "base64sha256" {
  value = "${base64sha256(var.base64sha256)}"
}

Example file:

##############################################
# Function: base64sha256
##############################################
##############################################
# Variables
##############################################
variable "base64sha256" {
  default = "So long, and thanks for all the fish!"
}

##############################################
# Resources
##############################################
##############################################
# Outputs
##############################################
output "base64sha256_output" {
  value = "${base64sha256(var.base64sha256)}"
}

output "sha256_output" {
  value = "${sha256(var.base64sha256)}"
}

output "decoded_output" {
  value = "${base64decode(base64sha256(var.base64sha256))}"
}

Run the following from the base64sha256 folder to get example output for a number of different cases:

#Start with the default variable
terraform apply

#Try submitting a string
terraform apply -var 'base64sha256="Oh freddled gruntbuggly, Thy micturations are to me, As plurdled gabbleblotchits on a lurgid bee."'

#Empty string test - sha256(string) does NOT like this!
terraform apply -var "base64sha256="

Function name: base64sha512(string)

Returns: The base64sha512 function takes a string and creates a sha-512 hash from it in raw byte form. The raw byte form is then encoded using base64 and returned as a string value.

Example:

variable "base64sha512" {
  default = "1234"
}

# Returns 1ARVn2Auq2/WAqx2gNrL+q3RNjAzXpUfCXrzkA6d4Xa22yhRLy4AC50E+6UTPoscbo31nbOoq51gvkuXzJ6B2w==
output "base64sha512" {
  value = "${base64sha512(var.base64sha512)}"
}

Example file:

##############################################
# Function: base64sha512
##############################################
##############################################
# Variables
##############################################
variable "base64sha512" {
  default = "So long, and thanks for all the fish!"
}

##############################################
# Resources
##############################################
##############################################
# Outputs
##############################################
output "base64sha512_output" {
  value = "${base64sha512(var.base64sha512)}"
}

output "sha512_output" {
  value = "${sha512(var.base64sha512)}"
}

output "decoded_output" {
  value = "${base64decode(base64sha512(var.base64sha512))}"
}

Run the following from the base64sha512 folder to get example output for a number of different cases:

#Start with the default variable
terraform apply

#Try submitting a string
terraform apply -var 'base64sha512="Oh freddled gruntbuggly, Thy micturations are to me, As plurdled gabbleblotchits on a lurgid bee."'

#Empty string test
terraform apply -var "base64sha512="

Why use it?

SHA-256 and SHA-512 hashes are often used to validate passwords or ensure that files haven’t been tampered with. I couldn’t find a provider that would require either of these functions explicitly, so if you know of one please let me know and I’ll add it to the examples. I can envision using this with the HTTP or External provider to get information and validate it.

Lessons learned

According to the documentation, the base64sha256 and base64sha512 functions are not equivalent to running base64encode(sha256(string)) or base64encode(sha512(string)), since both sha256() and sha512() return a hexadecimal string and not the raw bytes that are encoded in these functions. I added an output that decodes the string to show what the bytes look like. It’s, well, it’s not pretty. I also learned that the base64sha256 function does not like being fed an empty string. The configuration will hang on that output till you cancel it.
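The difference between the two encodings, worked through in Python as an added example (not code from the original post or from Terraform). It reproduces both forms for the "1234" input used earlier and shows how a digest published in either hex or base64-of-raw-bytes form can be normalized before comparison; all function names are hypothetical.

```python
import base64
import hashlib
import hmac


def tf_base64sha(text, algo="sha256"):
    """Same result as base64sha256()/base64sha512(): base64 of the raw digest."""
    raw = hashlib.new(algo, text.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def base64_of_hex(text, algo="sha256"):
    """Same result as base64encode(sha256(...)): base64 of the hex text."""
    hex_text = hashlib.new(algo, text.encode("utf-8")).hexdigest()
    return base64.b64encode(hex_text.encode("ascii")).decode("ascii")


def to_raw_digest(published, algo="sha256"):
    """Normalize a published digest (hex, or base64 of raw bytes) to bytes."""
    size = hashlib.new(algo).digest_size
    try:
        if len(published) == 2 * size:
            raw = bytes.fromhex(published)
        else:
            raw = base64.b64decode(published, validate=True)
    except ValueError as exc:
        raise ValueError("not a hex or base64 digest") from exc
    if len(raw) != size:
        # base64 of the hex text lands here: it decodes to 2 * size bytes
        raise ValueError(f"decoded to {len(raw)} bytes, expected {size}")
    return raw


def digest_matches(text, published, algo="sha256"):
    """Constant-time check of text's digest against a published value."""
    try:
        expected = to_raw_digest(published, algo)
    except ValueError:
        return False
    actual = hashlib.new(algo, text.encode("utf-8")).digest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    sample = "1234"  # default value from the post's first example
    print("raw digest, base64:", tf_base64sha(sample))
    print("hex text, base64:  ", base64_of_hex(sample))
    print("hex form accepted: ", digest_matches(sample, hashlib.sha256(b"1234").hexdigest()))
    print("mixed-up form:     ", digest_matches(sample, base64_of_hex(sample)))
```

For SHA-256 the raw-digest form is 44 characters and the base64-of-hex form is 88, so a length check alone catches the mix-up before any comparison is made.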

Finally we are done with the base64 functions. Hooray! Coming up next is bcrypt(password, cost). I have no idea what bcrypt does, so exciting times are ahead.