
Terraform sha1(), sha256() and sha512()

Ned Bellavance
3 min read


This is part of an ongoing series of posts documenting the built-in interpolation functions in Terraform. For more information, check out the beginning post. In this post I am going to cover the sha1(), sha256(), and sha512() functions. The example file is on GitHub here.

What is it?

Function names: sha1(string) sha256(string) sha512(string)

Returns: Each function takes a string and returns the hash of that string in hexadecimal form, using the algorithm named by the function (SHA-1, SHA-256, or SHA-512).

Example:

# Returns 92cfceb39d57d914ed8b14d0e37643de0797ae56
output "sha1_output" {
  value = "${sha1("42")}"
}

Example file:

##############################################
# Function: sha1, sha256, sha512
##############################################
##############################################
# Variables
##############################################
variable "string" {
  default = "So long, and thanks for all the fish!"
}

##############################################
# Resources
##############################################
##############################################
# Outputs
##############################################
output "sha1_output" {
  value = "${sha1(var.string)}"
}

output "sha256_output" {
  value = "${sha256(var.string)}"
}

output "sha512_output" {
  value = "${sha512(var.string)}"
}

Run the following from the sha folder to get example output for a number of different cases:

#Start with the default variable
terraform apply

#Try submitting a string
terraform apply -var 'string="Oh freddled gruntbuggly, Thy micturations are to me, As plurdled gabbleblotchits on a lurgid bee."'

#Empty string test
terraform apply -var "string="

Why use it?

You use it to generate a SHA hash of some kind. There are some resources that require a SHA-1 or SHA-2 hash of a string or file. That hash would be compared to a value held by the resource to confirm validity. Usually this is for submitting a secret or password that the other side knows the hash of. That way you don’t have to send the sensitive data in the clear.

Lessons Learned

Don’t use sha1() unless you have to. SHA-1 is not considered secure. I realize the function had to be in there for backwards compatibility, but if your resource or data source is using SHA-1, then it’s probably time to question whether you really want to use that resource. All three functions behave the same way, no surprise there. sha256() used to choke on an empty string, as I found out when doing the base64sha256 post, but it would appear that bug has been fixed in the most recent versions of Terraform. Speaking of those functions, it’s important to remember that the sha functions all return a hexadecimal representation of the hash, not its raw form. The base64sha256 and base64sha512 functions take the raw output of the sha hash and base64 encode it. You will not get the same output if you run base64encode on the output of one of the sha functions. Terraform’s docs have that in bold, so I figured I’d mention it too.
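To make the two points above concrete (comparing a computed hash against a value the other side already holds, and hex output versus the raw digest that base64sha256/base64sha512 encode), here is an added Python example that reproduces what the Terraform functions compute. It is not part of the original post or of Terraform itself; the function names and the constant-time comparison helper are my own, and the sample strings are the ones from the example file.

```python
import base64
import hashlib
import hmac

# Constructed sample input: the default value of var.string in the example file.
DEFAULT_STRING = "So long, and thanks for all the fish!"


def sha_hex(data: str, algo: str = "sha256") -> str:
    """Equivalent of Terraform's sha1()/sha256()/sha512():
    hex encoding of the digest of the UTF-8 bytes of the string."""
    return hashlib.new(algo, data.encode("utf-8")).hexdigest()


def base64sha(data: str, algo: str = "sha256") -> str:
    """Equivalent of base64sha256()/base64sha512():
    base64 of the RAW digest bytes, not of the hex string."""
    raw = hashlib.new(algo, data.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def base64_of_hex(data: str, algo: str = "sha256") -> str:
    """The pitfall the docs warn about: base64encode() applied to the
    hex output of sha256(). This is NOT the same as base64sha256()."""
    return base64.b64encode(sha_hex(data, algo).encode("ascii")).decode("ascii")


def hex_lengths(data: str) -> dict:
    """Hex digest lengths per algorithm (20, 32 and 64 raw bytes doubled)."""
    return {algo: len(sha_hex(data, algo)) for algo in ("sha1", "sha256", "sha512")}


def matches_known_hash(data: str, expected_hex: str, algo: str = "sha256") -> bool:
    """The 'compare to a value the resource holds' use case. The comparison is
    constant-time so a mismatch does not leak how many leading characters matched.
    Helper is an assumption of this example, not a Terraform function."""
    return hmac.compare_digest(sha_hex(data, algo), expected_hex.lower())


if __name__ == "__main__":
    for algo in ("sha1", "sha256", "sha512"):
        print(f"{algo}({DEFAULT_STRING!r}) = {sha_hex(DEFAULT_STRING, algo)}")
    print("base64sha256 =", base64sha(DEFAULT_STRING))
    print("base64encode(sha256(...)) =", base64_of_hex(DEFAULT_STRING))
    # Empty-string case mentioned in the post: every algorithm still produces a digest.
    print("sha256('') =", sha_hex("", "sha256"))
```

Running it shows the two base64 strings differ in both content and length: the raw SHA-256 digest base64-encodes to 44 characters, while the 64-character hex string base64-encodes to 88. If a resource expects a base64sha256 value, feeding it base64encode(sha256(...)) will never validate.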

Coming up next is the signum() function.