Skip to content

Secrets Terraform Recipe double encodes key value when encoding is string #53

Open
Open
Secrets Terraform Recipe double encodes key value when encoding is string#53
Labels
triagedThis item has been triaged by project maintainers and is in the backlog
@zachcasper

Description

@zachcasper
zachcasper
opened on Sep 18, 2025

Steps to reproduce

Deploy a secret using the Secrets Terraform Recipe with a key whose encoding property is set to string. For example:

resource testSecret 'Radius.Security/secrets@2025-08-01-preview' = {
  name: 'testsecret'
  properties: {
    environment: environment
    application: testApp.id
    data: {
      stringData: {
        value: 'this is a string'
      }
    }
  }
}
  1. After deployment, run these commands:
$ kubectl get secret testsecret -n dev-testapp -o jsonpath={.data.stringData}                   
ZEdocGN5QnBjeUJoSUhOMGNtbHVadz09

$ kubectl get secret testsecret -n dev-testapp -o jsonpath={.data.stringData} | base64 --decode
dGhpcyBpcyBhIHN0cmluZw==

$ kubectl get secret testsecret -n dev-testapp -o jsonpath={.data.stringData} | base64 --decode | base64 --decode
this is a string

Observed behavior

When a secret is deployed with a key whose encoding property is string, the value is base64 encoded twice. This results in an incorrect value being stored in the Kubernetes Secret, which is not the original string the user provided.

For example, the value in the secret is:

ZEdocGN5QnBjeUJoSUhOMGNtbHVadz09

Decoding once yields:

dGhpcyBpcyBhIHN0cmluZw==

Decoding twice yields:

this is a string

The expected result is the last output which returns 'this is a string'.

Desired behavior

When the encoding property is string, the value should only be encoded once so that the resulting value in the Kubernetes Secret matches the original input string. The expected result is to get the original string value when decoding once, not twice.

Workaround

No current workaround except to avoid using the string encoding for now and use raw/base64 instead if possible.

rad Version

CLI Version Information:
RELEASE VERSION BICEP COMMIT
edge 88f5941 0.37.4 88f5941567333e5a63484c2f61e4e62610a3cc0f

Control Plane Information:
STATUS VERSION
Installed edge

Operating system

Mac OS 15.6.1

Additional context

This issue applies to the Terraform recipe at Security/secrets/recipes/kubernetes/terraform.
View the current Terraform recipe code here: https://github.com/radius-project/resource-types-contrib/tree/main/Security/secrets/recipes/kubernetes/terraform

The problem appears to be that the value is base64 encoded twice when encoding is set to string.

Would you like to support us?

  • Yes, I would like to support you

AB#17117

Metadata

Metadata

Assignees

No one assigned

    Labels

    triagedThis item has been triaged by project maintainers and is in the backlog

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions