azure-machine-sensitive-data

Ensure that no sensitive credentials are exposed in VM custom_data

You may need to inject a script or other metadata into a Microsoft Azure virtual machine at provisioning time. This is commonly done by executing a "user data" or "custom data" script during the machine startup process. Custom data is only base64-encoded, not encrypted, and is readable by anyone who can view the virtual machine's configuration. If these startup scripts require SSL certificates, private keys or passwords, then these should be obtained from Key Vault at boot time instead of being stored in plain text within the virtual machine configuration.

Examples

Insecure Example

locals {
  # The private key is embedded in plain text; it ends up in the VM's
  # custom_data and is exposed to anyone who can read the VM configuration.
  custom_data = <<-EOB
    #!/bin/bash
    cat <<EOF >/etc/ssl/my.key
    -----BEGIN RSA PRIVATE KEY-----
    MIIBOQIBAAJBAIOLepgdqXrM07O4dV/nJ5gSA12jcjBeBXK5mZO7Gc778HuvhJi+
    RvqhSi82EuN9sHPx1iQqaCuXuS1vpuqvYiUCAwEAAQJATRDbCuFd2EbFxGXNxhjL
    loj/Fc3a6UE8GeFoeydDUIJjWifbCAQsptSPIT5vhcudZgWEMDSXrIn79nXvyPy5
    BQIhAPU+XwrLGy0Hd4Roug+9IRMrlu0gtSvTJRWQ/b7m0fbfAiEAiVB7bUMynZf4
    SwVJ8NAF4AikBmYxOJPUxnPjEp8D23sCIA3ZcNqWL7myQ0CZ/W/oGVcQzhwkDbck
    3GJEZuAB/vd3AiASmnvOZs9BuKgkCdhlrtlM6/7E+y1p++VU6bh2+mI8ZwIgf4Qh
    u+zYCJfIjtJJpH1lHZW+A60iThKtezaCk7FiAC4=
    -----END RSA PRIVATE KEY-----
    EOF
  EOB
}

resource "azurerm_linux_virtual_machine" "cloudinit" {
  name                = "cloudinit-machine"
  resource_group_name = azurerm_resource_group.cloudinit.name
  location            = azurerm_resource_group.cloudinit.location
  size                = "Standard_B1s"
  admin_username      = "cloudinit"
  admin_password      = "HKKRoD24XLBzxdD"

  custom_data = base64encode(local.custom_data)
  # Abbreviated
}
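Secure Example

The following is an added example, not part of the original policy page or the Checkov project: the boot script fetches the private key from Key Vault through a managed identity, so custom_data carries only the secret's URL and the identity's client id. It assumes an existing vault named "example-kv" that uses the Azure RBAC permission model, a secret named "tls-private-key" managed outside Terraform, an image with curl and python3 available, and an SSH public key at "~/.ssh/id_rsa.pub"; all of these are placeholders.

```hcl
variable "secret_name" {
  description = "Key Vault secret holding the TLS private key (assumed name)"
  type        = string
  default     = "tls-private-key"
}

# Existing vault looked up by name (placeholder). Terraform never reads the
# secret value, so it stays out of the VM configuration and the state file.
data "azurerm_key_vault" "kv" {
  name                = "example-kv"
  resource_group_name = azurerm_resource_group.cloudinit.name
}

# A user-assigned identity can be granted access before the VM exists,
# so the permission is already in place when the boot script runs.
resource "azurerm_user_assigned_identity" "vm" {
  name                = "cloudinit-machine-identity"
  resource_group_name = azurerm_resource_group.cloudinit.name
  location            = azurerm_resource_group.cloudinit.location
}

# Requires the vault to use Azure RBAC (enable_rbac_authorization = true).
resource "azurerm_role_assignment" "vm_secrets_user" {
  scope                = data.azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.vm.principal_id
}

locals {
  # Versionless URL: the VM always fetches the current secret version.
  secret_url = "${data.azurerm_key_vault.kv.vault_uri}secrets/${var.secret_name}/?api-version=7.4"

  # Only the two ${...} expressions below are Terraform interpolations;
  # plain $VAR references are left untouched for bash.
  custom_data = <<-EOB
    #!/bin/bash
    set -euo pipefail
    IMDS='http://169.254.169.254/metadata/identity/oauth2/token'
    QUERY='api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net&client_id=${azurerm_user_assigned_identity.vm.client_id}'
    # IMDS and the role assignment can take a moment to become effective on first boot, so retry.
    TOKEN=''
    for attempt in 1 2 3 4 5 6 7 8 9 10; do
      TOKEN=$(curl -sf -H 'Metadata: true' "$IMDS?$QUERY" \
        | python3 -c 'import json,sys; print(json.load(sys.stdin)["access_token"])') && break
      sleep 10
    done
    [ -n "$TOKEN" ] || { echo 'could not obtain a managed identity token' >&2; exit 1; }
    # Write the key with owner-only permissions; it never appears in the VM configuration.
    umask 077
    curl -sf -H "Authorization: Bearer $TOKEN" '${local.secret_url}' \
      | python3 -c 'import json,sys; print(json.load(sys.stdin)["value"])' > /etc/ssl/my.key
  EOB
}

resource "azurerm_linux_virtual_machine" "cloudinit_kv" {
  name                = "cloudinit-machine"
  resource_group_name = azurerm_resource_group.cloudinit.name
  location            = azurerm_resource_group.cloudinit.location
  size                = "Standard_B1s"
  admin_username      = "cloudinit"

  # SSH key instead of a plaintext admin_password (placeholder path).
  admin_ssh_key {
    username   = "cloudinit"
    public_key = file("~/.ssh/id_rsa.pub")
  }

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.vm.id]
  }

  custom_data = base64encode(local.custom_data)
  depends_on  = [azurerm_role_assignment.vm_secrets_user]
  # Abbreviated
}
```

The retry loop matters in practice: on the very first boot the token endpoint or the freshly created role assignment may not yet be effective, and without it the script would fail before the key is written. If the vault uses access policies rather than Azure RBAC, replace the role assignment with an azurerm_key_vault_access_policy granting the identity "Get" on secrets.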

More information