
An AWS EC2 instance creates a new user during its cloud-init startup process, and sets the password for that new user. Terraform is being used to trigger the creation of the new EC2 instance, which runs Amazon Linux 2. The password is being sent into the instance via a Terraform variable whose value is interpolated into the bash USERDATA script that is run by cloud-init.

The problem is that the cloud-init log file (/var/log/cloud-init-output.log) is printing out the password value in the persisted logs.

What specific syntax needs to be changed in the code below so that the password is NOT persisted in the cloud-init log file?

The line of code in the bash cloud-init userdata file that is causing this insecure log entry is currently written as:

echo "${var.vm_username}":"${var.vm_pwd}" | chpasswd  

NOTE: You can ignore the Terraform element if you simply want to consider how to obscure the password from the logs if the command were as follows:

echo myusername:mypassword | chpasswd  

The only reason this OP mentions Terraform is to point out that the password is not being persisted in the cloud-init userdata script.

CodeMed
  • provide chpasswd with an encrypted password (-e, --encrypted); some ways to do it are mentioned in the answer to my question https://unix.stackexchange.com/questions/158400/etc-shadow-how-to-generate-6-s-encrypted-password (as you are generating EC2 instances from a script, using python/shell to encrypt a string should be a trivial matter to you). – Archemar Nov 25 '20 at 17:38
  • It's not just the log, you will also find it in clear text under /var/lib/cloud/instance/scripts. Store the password encrypted in AWS Secrets Manager or EC2 Parameter Store and then fetch it using awscli from the userdata script – jordanm Nov 25 '20 at 20:57
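The following is an added example, not code from the question or from either commenter, showing the approach Archemar suggests in working form: hash the password on the Terraform side and hand only the `$6$` crypt(3) hash to `chpasswd -e`, so the plaintext never enters the user-data script. The SHA-512 crypt routine is implemented inline (it follows the scheme glibc uses for /etc/shadow and checks against the published "Hello world!"/"saltstring" test vector) so it runs on Python 3.13, where the stdlib `crypt` module was removed. The function names, the `myusername`/`mypassword` pair reused from the question, and the salt value in the test are assumptions for illustration only.

```python
"""Pre-hash the EC2 user password so only a crypt(3) hash enters cloud-init user-data.

Added example for the thread above; not part of the original question or comments.
"""
import hashlib
import secrets
import shlex

# crypt(3) output alphabet; note it is not standard base64.
CRYPT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _repeat_to(digest: bytes, length: int) -> bytes:
    """Whole 64-byte digest for each full 64-byte block of `length`, then the remainder."""
    return digest * (length // 64) + digest[: length % 64]


def sha512_crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """Return a $6$ hash as glibc crypt(3) computes it (Drepper's SHA-crypt scheme)."""
    pw, salt = password.encode(), salt[:16]          # glibc honours at most 16 salt characters
    sb = salt.encode()
    sha = hashlib.sha512
    b = sha(pw + sb + pw).digest()                   # digest B = H(password + salt + password)
    a = sha(pw + sb)                                 # digest A starts with password + salt ...
    a.update(_repeat_to(b, len(pw)))                 # ... plus one byte of B per password byte
    n = len(pw)
    while n:                                         # ... plus, per bit of len(pw): B for 1, password for 0
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = _repeat_to(sha(pw * len(pw)).digest(), len(pw))      # byte sequence P
    s = _repeat_to(sha(sb * (16 + a[0])).digest(), len(sb))  # byte sequence S
    c = a
    for i in range(rounds):                          # key-stretching loop, default 5000 rounds
        ctx = sha(p if i & 1 else c)
        if i % 3:
            ctx.update(s)
        if i % 7:
            ctx.update(p)
        ctx.update(c if i & 1 else p)
        c = ctx.digest()
    out = []

    def emit(b2: int, b1: int, b0: int, count: int) -> None:
        # 24 bits -> `count` characters, low 6 bits first (glibc's b64_from_24bit)
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(count):
            out.append(CRYPT_ALPHABET[w & 0x3F])
            w >>= 6

    for k in range(21):                              # glibc's byte order: rotated (k, k+21, k+42) triples
        t = (k, k + 21, k + 42)
        i, j, m = t[k % 3:] + t[:k % 3]
        emit(c[i], c[j], c[m], 4)
    emit(0, 0, c[63], 2)
    prefix = "$6$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return prefix + salt + "$" + "".join(out)


def make_salt(nchars: int = 16) -> str:
    """Fresh random salt from the crypt alphabet; 16 is the most glibc will use."""
    return "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(nchars))


def render_userdata(username: str, password_hash: str) -> str:
    """User-data that sets the password from its hash; the plaintext never enters the script.

    printf with single-quoted arguments is used instead of echo "...": a $6$ hash inside
    double quotes would have $6 expanded by the shell, and some echo builtins mangle
    backslashes. Shell tracing is disabled because the script's stdout and stderr are
    exactly what ends up in /var/log/cloud-init-output.log.
    """
    return "\n".join([
        "#!/bin/bash",
        "set -euo pipefail",
        "set +x   # never trace: stdout/stderr of this script are persisted by cloud-init",
        f"printf '%s:%s\\n' {shlex.quote(username)} {shlex.quote(password_hash)} | chpasswd -e",
        "",
    ])


def userdata_exposes(userdata: str, secret: str) -> bool:
    """Pre-flight check on the Terraform side: does the rendered script still carry the secret?"""
    return secret in userdata


if __name__ == "__main__":
    # Constructed inputs reusing the question's placeholder username and password.
    script = render_userdata("myusername", sha512_crypt("mypassword", make_salt()))
    print(script)
    print("plaintext leaked:", userdata_exposes(script, "mypassword"))
```

This removes the plaintext from both the log and the user-data copy under /var/lib/cloud/instance/scripts, but, as jordanm's comment points out, the hash itself is still persisted on the instance and can be attacked offline; treat it as a weaker substitute for fetching the secret at boot from Secrets Manager or SSM Parameter Store with the instance role, and in that variant keep the same `set +x` and `printf ... | chpasswd` shape so the fetched value is never echoed.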

0 Answers