Affected version
Reported by customer specifically while using 1.8.1.
File
010_prepare_config_files.tf
Summary
The null_resource.generate_independent_config_files provisioner writes several private keys to disk by interpolating them directly into a local-exec command string via echo, instead of writing them via a mechanism that keeps the secret out of process arguments and provisioner logs.
# line 117
echo "${tls_private_key.ec2_ssh_key.private_key_pem}" > ${path.module}/${local.ssh_key_name}
# line 122
echo '${tls_private_key.connect_pem.private_key_pem}' > ${path.module}/assets/target/tower_config/data-studios-rsa.pem &
# lines 125-126
echo '${tls_private_key.connect_ssh_host_key.private_key_openssh}' > ${path.module}/assets/target/tower_config/connect_proxy_ssh_host_key
chmod 644 ${path.module}/assets/target/tower_config/connect_proxy_ssh_host_key
Impact
- ps exposure — local-exec runs as a literal bash -c "" invocation. For the process's lifetime, the fully-interpolated command — including full PEM/OpenSSH private key material — is visible to any local user/process able to read ps aux or /proc//cmdline on the host running terraform apply.
- TRACE log exposure — with TF_LOG=TRACE (or provisioner-level trace logging), Terraform logs the fully-interpolated command string, writing the private key(s) to disk in plaintext.
- Three keys affected here: tls_private_key.ec2_ssh_key, tls_private_key.connect_pem, tls_private_key.connect_ssh_host_key.
Suggested remediation
- Don't interpolate secrets into the local-exec command string. Options:
- Use local_file / sensitive_content (or an equivalent write mechanism not executed as a shell command).
- If local-exec must be used, pass secrets via the provisioner's environment block (mark the corresponding variables sensitive = true) and reference as "$ENV_VAR_NAME" in-script rather than interpolating directly.
- Prefer writing via stdin from a file/env var (e.g. printf '%s' "$SECRET" > file) rather than embedding the literal secret in the command text.
Affected version
Reported by customer specifically while using 1.8.1.
File
010_prepare_config_files.tfSummary
The
null_resource.generate_independent_config_filesprovisioner writes several private keys to disk by interpolating them directly into alocal-execcommand string viaecho, instead of writing them via a mechanism that keeps the secret out of process arguments and provisioner logs.Impact
Suggested remediation