Skip to content

[ Enhancement ] Private keys exposed via command-line echo in local-exec (010_prepare_config_files.tf) #428

Description

@schaluva

Affected version

Reported by customer specifically while using 1.8.1.

File

010_prepare_config_files.tf

Summary

The null_resource.generate_independent_config_files provisioner writes several private keys to disk by interpolating them directly into a local-exec command string via echo, instead of writing them via a mechanism that keeps the secret out of process arguments and provisioner logs.

# line 117
echo "${tls_private_key.ec2_ssh_key.private_key_pem}" > ${path.module}/${local.ssh_key_name}

# line 122
echo '${tls_private_key.connect_pem.private_key_pem}' > ${path.module}/assets/target/tower_config/data-studios-rsa.pem &

# lines 125-126
echo '${tls_private_key.connect_ssh_host_key.private_key_openssh}' > ${path.module}/assets/target/tower_config/connect_proxy_ssh_host_key
chmod 644 ${path.module}/assets/target/tower_config/connect_proxy_ssh_host_key

Impact

  • ps exposure — local-exec runs as a literal bash -c "" invocation. For the process's lifetime, the fully-interpolated command — including full PEM/OpenSSH private key material — is visible to any local user/process able to read ps aux or /proc//cmdline on the host running terraform apply.
  • TRACE log exposure — with TF_LOG=TRACE (or provisioner-level trace logging), Terraform logs the fully-interpolated command string, writing the private key(s) to disk in plaintext.
  • Three keys affected here: tls_private_key.ec2_ssh_key, tls_private_key.connect_pem, tls_private_key.connect_ssh_host_key.

Suggested remediation

  • Don't interpolate secrets into the local-exec command string. Options:
    • Use local_file / sensitive_content (or an equivalent write mechanism not executed as a shell command).
    • If local-exec must be used, pass secrets via the provisioner's environment block (mark the corresponding variables sensitive = true) and reference as "$ENV_VAR_NAME" in-script rather than interpolating directly.
    • Prefer writing via stdin from a file/env var (e.g. printf '%s' "$SECRET" > file) rather than embedding the literal secret in the command text.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions