Secrets are being revealed by EC2 user data. Make sure that secrets are not revealed by EC2 user data: user data is not a protected channel, since any process on the instance can read it from the instance metadata service and any principal allowed to describe the instance's attributes can read it from the API, so it must not carry credentials.
resource "aws_instance" "chroma_instance" {
  ami                  = data.aws_ami.ubuntu.id
  instance_type        = var.instance_type
  key_name             = "chroma-keypair"
  security_groups      = [aws_security_group.chroma_sg.name]
  iam_instance_profile = "test"
  monitoring           = true
  ebs_optimized        = true
  tags                 = local.tags

  # Metadata requests must carry an IMDSv2 session token.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # Both volumes are encrypted at rest.
  root_block_device {
    volume_type = "gp2"
    volume_size = var.root_volume_size
    encrypted   = true
  }

  ebs_block_device {
    device_name = "/dev/xvdb"
    volume_type = "gp2"
    volume_size = var.ebs_volume_size
    encrypted   = true
  }

  # Noncompliant: Hard-coded secrets exist in EC2 user data.
  # The access key pair exported in this script is stored in plain text as the
  # instance's user data: every process on the host can read it through the
  # instance metadata service, any principal allowed to describe the instance's
  # attributes can read it through the API, and it is persisted in Terraform
  # state. Requiring IMDSv2 above does not change that. The instance profile
  # already attached to this resource makes static keys unnecessary.
  user_data = <<EOF
#! /bin/bash
sudo apt-get update
sudo apt-get install -y apache2
sudo systemctl start apache2
sudo systemctl enable apache2
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMAAA
export AWS_SECRET_ACCESS_KEY=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
export AWS_DEFAULT_REGION=us-west-2
echo "<h1>Deployed via Terraform</h1>" | sudo tee /var/www/html/index.html
EOF
}
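resource "aws_instance" "chroma_instance" {
  ami             = data.aws_ami.ubuntu.id
  instance_type   = var.instance_type
  key_name        = "chroma-keypair"
  security_groups = [aws_security_group.chroma_sg.name]

  # Metadata requests must carry an IMDSv2 session token.
  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  monitoring    = true
  ebs_optimized = true

  # Both volumes are encrypted at rest.
  ebs_block_device {
    volume_type = "gp2"
    volume_size = var.ebs_volume_size
    device_name = "/dev/xvdb"
    encrypted   = true
  }

  root_block_device {
    volume_type = "gp2"
    volume_size = var.root_volume_size
    encrypted   = true
  }

  # The instance profile is the credential source: software on the host
  # obtains short-lived role credentials from the instance metadata service,
  # so no access keys have to be written onto the instance at all.
  iam_instance_profile = "test"

  # Compliant: Hard-coded secrets don't exist in EC2 user data.
  # The bootstrap script keeps its job (install and start the web server) and
  # only the static access-key exports are gone. User data is readable by
  # every process on the instance and by any principal allowed to describe the
  # instance's attributes, so it carries configuration only, never credentials.
  user_data = <<EOF
#! /bin/bash
sudo apt-get update
sudo apt-get install -y apache2
sudo systemctl start apache2
sudo systemctl enable apache2
export AWS_DEFAULT_REGION=us-west-2
echo "<h1>Deployed via Terraform</h1>" | sudo tee /var/www/html/index.html
EOF

  tags = local.tags
}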