Make additional_unattend_config.content sensitive to hide AutoLogon Password #1471

StefanScherer
Contributor

Creating Windows VMs in Azure RM sometimes needs the AutoLogon feature. Terraform currently shows the password in the console output. This PR hides sensitive information by setting the content to Sensitive: true.

Input os_profile_windows_config

  os_profile_windows_config {
    provision_vm_agent        = true
    enable_automatic_upgrades = true

    additional_unattend_config {
      pass         = "oobeSystem"
      component    = "Microsoft-Windows-Shell-Setup"
      setting_name = "AutoLogon"
      content      = "<AutoLogon><Password><Value>${var.admin_password[count.index]}</Value></Password><Enabled>true</Enabled><LogonCount>1</LogonCount><Username>${var.admin_username}</Username></AutoLogon>"
    }

    additional_unattend_config {
      pass         = "oobeSystem"
      component    = "Microsoft-Windows-Shell-Setup"
      setting_name = "FirstLogonCommands"
      content      = "${file("./FirstLogonCommands.xml")}"
    }
  }

Before:

The admin_password is hidden as sensitive, but the additional_unattend_config.0.content shows the plaintext Password1234!.

  os_profile.#:                                                                   "" => "1"
  os_profile.3976634070.admin_password:                                           "<sensitive>" => "<sensitive>"
  os_profile.3976634070.admin_username:                                           "" => "training"
  os_profile.3976634070.computer_name:                                            "" => "ba-01"
  os_profile.3976634070.custom_data:                                              "" => "c81bdf1953fd9d0c6788387f9c148de62396cd24"
  os_profile_windows_config.#:                                                    "" => "1"
  os_profile_windows_config.1060902566.additional_unattend_config.#:              "" => "2"
  os_profile_windows_config.1060902566.additional_unattend_config.0.component:    "" => "Microsoft-Windows-Shell-Setup"
  os_profile_windows_config.1060902566.additional_unattend_config.0.content:      "" => "<AutoLogon><Password><Value>Password1234!</Value></Password><Enabled>true</Enabled><LogonCount>1</LogonCount><Username>training</Username></AutoLogon>"
  os_profile_windows_config.1060902566.additional_unattend_config.0.pass:         "" => "oobeSystem"
  os_profile_windows_config.1060902566.additional_unattend_config.0.setting_name: "" => "AutoLogon"
  os_profile_windows_config.1060902566.additional_unattend_config.1.component:    "" => "Microsoft-Windows-Shell-Setup"
  os_profile_windows_config.1060902566.additional_unattend_config.1.content:      "" => "<FirstLogonCommands>\n    <SynchronousCommand>\n        <CommandLine>cmd /c \"copy C:\\AzureData\\CustomData.bin C:\\provision.ps1\"</CommandLine\n        ><Description>CopyScript</Description>\n        <Order>11</Order>\n    </SynchronousCommand>\n    <SynchronousCommand>\n        <CommandLine>powershell.exe -sta -ExecutionPolicy Unrestricted -file C:\\provision.ps1</CommandLine\n        ><Description>RunScript</Description>\n        <Order>12</Order>\n    </SynchronousCommand>\n</FirstLogonCommands>\n"
  os_profile_windows_config.1060902566.additional_unattend_config.1.pass:         "" => "oobeSystem"
  os_profile_windows_config.1060902566.additional_unattend_config.1.setting_name: "" => "FirstLogonCommands"
  os_profile_windows_config.1060902566.enable_automatic_upgrades:                 "" => "true"
  os_profile_windows_config.1060902566.provision_vm_agent:                        "" => "true"
  os_profile_windows_config.1060902566.winrm.#:                                   "" => "0"

After:

      os_profile.#:                                                                   "1"
      os_profile.3324759317.admin_password:                                           <sensitive>
      os_profile.3324759317.admin_username:                                           "training"
      os_profile.3324759317.computer_name:                                            "ba-02"
      os_profile.3324759317.custom_data:                                              "565bed3819b6aee3742f0232403bc458e5e5534d"
      os_profile_windows_config.#:                                                    "1"
      os_profile_windows_config.1060902566.additional_unattend_config.#:              "2"
      os_profile_windows_config.1060902566.additional_unattend_config.0.component:    "Microsoft-Windows-Shell-Setup"
      os_profile_windows_config.1060902566.additional_unattend_config.0.content:      <sensitive>
      os_profile_windows_config.1060902566.additional_unattend_config.0.pass:         "oobeSystem"
      os_profile_windows_config.1060902566.additional_unattend_config.0.setting_name: "AutoLogon"
      os_profile_windows_config.1060902566.additional_unattend_config.1.component:    "Microsoft-Windows-Shell-Setup"
      os_profile_windows_config.1060902566.additional_unattend_config.1.content:      <sensitive>
      os_profile_windows_config.1060902566.additional_unattend_config.1.pass:         "oobeSystem"
      os_profile_windows_config.1060902566.additional_unattend_config.1.setting_name: "FirstLogonCommands"
      os_profile_windows_config.1060902566.enable_automatic_upgrades:                 "true"
      os_profile_windows_config.1060902566.provision_vm_agent:                        "true"
      os_profile_windows_config.1060902566.winrm.#:                                   "0"

PS: Thanks for the Terraform workshop in Amsterdam this week.

@StefanScherer
Contributor Author

One example to use Terraform without leaking credentials in stdout is my setup to spin up a couple of VMs for a workshop: https://circleci.com/workflow-run/378e60f8-9287-4b79-a9f4-0ece98532a7e
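
A guard for CI logs of the kind discussed in this PR, as an added example that is not part of the PR or the provider's code: it scans plan/apply output in the legacy format shown above and flags any additional_unattend_config content attribute rendered in clear text rather than as <sensitive>. The sample output, its ids and the password value are constructed; ScanPlan and Finding are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample in the legacy plan/apply output format shown in this PR.
const samplePlan = `  os_profile.1.admin_password:  "<sensitive>" => "<sensitive>"
  os_profile_windows_config.1.additional_unattend_config.0.content:  "" => "<AutoLogon><Password><Value>Example-Not-Real</Value></Password><Enabled>true</Enabled></AutoLogon>"
  os_profile_windows_config.1.additional_unattend_config.0.pass:  "" => "oobeSystem"
  os_profile_windows_config.1.additional_unattend_config.1.content:  <sensitive>
`

// attrLine splits "  some.attribute.path:   value" into path and value.
var attrLine = regexp.MustCompile(`^\s*([\w.#-]+):\s+(.*)$`)

// Finding records an unattend content attribute whose value was printed.
type Finding struct {
	Line int
	Attr string
}

// ScanPlan reports additional_unattend_config content attributes that are
// printed in clear text instead of the <sensitive> placeholder.
func ScanPlan(output string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(output))
	for n := 1; sc.Scan(); n++ {
		m := attrLine.FindStringSubmatch(sc.Text())
		if m == nil || !strings.Contains(m[1], "additional_unattend_config.") ||
			!strings.HasSuffix(m[1], ".content") {
			continue
		}
		// Drop every placeholder, then quotes and the "=>" arrow; anything left is real data.
		rest := strings.ReplaceAll(m[2], "<sensitive>", "")
		if strings.Trim(rest, `"=> `) != "" {
			findings = append(findings, Finding{Line: n, Attr: m[1]})
		}
	}
	return findings
}

func main() {
	for _, f := range ScanPlan(samplePlan) {
		fmt.Printf("line %d: %s is printed in clear text\n", f.Line, f.Attr)
	}
}
```

The finding carries only the line number and attribute path, so the report itself never repeats the exposed value.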

@tombuildsstuff tombuildsstuff added this to the 1.9.0 milestone Jul 2, 2018
@tombuildsstuff tombuildsstuff added the service/vmss Virtual Machine Scale Sets label Jul 2, 2018
Contributor

@tombuildsstuff tombuildsstuff left a comment

LGTM - thanks for this! 👍

@tombuildsstuff tombuildsstuff merged commit 8e05e9d into hashicorp:master Jul 2, 2018
tombuildsstuff added a commit that referenced this pull request Jul 2, 2018
@StefanScherer StefanScherer deleted the make-additional_unattend_config-content-sensitive branch July 2, 2018 05:16
@ghost

ghost commented Mar 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 30, 2020