--- title: CVM instance using user data description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > CVM instance using user data --- # CVM instance using user data {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-tencentcloud-cvm-instance-using-user-data` **Provider:** TencentCloud **Platform:** Terraform **Severity:** Low **Category:** Access Control #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/tencentcloudstack/tencentcloud/latest/docs/resources/instance#user_data) ### Description{% #description %} CVM instances must use roles to obtain required permissions rather than embedding API credentials in instance configuration. This rule detects API secret keys in the `user_data` or `user_data_raw` fields of `tencentcloud_instance` resources. Embedding secrets in user data is insecure. Instead, assign permissions using the `cam_role_name` attribute. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform data "tencentcloud_images" "my_favorite_image" { image_type = ["PUBLIC_IMAGE"] image_name_regex = "Final" } data "tencentcloud_instance_types" "my_favorite_instance_types" { filter { name = "instance-family" values = ["S1", "S2", "S3", "S4", "S5"] } cpu_core_count = 2 exclude_sold_out = true } data "tencentcloud_availability_zones" "my_favorite_zones" {} resource "tencentcloud_vpc" "app" { cidr_block = "10.0.0.0/16" name = "awesome_app_vpc" } resource "tencentcloud_subnet" "app" { vpc_id = tencentcloud_vpc.app.id availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name name = "awesome_app_subnet" cidr_block = "10.0.1.0/24" } resource "tencentcloud_instance" "cvm_postpaid" { instance_name = "cvm_postpaid" availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type system_disk_type = "CLOUD_PREMIUM" system_disk_size = 50 hostname = "user" project_id = 0 vpc_id = tencentcloud_vpc.app.id subnet_id = tencentcloud_subnet.app.id data_disks { data_disk_type = "CLOUD_PREMIUM" data_disk_size = 50 encrypt = false } tags = { tagKey = "tagValue" } } ``` ```terraform data "tencentcloud_images" "my_favorite_image" { image_type = ["PUBLIC_IMAGE"] image_name_regex = "Final" } data "tencentcloud_instance_types" "my_favorite_instance_types" { filter { name = "instance-family" values = ["S1", "S2", "S3", "S4", "S5"] } cpu_core_count = 2 exclude_sold_out = true } data "tencentcloud_availability_zones" "my_favorite_zones" {} resource "tencentcloud_vpc" "app" { cidr_block = "10.0.0.0/16" name = "awesome_app_vpc" } resource "tencentcloud_subnet" "app" { vpc_id = tencentcloud_vpc.app.id availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name name = "awesome_app_subnet" cidr_block = "10.0.1.0/24" } resource "tencentcloud_instance" "cvm_postpaid" { instance_name = "cvm_postpaid" availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type system_disk_type = "CLOUD_PREMIUM" system_disk_size = 50 hostname = "user" project_id = 0 vpc_id = tencentcloud_vpc.app.id subnet_id = tencentcloud_subnet.app.id user_data = base64encode("this is test value") data_disks { data_disk_type = "CLOUD_PREMIUM" data_disk_size = 50 encrypt = false } tags = { tagKey = "tagValue" } } ``` ```terraform data "tencentcloud_images" "my_favorite_image" { image_type = ["PUBLIC_IMAGE"] image_name_regex = "Final" } data "tencentcloud_instance_types" "my_favorite_instance_types" { filter { name = "instance-family" values = ["S1", "S2", "S3", "S4", "S5"] } cpu_core_count = 2 exclude_sold_out = true } data "tencentcloud_availability_zones" "my_favorite_zones" {} resource "tencentcloud_vpc" "app" { cidr_block = "10.0.0.0/16" name = "awesome_app_vpc" } resource "tencentcloud_subnet" "app" { vpc_id = tencentcloud_vpc.app.id availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name name = "awesome_app_subnet" cidr_block = "10.0.1.0/24" } resource "tencentcloud_instance" "cvm_postpaid" { instance_name = "cvm_postpaid" availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type system_disk_type = "CLOUD_PREMIUM" system_disk_size = 50 hostname = "user" project_id = 0 vpc_id = tencentcloud_vpc.app.id subnet_id = tencentcloud_subnet.app.id user_data_raw = "this is test value" data_disks { data_disk_type = "CLOUD_PREMIUM" data_disk_size = 50 encrypt = false } tags = { tagKey = "tagValue" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform data "tencentcloud_images" "my_favorite_image" { image_type = ["PUBLIC_IMAGE"] image_name_regex = "Final" } data "tencentcloud_instance_types" "my_favorite_instance_types" { filter { name = "instance-family" values = ["S1", "S2", "S3", "S4", "S5"] } cpu_core_count = 2 exclude_sold_out = true } data "tencentcloud_availability_zones" "my_favorite_zones" {} resource "tencentcloud_vpc" "app" { cidr_block = "10.0.0.0/16" name = "awesome_app_vpc" } resource "tencentcloud_subnet" "app" { vpc_id = tencentcloud_vpc.app.id availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name name = "awesome_app_subnet" cidr_block = "10.0.1.0/24" } resource "tencentcloud_instance" "cvm_postpaid" { instance_name = "cvm_postpaid" availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type system_disk_type = "CLOUD_PREMIUM" system_disk_size = 50 hostname = "user" project_id = 0 vpc_id = tencentcloud_vpc.app.id subnet_id = tencentcloud_subnet.app.id user_data = base64encode("apt-get install -y tccli; export TENCENTCLOUD_SECRET_ID=your_access_key_id_here; export TENCENTCLOUD_SECRET_KEY=your_secret_access_key_here") data_disks { data_disk_type = "CLOUD_PREMIUM" data_disk_size = 50 encrypt = false } tags = { tagKey = "tagValue" } } ``` ```terraform data "tencentcloud_images" "my_favorite_image" { image_type = ["PUBLIC_IMAGE"] image_name_regex = "Final" } data "tencentcloud_instance_types" "my_favorite_instance_types" { filter { name = "instance-family" values = ["S1", "S2", "S3", "S4", "S5"] } cpu_core_count = 2 exclude_sold_out = true } data "tencentcloud_availability_zones" "my_favorite_zones" {} resource "tencentcloud_vpc" "app" { cidr_block = "10.0.0.0/16" name = "awesome_app_vpc" } resource "tencentcloud_subnet" "app" { vpc_id = tencentcloud_vpc.app.id availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name name = "awesome_app_subnet" cidr_block = "10.0.1.0/24" } resource "tencentcloud_instance" "cvm_postpaid" { instance_name = "cvm_postpaid" availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type system_disk_type = "CLOUD_PREMIUM" system_disk_size = 50 hostname = "user" project_id = 0 vpc_id = tencentcloud_vpc.app.id subnet_id = tencentcloud_subnet.app.id user_data_raw = "apt-get install -y tccli; export TENCENTCLOUD_SECRET_ID=your_access_key_id_here; export TENCENTCLOUD_SECRET_KEY=your_secret_access_key_here" data_disks { data_disk_type = "CLOUD_PREMIUM" data_disk_size = 50 encrypt = false } tags = { tagKey = "tagValue" } } ``` ```terraform data "tencentcloud_images" "my_favorite_image" { image_type = ["PUBLIC_IMAGE"] image_name_regex = "Final" } data "tencentcloud_instance_types" "my_favorite_instance_types" { filter { name = "instance-family" values = ["S1", "S2", "S3", "S4", "S5"] } cpu_core_count = 2 exclude_sold_out = true } data "tencentcloud_availability_zones" "my_favorite_zones" {} resource "tencentcloud_vpc" "app" { cidr_block = "10.0.0.0/16" name = "awesome_app_vpc" } resource "tencentcloud_subnet" "app" { vpc_id = tencentcloud_vpc.app.id availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name name = "awesome_app_subnet" cidr_block = "10.0.1.0/24" } resource "tencentcloud_instance" "cvm_postpaid" { instance_name = "cvm_postpaid" availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type system_disk_type = "CLOUD_PREMIUM" system_disk_size = 50 hostname = "user" project_id = 0 vpc_id = tencentcloud_vpc.app.id subnet_id = tencentcloud_subnet.app.id user_data = base64encode("apt-get install -y tccli; export secretId=your_access_key_id_here; export secretId=your_secret_access_key_here") data_disks { data_disk_type = "CLOUD_PREMIUM" data_disk_size = 50 encrypt = false } tags = { tagKey = "tagValue" } } ```