Beta - CVM instance using user data
Id: 5bb6fa08-5e84-4760-a54a-cdcd66626976
Cloud Provider: TencentCloud
Platform: Terraform
Severity: Low
Category: Access Control
Description
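CVM instances must use roles to obtain required permissions rather than embedding API credentials in instance configuration. This rule detects API secret keys in the user_data or user_data_raw fields of tencentcloud_instance resources. Embedding secrets in user data is insecure: the value sits in plain text in the Terraform configuration and state, the base64 encoding used for user_data is not encryption, and user data is typically readable from inside the instance. Instead, assign permissions using the cam_role_name attribute, which attaches a CAM role to the instance.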
Compliant Code Examples
# Compliant sample 1: user_data_raw is present but carries no credential material.

# Image, instance-type and zone lookups that feed the instance below.
data "tencentcloud_images" "my_favorite_image" {
  image_type       = ["PUBLIC_IMAGE"]
  image_name_regex = "Final"
}

data "tencentcloud_instance_types" "my_favorite_instance_types" {
  filter {
    name   = "instance-family"
    values = ["S1", "S2", "S3", "S4", "S5"]
  }

  cpu_core_count   = 2
  exclude_sold_out = true
}

data "tencentcloud_availability_zones" "my_favorite_zones" {}

# Network the instance is placed in.
resource "tencentcloud_vpc" "app" {
  cidr_block = "10.0.0.0/16"
  name       = "awesome_app_vpc"
}

resource "tencentcloud_subnet" "app" {
  vpc_id            = tencentcloud_vpc.app.id
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  name              = "awesome_app_subnet"
  cidr_block        = "10.0.1.0/24"
}

resource "tencentcloud_instance" "cvm_postpaid" {
  instance_name     = "cvm_postpaid"
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  image_id          = data.tencentcloud_images.my_favorite_image.images.0.image_id
  instance_type     = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
  system_disk_type  = "CLOUD_PREMIUM"
  system_disk_size  = 50
  hostname          = "user"
  project_id        = 0
  vpc_id            = tencentcloud_vpc.app.id
  subnet_id         = tencentcloud_subnet.app.id

  # Plain-text user data without any API key, so the rule has nothing to flag.
  # If the instance needs API permissions, grant them with cam_role_name
  # rather than adding keys to this string.
  user_data_raw = "this is test value"

  data_disks {
    data_disk_type = "CLOUD_PREMIUM"
    data_disk_size = 50
    # NOTE(review): the sample data disk is unencrypted; this rule does not cover it.
    encrypt = false
  }

  tags = {
    tagKey = "tagValue"
  }
}
# Compliant sample 2: user_data is base64-encoded and the encoded text holds no credentials.

# Image, instance-type and zone lookups that feed the instance below.
data "tencentcloud_images" "my_favorite_image" {
  image_type       = ["PUBLIC_IMAGE"]
  image_name_regex = "Final"
}

data "tencentcloud_instance_types" "my_favorite_instance_types" {
  filter {
    name   = "instance-family"
    values = ["S1", "S2", "S3", "S4", "S5"]
  }

  cpu_core_count   = 2
  exclude_sold_out = true
}

data "tencentcloud_availability_zones" "my_favorite_zones" {}

# Network the instance is placed in.
resource "tencentcloud_vpc" "app" {
  cidr_block = "10.0.0.0/16"
  name       = "awesome_app_vpc"
}

resource "tencentcloud_subnet" "app" {
  vpc_id            = tencentcloud_vpc.app.id
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  name              = "awesome_app_subnet"
  cidr_block        = "10.0.1.0/24"
}

resource "tencentcloud_instance" "cvm_postpaid" {
  instance_name     = "cvm_postpaid"
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  image_id          = data.tencentcloud_images.my_favorite_image.images.0.image_id
  instance_type     = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
  system_disk_type  = "CLOUD_PREMIUM"
  system_disk_size  = 50
  hostname          = "user"
  project_id        = 0
  vpc_id            = tencentcloud_vpc.app.id
  subnet_id         = tencentcloud_subnet.app.id

  # Compliant because the encoded payload contains no API key.
  # base64encode() is an encoding, not encryption, so it does not make
  # a secret safe to place here.
  user_data = base64encode("this is test value")

  data_disks {
    data_disk_type = "CLOUD_PREMIUM"
    data_disk_size = 50
    # NOTE(review): the sample data disk is unencrypted; this rule does not cover it.
    encrypt = false
  }

  tags = {
    tagKey = "tagValue"
  }
}
# Compliant sample 3: the instance sets neither user_data nor user_data_raw.

# Image, instance-type and zone lookups that feed the instance below.
data "tencentcloud_images" "my_favorite_image" {
  image_type       = ["PUBLIC_IMAGE"]
  image_name_regex = "Final"
}

data "tencentcloud_instance_types" "my_favorite_instance_types" {
  filter {
    name   = "instance-family"
    values = ["S1", "S2", "S3", "S4", "S5"]
  }

  cpu_core_count   = 2
  exclude_sold_out = true
}

data "tencentcloud_availability_zones" "my_favorite_zones" {}

# Network the instance is placed in.
resource "tencentcloud_vpc" "app" {
  cidr_block = "10.0.0.0/16"
  name       = "awesome_app_vpc"
}

resource "tencentcloud_subnet" "app" {
  vpc_id            = tencentcloud_vpc.app.id
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  name              = "awesome_app_subnet"
  cidr_block        = "10.0.1.0/24"
}

# No user data at all, so there is no field in which a key could be embedded.
# If the workload needs API permissions, add cam_role_name to this resource
# instead of introducing user data that carries keys.
resource "tencentcloud_instance" "cvm_postpaid" {
  instance_name     = "cvm_postpaid"
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  image_id          = data.tencentcloud_images.my_favorite_image.images.0.image_id
  instance_type     = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
  system_disk_type  = "CLOUD_PREMIUM"
  system_disk_size  = 50
  hostname          = "user"
  project_id        = 0
  vpc_id            = tencentcloud_vpc.app.id
  subnet_id         = tencentcloud_subnet.app.id

  data_disks {
    data_disk_type = "CLOUD_PREMIUM"
    data_disk_size = 50
    # NOTE(review): the sample data disk is unencrypted; this rule does not cover it.
    encrypt = false
  }

  tags = {
    tagKey = "tagValue"
  }
}
Non-Compliant Code Examples
# Non-compliant sample 1: user_data_raw exports TencentCloud API credentials in plain text.

# Image, instance-type and zone lookups that feed the instance below.
data "tencentcloud_images" "my_favorite_image" {
  image_type       = ["PUBLIC_IMAGE"]
  image_name_regex = "Final"
}

data "tencentcloud_instance_types" "my_favorite_instance_types" {
  filter {
    name   = "instance-family"
    values = ["S1", "S2", "S3", "S4", "S5"]
  }

  cpu_core_count   = 2
  exclude_sold_out = true
}

data "tencentcloud_availability_zones" "my_favorite_zones" {}

# Network the instance is placed in.
resource "tencentcloud_vpc" "app" {
  cidr_block = "10.0.0.0/16"
  name       = "awesome_app_vpc"
}

resource "tencentcloud_subnet" "app" {
  vpc_id            = tencentcloud_vpc.app.id
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  name              = "awesome_app_subnet"
  cidr_block        = "10.0.1.0/24"
}

resource "tencentcloud_instance" "cvm_postpaid" {
  instance_name     = "cvm_postpaid"
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  image_id          = data.tencentcloud_images.my_favorite_image.images.0.image_id
  instance_type     = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
  system_disk_type  = "CLOUD_PREMIUM"
  system_disk_size  = 50
  hostname          = "user"
  project_id        = 0
  vpc_id            = tencentcloud_vpc.app.id
  subnet_id         = tencentcloud_subnet.app.id

  # FLAGGED: the boot script sets TENCENTCLOUD_SECRET_ID and
  # TENCENTCLOUD_SECRET_KEY (placeholder values in this sample). A real key
  # here would sit in plain text in the configuration and the state file.
  # Remediation: remove the keys, rotate any that were ever committed, and
  # grant permissions through cam_role_name.
  user_data_raw = "apt-get install -y tccli; export TENCENTCLOUD_SECRET_ID=your_access_key_id_here; export TENCENTCLOUD_SECRET_KEY=your_secret_access_key_here"

  data_disks {
    data_disk_type = "CLOUD_PREMIUM"
    data_disk_size = 50
    # NOTE(review): the sample data disk is unencrypted; this rule does not cover it.
    encrypt = false
  }

  tags = {
    tagKey = "tagValue"
  }
}
# Non-compliant sample 2: API credentials are passed through base64-encoded user_data.

# Image, instance-type and zone lookups that feed the instance below.
data "tencentcloud_images" "my_favorite_image" {
  image_type       = ["PUBLIC_IMAGE"]
  image_name_regex = "Final"
}

data "tencentcloud_instance_types" "my_favorite_instance_types" {
  filter {
    name   = "instance-family"
    values = ["S1", "S2", "S3", "S4", "S5"]
  }

  cpu_core_count   = 2
  exclude_sold_out = true
}

data "tencentcloud_availability_zones" "my_favorite_zones" {}

# Network the instance is placed in.
resource "tencentcloud_vpc" "app" {
  cidr_block = "10.0.0.0/16"
  name       = "awesome_app_vpc"
}

resource "tencentcloud_subnet" "app" {
  vpc_id            = tencentcloud_vpc.app.id
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  name              = "awesome_app_subnet"
  cidr_block        = "10.0.1.0/24"
}

resource "tencentcloud_instance" "cvm_postpaid" {
  instance_name     = "cvm_postpaid"
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  image_id          = data.tencentcloud_images.my_favorite_image.images.0.image_id
  instance_type     = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
  system_disk_type  = "CLOUD_PREMIUM"
  system_disk_size  = 50
  hostname          = "user"
  project_id        = 0
  vpc_id            = tencentcloud_vpc.app.id
  subnet_id         = tencentcloud_subnet.app.id

  # FLAGGED: the encoded script carries credential assignments (placeholder
  # values in this sample). base64encode() only encodes; the key is recovered
  # by decoding, and the literal still appears in the configuration.
  # NOTE(review): both exports assign secretId, so the second overwrites the
  # first; the second was presumably meant to name the secret-key variable.
  # Remediation: remove the keys, rotate any that were ever committed, and
  # grant permissions through cam_role_name.
  user_data = base64encode("apt-get install -y tccli; export secretId=your_access_key_id_here; export secretId=your_secret_access_key_here")

  data_disks {
    data_disk_type = "CLOUD_PREMIUM"
    data_disk_size = 50
    # NOTE(review): the sample data disk is unencrypted; this rule does not cover it.
    encrypt = false
  }

  tags = {
    tagKey = "tagValue"
  }
}
# Non-compliant sample 3: user_data_raw assigns credentials under the secretId variable name.

# Image, instance-type and zone lookups that feed the instance below.
data "tencentcloud_images" "my_favorite_image" {
  image_type       = ["PUBLIC_IMAGE"]
  image_name_regex = "Final"
}

data "tencentcloud_instance_types" "my_favorite_instance_types" {
  filter {
    name   = "instance-family"
    values = ["S1", "S2", "S3", "S4", "S5"]
  }

  cpu_core_count   = 2
  exclude_sold_out = true
}

data "tencentcloud_availability_zones" "my_favorite_zones" {}

# Network the instance is placed in.
resource "tencentcloud_vpc" "app" {
  cidr_block = "10.0.0.0/16"
  name       = "awesome_app_vpc"
}

resource "tencentcloud_subnet" "app" {
  vpc_id            = tencentcloud_vpc.app.id
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  name              = "awesome_app_subnet"
  cidr_block        = "10.0.1.0/24"
}

resource "tencentcloud_instance" "cvm_postpaid" {
  instance_name     = "cvm_postpaid"
  availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
  image_id          = data.tencentcloud_images.my_favorite_image.images.0.image_id
  instance_type     = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
  system_disk_type  = "CLOUD_PREMIUM"
  system_disk_size  = 50
  hostname          = "user"
  project_id        = 0
  vpc_id            = tencentcloud_vpc.app.id
  subnet_id         = tencentcloud_subnet.app.id

  # FLAGGED: the plain-text boot script assigns credential values
  # (placeholders in this sample) to secretId.
  # NOTE(review): both exports assign secretId, so the second overwrites the
  # first; the second was presumably meant to name the secret-key variable.
  # Remediation: remove the keys, rotate any that were ever committed, and
  # grant permissions through cam_role_name.
  user_data_raw = "apt-get install -y tccli; export secretId=your_access_key_id_here; export secretId=your_secret_access_key_here"

  data_disks {
    data_disk_type = "CLOUD_PREMIUM"
    data_disk_size = 50
    # NOTE(review): the sample data disk is unencrypted; this rule does not cover it.
    encrypt = false
  }

  tags = {
    tagKey = "tagValue"
  }
}