Ensure that no sensitive credentials are exposed in VM custom_data

Explanation

When creating Azure Virtual Machines, custom_data is used to pass start up information into the EC2 instance. This custom_dat must not contain access key credentials.

Possible Impact

Sensitive credentials in custom_data can be leaked

Suggested Resolution

Don’t use sensitive credentials in the VM custom_data

Insecure Example

The following example will fail the azure-compute-no-secrets-in-custom-data check.

resource "azurerm_virtual_machine" "bad_example" {
	name = "bad_example"
	custom_data =<<EOF
export DATABASE_PASSWORD=\"SomeSortOfPassword\"
EOF
}

Secure Example

The following example will pass the azure-compute-no-secrets-in-custom-data check.

resource "azurerm_virtual_machine" "good_example" {
	name = "good_example"
	custom_data =<<EOF
export GREETING="Hello there"
EOF
}

Getting Started
Provider Checks
Config
GitHub Actions