no-secrets-in-custom-data
Explanation
When creating Azure Virtual Machines, custom_data is used to pass start up information into the EC2 instance. This custom_dat must not contain access key credentials.
Possible Impact
Sensitive credentials in custom_data can be leaked
Suggested Resolution
Don't use sensitive credentials in the VM custom_data
Insecure Example
The following example will fail the azure-compute-no-secrets-in-custom-data check.
resource "azurerm_virtual_machine" "bad_example" {
name = "bad_example"
custom_data =<<EOF
export DATABASE_PASSWORD=\"SomeSortOfPassword\"
EOF
}
Secure Example
The following example will pass the azure-compute-no-secrets-in-custom-data check.
resource "azurerm_virtual_machine" "good_example" {
name = "good_example"
custom_data =<<EOF
export GREETING="Hello there"
EOF
}