SUSE / ha-sap-terraform-deployments

Automated SAP/HA Deployments in Public/Private Clouds
GNU General Public License v3.0

Variables and secrets exposed at /etc/salt/grains #862

Closed abravosuse closed 2 years ago

abravosuse commented 2 years ago

The variables and secrets set in the terraform.tfvars file are exposed in plain text file /etc/salt/grains, including master passwords. Even though folder /etc/salt can only be accessed by root or members of the salt group, this is a vulnerability and it would be preferable if the file was removed altogether at some point during the execution process.
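An added example, not part of this issue or of the ha-sap-terraform-deployments project: a small POSIX sh audit for the situation described above. It builds a constructed sample grains file (the key names and values are made up for the demonstration), lists grains whose key names look like secrets, checks that the file is not readable by group or other, and strips the secret-looking grains in place, which is the kind of cleanup the issue asks for. The path /etc/salt/grains is only referenced in the usage note; the functions take a file argument so they run offline.

```sh
#!/bin/sh
# Added example: audit a Salt grains file for plaintext secrets.
# Not the project's own code; key names below are assumptions.

# Key names that usually carry a secret (case-insensitive match on the key part).
SECRET_KEY_RE='^[[:alnum:]_]*(password|passwd|secret|token)[[:alnum:]_]*:'

# Constructed sample resembling a grains file written from terraform.tfvars.
make_sample_grains() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
provider: aws
cluster_nodes: 2
hana_master_password: SuperSecret123
sidadm_password: AlsoSecret
monitoring_token: abc123
EOF
  printf '%s\n' "$f"
}

# Print the key names of grains that look like secrets, one per line.
find_secret_grains() {
  grep -iE "$SECRET_KEY_RE" "$1" | cut -d: -f1
}

# Number of secret-looking grains (trailing spaces from wc removed for portability).
count_secret_grains() {
  find_secret_grains "$1" | wc -l | tr -d ' '
}

# Succeed only if group and other have no permission bits at all (e.g. 0600).
mode_is_strict() {
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# Remove secret-looking grains in place, keeping the file's inode and mode.
scrub_secret_grains() {
  tmp=$(mktemp)
  grep -viE "$SECRET_KEY_RE" "$1" > "$tmp" || true   # grep -v returns 1 if nothing is left
  cat "$tmp" > "$1"
  rm -f "$tmp"
}

# Human-readable report for one grains file.
audit_grains() {
  file=$1
  if [ ! -f "$file" ]; then
    echo "no grains file at $file"
    return 0
  fi
  if mode_is_strict "$file"; then
    echo "ok: $file is not readable by group/other"
  else
    echo "WARNING: $file is readable by group or other"
  fi
  for k in $(find_secret_grains "$file"); do
    echo "WARNING: secret-looking grain in $file: $k"
  done
}
```

Usage on a deployed node would be `audit_grains /etc/salt/grains`, followed by `scrub_secret_grains /etc/salt/grains` once the highstate no longer needs the values. The check deliberately keys on grain names rather than values, because values like a hostname or SID are not secrets while anything named `*_password` or `*_token` almost always is.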

yeoldegrove commented 2 years ago

@melzer-b1 What do you think? Could we implement another switch in terraform.tfvars, e.g. cleanup_secrets = true, which is disabled by default (to make debugging easier)?

yeoldegrove commented 2 years ago

@abravosuse #877 is a suggestion on how to implement this feature. Any other suggestions which files to e.g. delete?

abravosuse commented 2 years ago

> @abravosuse #877 is a suggestion on how to implement this feature. Any other suggestions which files to e.g. delete?

It looks good to me, @yeoldegrove. Thanks!

yeoldegrove commented 2 years ago

implemented in #877