vultr / terraform-provider-vultr

Terraform Vultr provider
https://www.terraform.io/docs/providers/vultr/
Mozilla Public License 2.0

[BUG] - user-data security #317

Open binnsr opened 1 year ago

binnsr commented 1 year ago

The Vultr API encrypts user_data in the Vultr UI when added to a server, but the vultr_instance terraform provider creates the 'user_data' field in plain text. If there are sensitive values in the user_data, they then show in the Vultr UI in plain text.

For example, using this command, I have a random-looking string placed into the User Data field in the UI:

curl --silent -X PATCH --url "https://api.vultr.com/v2/instances/${INSTANCE_ID}" -H "Authorization: Bearer ${VULTR_API_TOKEN}" -H "Content-Type: application/json" -d '{ "user_data" : "redacted" }'

Running a terraform provisioner with this block, I have the secrets (variables in the code block below) written to the UI:

user_data = <<EOF
#cloud-config
runcmd:
EOF

The Terraform Provisioner should write the data as a hash like the API does, or provide for the ability to redact variables in the field.

optik-aper commented 1 year ago

Hello @binnsr and thanks for the report.

User data is base64 encoded during transit, but is decoded in the Vultr platform. The Vultr UI will always show it as plain text and if it's showing encoded for you, it might have been doubly encoded and will therefore probably not work in cloud-init. If you want to preserve secure information, perhaps a startup script would be a better solution? https://www.vultr.com/api/#tag/startup
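The point made in the reply, that base64 on the wire is an encoding and not encryption, so anything placed in user_data is recoverable as plain text once stored, can be demonstrated with a small pre-apply check. This is an added example, not code from the issue or from the provider; the cloud-config sample and the secret-detection patterns are constructed for illustration.

```python
import base64
import re

# Constructed sample resembling the report's cloud-config, with placeholder
# values standing in for the secrets the reporter redacted.
SAMPLE_USER_DATA = """#cloud-config
runcmd:
  - export DB_PASSWORD=hunter2-example
  - curl -H "Authorization: Bearer EXAMPLE_TOKEN_123" https://example.invalid/
"""

# Heuristic patterns for secrets inlined into user_data (assumption: a
# reviewer tunes these to their own conventions).
SECRET_PATTERNS = [
    re.compile(r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[=:]\s*\S+"),
    re.compile(r"(?i)Authorization:\s*Bearer\s+\S+"),
]

def encode_for_transit(user_data: str) -> str:
    """Base64-encode user_data the way a client sends it to the API."""
    return base64.b64encode(user_data.encode()).decode()

def decode_from_transit(encoded: str) -> str:
    """Reverse the transit encoding; the platform stores the decoded text."""
    return base64.b64decode(encoded).decode()

def secret_hits(user_data: str) -> list[tuple[int, str]]:
    """Return (line_number, matched_text) for each line that embeds a likely secret."""
    hits = []
    for lineno, line in enumerate(user_data.splitlines(), start=1):
        for pat in SECRET_PATTERNS:
            m = pat.search(line)
            if m:
                hits.append((lineno, m.group(0)))
                break
    return hits

def check_before_apply(user_data: str) -> dict:
    """Show what the UI would display after the encode/decode round trip."""
    stored = decode_from_transit(encode_for_transit(user_data))
    return {
        "round_trip_identical": stored == user_data,
        "secret_lines": [ln for ln, _ in secret_hits(stored)],
    }

if __name__ == "__main__":
    print(check_before_apply(SAMPLE_USER_DATA))
```

Running the check against the sample reports that the stored text is byte-identical to the input and that lines 3 and 4 carry secrets, which is what would land in the UI.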