Issue
I am provisioning an EC2 using Terraform, and I am leveraging PowerShell to programmatically create a local admin user on the EC2 when the Terraform is run. The problem I am running into is that when the EC2 is launched, and I go into the "View/Change User Data" option under "Instance Settings" on the EC2, it is showing the local admin user's password in plain text. Is there any way to do this so that it does not show the password within the User Data section? Below is the PS:
<powershell>
$User = "brittany"
$Password = ConvertTo-SecureString "MyPassword123" -AsPlainText -Force
New-LocalUser $User -Password $Password
Add-LocalGroupMember -Group "Remote Desktop Users" -Member $User
Add-LocalGroupMember -Group "Administrators" -Member $User
</powershell>
Solution
From the documentation:
Anyone who has direct access to the instance, and potentially any software running on the instance, can view its metadata. Therefore, you should not store sensitive data, such as passwords or long-lived encryption keys, as user data.
So instead of having a plaintext password, you should use a Secrets Manager secret to store the password value, and you should then fetch that secret in the UserData script.
Here's an example:
user_data = <<-EOF
<powershell>
$User = "brittany"
# SecretString comes back as plain text; New-LocalUser requires a SecureString
$Plain = (aws secretsmanager get-secret-value --secret-id "SECRET_ID" | ConvertFrom-Json).SecretString
$Password = ConvertTo-SecureString $Plain -AsPlainText -Force
New-LocalUser $User -Password $Password
Add-LocalGroupMember -Group "Remote Desktop Users" -Member $User
Add-LocalGroupMember -Group "Administrators" -Member $User
</powershell>
EOF
Answered By - Paolo Answer Checked By - Timothy Miller (WPSolving Admin)
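The snippet above only works if the instance is allowed to read the secret, so here is the Terraform side that goes with it, as an added example rather than code from the question or the answer: the secret is generated and stored, the instance role is limited to GetSecretValue on that one secret's ARN, and only the ARN (not the password) ever appears in user data. It assumes the `random` provider, a `var.windows_ami_id` variable, a made-up secret name, and a Windows AMI with the AWS CLI on PATH.

```hcl
resource "random_password" "admin" {
  length = 24
}

resource "aws_secretsmanager_secret" "admin" {
  name = "ec2/brittany-local-admin" # assumed name
}

resource "aws_secretsmanager_secret_version" "admin" {
  secret_id     = aws_secretsmanager_secret.admin.id
  secret_string = random_password.admin.result
}

# Instance role: the only thing this instance may read is this one secret.
resource "aws_iam_role" "instance" {
  name = "local-admin-bootstrap"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = "ec2.amazonaws.com" } }]
  })
}

resource "aws_iam_role_policy" "read_secret" {
  role = aws_iam_role.instance.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "secretsmanager:GetSecretValue", Resource = aws_secretsmanager_secret.admin.arn }]
  })
}

resource "aws_iam_instance_profile" "instance" {
  name = "local-admin-bootstrap"
  role = aws_iam_role.instance.name
}

resource "aws_instance" "win" {
  ami                  = var.windows_ami_id # assumed variable
  instance_type        = "t3.medium"
  iam_instance_profile = aws_iam_instance_profile.instance.name
  # Only the secret's ARN is interpolated into user data; the password never is.
  user_data = <<-EOF
    <powershell>
    $User = "brittany"
    $Plain = (aws secretsmanager get-secret-value --secret-id "${aws_secretsmanager_secret.admin.arn}" | ConvertFrom-Json).SecretString
    $Password = ConvertTo-SecureString $Plain -AsPlainText -Force
    New-LocalUser $User -Password $Password
    Add-LocalGroupMember -Group "Administrators" -Member $User
    </powershell>
  EOF
}
```

If the secret is encrypted with a customer-managed KMS key rather than the AWS-managed default, the role also needs kms:Decrypt on that key, and the Terraform state will contain the generated password, so protect the state backend accordingly.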