Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to decrypt windows administrator password in terraform?

Tags:

syntax

amazon-web-services

interpolation

terraform

I'm provisioning a single windows server for testing with terraform in AWS. Every time i need to decrypt my windows password with my PEM file to connect. Instead, i chose the terraform argument get_password_data and stored my password_data in tfstate file. Now how do i decrypt the same with interpolation syntax rsadecrypt

Please find my below terraform code

### Resource for EC2 instance creation ###

resource "aws_instance" "ec2" {
  ami                   =   "${var.ami}"
  instance_type         =   "${var.instance_type}"
  key_name              =   "${var.key_name}"
  subnet_id             =   "${var.subnet_id}"
  security_groups       =  ["${var.security_groups}"]
  availability_zone     =   "${var.availability_zone}"
  private_ip            =   "x.x.x.x"
  get_password_data     =   "true"

  connection {
    password            =   "${rsadecrypt(self.password_data)}"
    }

  root_block_device {
              volume_type = "${var.volume_type}"
              volume_size = "${var.volume_size}"
    delete_on_termination = "true"
    }

  tags {
        "Cost Center"  =  "R1"
        "Name"         =  "AD-test"
        "Purpose"      =  "Task"
        "Server Name"  =  "Active Directory"
        "SME Name"     =  "Ravi"
    }

}


output "instance_id" {
  value = "${aws_instance.ec2.id}"
}


### Resource for EBS volume creation ###

  resource "aws_ebs_volume" "additional_vol" {
    availability_zone =  "${var.availability_zone}"
    size              =  "${var.size}"
    type              =  "${var.type}"
}

### Output of Volume ID ###

  output "vol_id" {
    value = "${aws_ebs_volume.additional_vol.id}"
}

### Resource for Volume attachment ###

   resource "aws_volume_attachment" "attach_vol" {
     device_name       = "${var.device_name}"
     volume_id         = "${aws_ebs_volume.additional_vol.id}"
     instance_id       = "${aws_instance.ec2.id}"
     skip_destroy      = "true"
}
like image 872
Ravichandran Avatar asked Jun 29 '18 04:06

Ravichandran

1 Answers

The password is encrypted using the key_pair you specified when launching the instance, you still need to use it to decrypt as password_data is still just the base64 encoded encrypted password data.

You should use ${rsadecrypt(self.password_data,file("/path/to/private_key.pem"))}

This is for good reason. You really don't want just a base64 encoded password floating around in state.

Short version: You are missing the second argument in the interpolation function.

like image 189
mootpt Avatar answered Oct 14 '22 10:10

mootpt
Sign in to Comment

Related questions

Storing secrets and credentials inside of an Android App
How to delete a Sagemaker Ground Truth Labeling Job?
AWS API Gateway: why post request body is encoded base64?
Is it possible to upload to S3 by just providing a URL? [closed]
Amazon AWS: How Do I Programmatically Calculate My Spending?
Can I use signed and unsigned urls on the same Cloudfront distribution?
Laravel Queue with Amazon SQS
Amazon S3 CORS issue with SVG on All major browser
Uploading multiple files at same time from local to s3 bucket through node js
How do I limit access to S3 Bucket for particular IAM Role?
How to query third party JSON API from AWS Lambda function
Handling https requests without API Gateway
botocore.exceptions.ProfileNotFound when code run on AWS elastic beanstalk, but locally it's OK
How to host multiple domains and subdomains on single AWS EC2 instance
Replacement for AWS Lambda invokeAsync (deprecated)
AWS Cognito not sending verification SMS
What is the smallest subnet one can create on AWS in the VPC?
Mock AWS services for testing
AWS Glue output file name
Lambda throttling below concurrency limit

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!