Beta - CVM Instance Using User Data
- Query id: 5bb6fa08-5e84-4760-a54a-cdcd66626976
- Query name: Beta - CVM Instance Using User Data
- Platform: Terraform
- Severity: Low
- Category: Access Control
- CWE: 284
- URL: Github
Description¶
CVM instances should use roles to be granted access
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
data "tencentcloud_images" "my_favorite_image" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
data "tencentcloud_instance_types" "my_favorite_instance_types" {
filter {
name = "instance-family"
values = ["S1", "S2", "S3", "S4", "S5"]
}
cpu_core_count = 2
exclude_sold_out = true
}
data "tencentcloud_availability_zones" "my_favorite_zones" {}
resource "tencentcloud_vpc" "app" {
cidr_block = "10.0.0.0/16"
name = "awesome_app_vpc"
}
resource "tencentcloud_subnet" "app" {
vpc_id = tencentcloud_vpc.app.id
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
name = "awesome_app_subnet"
cidr_block = "10.0.1.0/24"
}
resource "tencentcloud_instance" "cvm_postpaid" {
instance_name = "cvm_postpaid"
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id
instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
system_disk_type = "CLOUD_PREMIUM"
system_disk_size = 50
hostname = "user"
project_id = 0
vpc_id = tencentcloud_vpc.app.id
subnet_id = tencentcloud_subnet.app.id
user_data = base64encode("apt-get install -y tccli; export TENCENTCLOUD_SECRET_ID=your_access_key_id_here; export TENCENTCLOUD_SECRET_KEY=your_secret_access_key_here")
data_disks {
data_disk_type = "CLOUD_PREMIUM"
data_disk_size = 50
encrypt = false
}
tags = {
tagKey = "tagValue"
}
}
Positive test num. 2 - tf file
data "tencentcloud_images" "my_favorite_image" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
data "tencentcloud_instance_types" "my_favorite_instance_types" {
filter {
name = "instance-family"
values = ["S1", "S2", "S3", "S4", "S5"]
}
cpu_core_count = 2
exclude_sold_out = true
}
data "tencentcloud_availability_zones" "my_favorite_zones" {}
resource "tencentcloud_vpc" "app" {
cidr_block = "10.0.0.0/16"
name = "awesome_app_vpc"
}
resource "tencentcloud_subnet" "app" {
vpc_id = tencentcloud_vpc.app.id
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
name = "awesome_app_subnet"
cidr_block = "10.0.1.0/24"
}
resource "tencentcloud_instance" "cvm_postpaid" {
instance_name = "cvm_postpaid"
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id
instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
system_disk_type = "CLOUD_PREMIUM"
system_disk_size = 50
hostname = "user"
project_id = 0
vpc_id = tencentcloud_vpc.app.id
subnet_id = tencentcloud_subnet.app.id
user_data_raw = "apt-get install -y tccli; export TENCENTCLOUD_SECRET_ID=your_access_key_id_here; export TENCENTCLOUD_SECRET_KEY=your_secret_access_key_here"
data_disks {
data_disk_type = "CLOUD_PREMIUM"
data_disk_size = 50
encrypt = false
}
tags = {
tagKey = "tagValue"
}
}
Positive test num. 3 - tf file
data "tencentcloud_images" "my_favorite_image" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
data "tencentcloud_instance_types" "my_favorite_instance_types" {
filter {
name = "instance-family"
values = ["S1", "S2", "S3", "S4", "S5"]
}
cpu_core_count = 2
exclude_sold_out = true
}
data "tencentcloud_availability_zones" "my_favorite_zones" {}
resource "tencentcloud_vpc" "app" {
cidr_block = "10.0.0.0/16"
name = "awesome_app_vpc"
}
resource "tencentcloud_subnet" "app" {
vpc_id = tencentcloud_vpc.app.id
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
name = "awesome_app_subnet"
cidr_block = "10.0.1.0/24"
}
resource "tencentcloud_instance" "cvm_postpaid" {
instance_name = "cvm_postpaid"
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id
instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
system_disk_type = "CLOUD_PREMIUM"
system_disk_size = 50
hostname = "user"
project_id = 0
vpc_id = tencentcloud_vpc.app.id
subnet_id = tencentcloud_subnet.app.id
user_data = base64encode("apt-get install -y tccli; export secretId=your_access_key_id_here; export secretId=your_secret_access_key_here")
data_disks {
data_disk_type = "CLOUD_PREMIUM"
data_disk_size = 50
encrypt = false
}
tags = {
tagKey = "tagValue"
}
}
Positive test num. 4 - tf file
data "tencentcloud_images" "my_favorite_image" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
data "tencentcloud_instance_types" "my_favorite_instance_types" {
filter {
name = "instance-family"
values = ["S1", "S2", "S3", "S4", "S5"]
}
cpu_core_count = 2
exclude_sold_out = true
}
data "tencentcloud_availability_zones" "my_favorite_zones" {}
resource "tencentcloud_vpc" "app" {
cidr_block = "10.0.0.0/16"
name = "awesome_app_vpc"
}
resource "tencentcloud_subnet" "app" {
vpc_id = tencentcloud_vpc.app.id
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
name = "awesome_app_subnet"
cidr_block = "10.0.1.0/24"
}
resource "tencentcloud_instance" "cvm_postpaid" {
instance_name = "cvm_postpaid"
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id
instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
system_disk_type = "CLOUD_PREMIUM"
system_disk_size = 50
hostname = "user"
project_id = 0
vpc_id = tencentcloud_vpc.app.id
subnet_id = tencentcloud_subnet.app.id
user_data_raw = "apt-get install -y tccli; export secretId=your_access_key_id_here; export secretId=your_secret_access_key_here"
data_disks {
data_disk_type = "CLOUD_PREMIUM"
data_disk_size = 50
encrypt = false
}
tags = {
tagKey = "tagValue"
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
data "tencentcloud_images" "my_favorite_image" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
data "tencentcloud_instance_types" "my_favorite_instance_types" {
filter {
name = "instance-family"
values = ["S1", "S2", "S3", "S4", "S5"]
}
cpu_core_count = 2
exclude_sold_out = true
}
data "tencentcloud_availability_zones" "my_favorite_zones" {}
resource "tencentcloud_vpc" "app" {
cidr_block = "10.0.0.0/16"
name = "awesome_app_vpc"
}
resource "tencentcloud_subnet" "app" {
vpc_id = tencentcloud_vpc.app.id
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
name = "awesome_app_subnet"
cidr_block = "10.0.1.0/24"
}
resource "tencentcloud_instance" "cvm_postpaid" {
instance_name = "cvm_postpaid"
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id
instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
system_disk_type = "CLOUD_PREMIUM"
system_disk_size = 50
hostname = "user"
project_id = 0
vpc_id = tencentcloud_vpc.app.id
subnet_id = tencentcloud_subnet.app.id
data_disks {
data_disk_type = "CLOUD_PREMIUM"
data_disk_size = 50
encrypt = false
}
tags = {
tagKey = "tagValue"
}
}
Negative test num. 2 - tf file
data "tencentcloud_images" "my_favorite_image" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
data "tencentcloud_instance_types" "my_favorite_instance_types" {
filter {
name = "instance-family"
values = ["S1", "S2", "S3", "S4", "S5"]
}
cpu_core_count = 2
exclude_sold_out = true
}
data "tencentcloud_availability_zones" "my_favorite_zones" {}
resource "tencentcloud_vpc" "app" {
cidr_block = "10.0.0.0/16"
name = "awesome_app_vpc"
}
resource "tencentcloud_subnet" "app" {
vpc_id = tencentcloud_vpc.app.id
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
name = "awesome_app_subnet"
cidr_block = "10.0.1.0/24"
}
resource "tencentcloud_instance" "cvm_postpaid" {
instance_name = "cvm_postpaid"
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id
instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
system_disk_type = "CLOUD_PREMIUM"
system_disk_size = 50
hostname = "user"
project_id = 0
vpc_id = tencentcloud_vpc.app.id
subnet_id = tencentcloud_subnet.app.id
user_data = base64encode("this is test value")
data_disks {
data_disk_type = "CLOUD_PREMIUM"
data_disk_size = 50
encrypt = false
}
tags = {
tagKey = "tagValue"
}
}
Negative test num. 3 - tf file
data "tencentcloud_images" "my_favorite_image" {
image_type = ["PUBLIC_IMAGE"]
image_name_regex = "Final"
}
data "tencentcloud_instance_types" "my_favorite_instance_types" {
filter {
name = "instance-family"
values = ["S1", "S2", "S3", "S4", "S5"]
}
cpu_core_count = 2
exclude_sold_out = true
}
data "tencentcloud_availability_zones" "my_favorite_zones" {}
resource "tencentcloud_vpc" "app" {
cidr_block = "10.0.0.0/16"
name = "awesome_app_vpc"
}
resource "tencentcloud_subnet" "app" {
vpc_id = tencentcloud_vpc.app.id
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
name = "awesome_app_subnet"
cidr_block = "10.0.1.0/24"
}
resource "tencentcloud_instance" "cvm_postpaid" {
instance_name = "cvm_postpaid"
availability_zone = data.tencentcloud_availability_zones.my_favorite_zones.zones.0.name
image_id = data.tencentcloud_images.my_favorite_image.images.0.image_id
instance_type = data.tencentcloud_instance_types.my_favorite_instance_types.instance_types.0.instance_type
system_disk_type = "CLOUD_PREMIUM"
system_disk_size = 50
hostname = "user"
project_id = 0
vpc_id = tencentcloud_vpc.app.id
subnet_id = tencentcloud_subnet.app.id
user_data_raw = "this is test value"
data_disks {
data_disk_type = "CLOUD_PREMIUM"
data_disk_size = 50
encrypt = false
}
tags = {
tagKey = "tagValue"
}
}