How does terraform zero out the .sh scripts when using a remote-exec inline command?


Tony Gt

Jan 4, 2017, 4:52:27 PM1/4/17
to Terraform
If I create a simple remote-exec provisioner using an inline command, terraform creates a terraform_timestamp.sh under /tmp. I can capture this script by copying it as the first command.

For example:

provisioner "remote-exec" {
    inline = [
    "sudo sh -c 'cp /tmp/terraform* /home/myhome/'",
    "ls -l"
    ]
}


When I look in /home/myhome/ I see a "terraform_<some UID>.sh"

If I open the contents of this .sh script I see my commands

sudo sh -c 'cp /tmp/terraform* /home/myhome'
ls -l

If I copy these commands into a new file, say "newfile.sh", and then execute newfile.sh, the terraform_<some UID>.sh becomes zeroed out (the commands are removed from the .sh script).


How does that happen? I don't have terraform on the target host, so it cannot be terraform related. Is terraform doing something else aside from uploading a /tmp/terraform_<some UID>.sh?

I don't understand the magic behind terraform zeroing out these scripts, please explain....

Mitchell Hashimoto

Jan 4, 2017, 5:03:38 PM1/4/17
to Terraform
Tony,

No magic, and not a secure erase either. After executing a command we upload an empty (0 byte) file to the same path as the original temporary file. Some people put secrets and other such things in their provisioning scripts and we don’t want to risk leaving it around.

Like I said though, it's not the most secure; if you're truly afraid you should use `shred` or something like that from another inline script.

Best,
Mitchell

Tony Gt

Jan 4, 2017, 5:44:25 PM1/4/17
to Terraform
Mitchell,

Thanks for the quick reply!  The part that confuses me though is this bit..

I ran my attached snippet to demo the issue, which copies a /tmp/terraform_*.sh script into my home directory before it zeroes it out, and I end up with

  • /tmp/terraform_544541579.sh ( 0 bytes - no commands in file)
  • /home/myhome/terraform_544541579.sh (138 bytes, commands are in file)

So it successfully copies, but then I run the following commands


  • `cp /home/myhome/terraform_544541579.sh /home/myhome/544541580.sh`
  • `cp /home/myhome/544541580.sh /home/myhome/new.sh`
  • `chmod 700 /home/myhome/new.sh`
  • `/home/myhome/./new.sh`

So here I'm copying the original copy into a new copy, and then making a copy of that called "new.sh" and executing it. When I execute it my results are:


  • -rwx------ 1 root root 138 Jan  4 14:37 new.sh
  • -rwxr-xr-x 1 root root   0 Jan  4 14:37 terraform_324111250.sh (new file)
  • -rwxr-xr-x 1 root root   0 Jan  4 14:37 terraform_544541579.sh (now zeroed out)
  • -rwxr-xr-x 1 root root 138 Jan  4 14:34 terraform_544541580.sh (copy of copy of the original)


So you can see the original copy in my home dir has now become zeroed out, but the copy of the "copy of the original" is still intact and so is "new.sh". Also, there is a new file now in my home directory called "terraform_324111250.sh".


So yes, what you said makes sense when I see /tmp/terraform_544541579.sh zeroed out, but how is this following along on my copies in my home directory, like I described above?


Where is this new file coming from (terraform_324111250.sh), and how come only the copy of the original is zeroed out in my home directory (not the copy of the copy)? This is the "magic" I'm referring to. When I run a `ps -U <user id>` as the user I'm terraforming as, I see no processes, so I'm not sure what is executing this "erase" on the target host?


Thanks!

Mitchell Hashimoto

Jan 4, 2017, 5:48:07 PM1/4/17
to Terraform
Tony,

Sorry I sent it from the wrong address, see my response inline below:

Best,
Mitchell

On Jan 4, 2017, 2:47 PM -0800, Mitchell Hashimoto <xmi...@gmail.com>, wrote:
Tony,

I’m not sure, nothing screams out to me as obvious.


As you can see, it is very simple and uses only SCP. We don't run any processes on the remote machine. We upload an empty file exactly to the path where we originally executed it (`remotePath`). Note that remotePath is a Go string variable that is never modified, so it is impossible for the remote machine to affect the value of that. Therefore, I don't think this exact line is zeroing out your file.

The only thing I can imagine is that there are symlinks being used somewhere. Terraform probably isn’t doing this, though.

Best,
Mitchell
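To see Mitchell's description (run the script, then upload a 0-byte file over the same path) and Tony's replay of the captured copy side by side, here is an added shell simulation that is not Terraform's code: it stands in for the SCP upload and execution with local files in a scratch directory, using placeholder directories in place of /tmp and /home/myhome on the target host.

```shell
#!/bin/sh
# Added example, not Terraform's code: simulate the remote-exec lifecycle
# described in the thread inside a scratch directory, then replay Tony's
# "copy the script while it runs" experiment.
set -eu

WORK=$(mktemp -d)
REMOTE_TMP="$WORK/tmp"      # stand-in for /tmp on the target host
HOME_DIR="$WORK/home"       # stand-in for /home/myhome
mkdir -p "$REMOTE_TMP" "$HOME_DIR"

# Per Mitchell: upload the script, run it, then upload an empty file to
# the same path. The last step is plain truncation, not a secure erase.
run_provisioner() {
    id=$1                                   # stand-in for the random id
    script="$REMOTE_TMP/terraform_$id.sh"
    printf '%s\n' '#!/bin/sh' \
        "cp $REMOTE_TMP/terraform* $HOME_DIR/" \
        "ls -l $HOME_DIR >/dev/null" > "$script"   # the "upload"
    chmod 700 "$script"
    "$script"                               # execute the inline commands
    : > "$script"                           # the 0-byte "upload"
}

size_of() { wc -c < "$1" | tr -d ' '; }

run_provisioner 544541579
# After the run the /tmp script is empty, but the copy made while it was
# executing still holds the commands (this is how secrets can leak).
tmp_size=$(size_of "$REMOTE_TMP/terraform_544541579.sh")    # 0
home_size=$(size_of "$HOME_DIR/terraform_544541579.sh")     # > 0

# Tony's replay: copy the captured copy to new.sh and run it. new.sh still
# says "cp /tmp/terraform* ...", so it re-copies whatever is in /tmp NOW,
# i.e. the already-truncated file, over the copy in the home directory.
cp "$HOME_DIR/terraform_544541579.sh" "$HOME_DIR/terraform_544541580.sh"
cp "$HOME_DIR/terraform_544541580.sh" "$HOME_DIR/new.sh"
chmod 700 "$HOME_DIR/new.sh"
"$HOME_DIR/new.sh"
replay_size=$(size_of "$HOME_DIR/terraform_544541579.sh")   # 0 again
copy2_size=$(size_of "$HOME_DIR/terraform_544541580.sh")    # untouched

rm -rf "$WORK"
```

No process on the target is involved: the "erase" of the home-directory copy is the replayed script's own `cp` of the truncated /tmp file, while the copy-of-the-copy is never a target of that command.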