vChamp

Redact Sensitive Data from a Cloudbase-Init Log File

Posted on March 6, 2024 (updated April 21, 2025) by Don Horrox


Cloudbase-Init is the Windows flavor of the popular tool Cloud-Init: a Python-based automation utility that provisions a guest OS at first boot. The possibilities are practically endless: adding registry keys, creating user accounts, configuring NICs, and much more. Aria Automation makes it fairly easy to harness the power of Cloudbase-Init and Cloud-Init through the same Infrastructure as Code (IaC) concept, and both are easily incorporated into Cloud Templates (formerly known as “Blueprints”). Further, you can pass input fields from your Aria Automation request forms to variables which Cloudbase-Init or Cloud-Init can reference: the input values simply become part of the metadata payload.

By default, you can find the Cloudbase-Init log file in the following directory on a Windows OS:
C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log

Like most applications, Cloudbase-Init creates a log file on each system on which it is installed. Although valuable to administrators, the log content can also be valuable to prying eyes and presents a security challenge. Consider the scenario where you allow an end user or administrator to request a new Virtual Machine deployment from Aria Automation and specify a unique local user account password. Although the input field may be configured to obfuscate the password value in the web UI, the password is still exposed in plain text in the Cloudbase-Init log file, assuming you have used a PowerShell command to set the password. This is just an example scenario: there are numerous reasons you may wish to protect certain input field values.

If we proceed with the current scenario, you can see that we have a few lines of PowerShell code within our Cloudbase-Init code block, which appear as below:

```powershell
# Set Local Administrator password per form input
$localAdminPw = ConvertTo-SecureString '${input.local_acct_pw}' -AsPlainText -Force
Set-LocalUser -Name "MyLocalAdmin" -Password $localAdminPw
```

Unfortunately, this means that the Cloudbase-Init log file will document the literal values passed to it from metadata:

```powershell
# Set Local Administrator password per form input
$localAdminPw = ConvertTo-SecureString 'ThisIsMyPassword' -AsPlainText -Force
Set-LocalUser -Name "MyLocalAdmin" -Password $localAdminPw
```

Obviously, we do not want the password value for the “MyLocalAdmin” user account to be exposed in a plain text log file! At the same time, we do not necessarily want to delete the log file either, because it may contain valuable information we need for troubleshooting deployment issues. Luckily, there is a fairly straightforward (although not foolproof, security-wise) solution to mitigate this concern.

Given that our Cloudbase-Init code block is executing PowerShell code, it stands to reason that we could manipulate the Cloudbase-Init log file using additional lines of code. This is only half the battle, as we still have to work out how to redact only specific pieces of data. Once again, PowerShell has our back – this time by employing Regular Expressions (RegEx). The code block below demonstrates how we can use this concept to our advantage:

```powershell
# Sanitize the Cloudbase-Init log files to ensure secrets are not stored.
# Specify the directory that holds the Cloudbase-Init log files.
$logDir = "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log"
# Specify a RegEx pattern to target:
# the text immediately following "ConvertTo-SecureString " and enclosed in single quotes.
$logPattern = "(?<=ConvertTo-SecureString\s')[^']+"
# Process each .log file on its own. A single wildcard path passed to both
# Get-Content and Set-Content would merge every matching file and write the
# combined content back into each of them.
foreach ($logFile in Get-ChildItem -Path $logDir -Filter *.log -File) {
    # PowerShell reads the log file into memory, one line per element.
    $logContent = Get-Content -Path $logFile.FullName
    # PowerShell searches each line for the defined pattern and replaces the match with "REDACTED".
    $logContent = $logContent -replace $logPattern, "REDACTED"
    # PowerShell saves the changes back to the same log file.
    $logContent | Set-Content -Path $logFile.FullName
}
```

After incorporating the above code into our Cloudbase-Init code block inside the Cloud Template, we can execute a test deployment to review the outcome. Note that the redaction code must be executed after the user account is modified: Cloudbase-Init runs the commands sequentially, so the password is only written to the log once the preceding lines have been processed. The Cloudbase-Init log file should now contain the following information – notice the user account password is now redacted!

```powershell
# Set Local Administrator password per form input
$localAdminPw = ConvertTo-SecureString 'REDACTED' -AsPlainText -Force
Set-LocalUser -Name "MyLocalAdmin" -Password $localAdminPw
```

Note that this is only an excerpt of the Cloudbase-Init log file, which can be lengthy depending on your use case.

We have successfully leveraged PowerShell within the same Cloud Template code block for Cloudbase-Init to manipulate its own log file! Although “more secure” than leaving sensitive fields stored in plain text, this is of course not the “most secure” option. For example, you may consider integrating Aria Operations with a secure password manager. Passwords aside, you can apply similar logic to redact any component of the log file which should not be documented in plain text long term.
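The post's closing point, that the same logic extends to any value that should not persist in the log, is shown below as an added example; it is not code from the original post or from the Cloudbase-Init project. The `Invoke-LogRedaction` function, its parameter names, the second and third patterns (a double-quoted `ConvertTo-SecureString` argument and a password passed positionally to `net user`), and the sample log lines are all assumptions constructed for this demonstration. The function processes each log file separately, returns the number of values it redacted, and the demonstration ends with a check that fails loudly if a known sample secret survived, which is the kind of post-condition you want before the deployment is declared successful.

```powershell
# Added example (not from the original post): generalised redaction helper.
function Invoke-LogRedaction {
    param(
        # Directory holding the Cloudbase-Init logs; the default is the path from the post.
        [string]$LogDirectory = "C:\Program Files\Cloudbase Solutions\Cloudbase-Init\log",
        # Hypothetical pattern set. Each pattern must match ONLY the secret value,
        # so that the surrounding command stays readable for troubleshooting.
        [string[]]$Patterns = @(
            # 'secret' immediately after "ConvertTo-SecureString " (the post's pattern)
            '(?<=ConvertTo-SecureString\s'')[^'']+',
            # "secret" (double quotes) immediately after "ConvertTo-SecureString "
            '(?<=ConvertTo-SecureString\s")[^"]+',
            # password given positionally to "net user <name> <password>"; skips /switches
            '(?<=\bnet\s+user\s+\S+\s+)(?!/)\S+'
        ),
        [string]$Replacement = "REDACTED"
    )

    $totalRedacted = 0
    # One file at a time, so multiple .log files are never merged into each other.
    foreach ($file in Get-ChildItem -Path $LogDirectory -Filter *.log -File) {
        $lines = Get-Content -Path $file.FullName
        $fileCount = 0
        foreach ($pattern in $Patterns) {
            # Count matches with the same case-insensitive semantics that -replace uses.
            $fileCount += [regex]::Matches(($lines -join "`n"), $pattern, 'IgnoreCase').Count
            $lines = $lines -replace $pattern, $Replacement
        }
        # Only rewrite files that actually changed; untouched logs keep their timestamps.
        if ($fileCount -gt 0) {
            $lines | Set-Content -Path $file.FullName
        }
        $totalRedacted += $fileCount
    }
    return $totalRedacted
}

# --- Demonstration against constructed sample log lines (not a real Cloudbase-Init log) ---
$demoDir = Join-Path ([System.IO.Path]::GetTempPath()) "cbi-redact-demo"
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

$sampleLog = @(
    "2024-03-06 10:00:01.000 1234 INFO Executing user data script",
    "  `$localAdminPw = ConvertTo-SecureString 'ThisIsMyPassword' -AsPlainText -Force",
    "  Set-LocalUser -Name ""MyLocalAdmin"" -Password `$localAdminPw",
    "  net user svc_backup Sup3rS3cret /add",
    "2024-03-06 10:00:02.000 1234 INFO Script completed"
)
$demoLog = Join-Path $demoDir "cloudbase-init.log"
$sampleLog | Set-Content -Path $demoLog

$redacted = Invoke-LogRedaction -LogDirectory $demoDir
"Redacted $redacted value(s)"          # expected: 2 (the quoted password and the net user password)
Get-Content -Path $demoLog             # the two commands now read ... 'REDACTED' ... and ... REDACTED /add

# Post-condition: abort if any of the constructed sample secrets is still present.
if (Select-String -Path (Join-Path $demoDir "*.log") -Pattern 'ThisIsMyPassword|Sup3rS3cret' -Quiet) {
    throw "A secret value survived redaction; do not mark this deployment as complete."
}
```

Inside a Cloud Template you would keep only the function and a single call with the default directory, placed after the last command that handles the secret, exactly as the post describes for its simpler version. The final `Select-String` check is deliberately written against the literal sample values here; in a real template the equivalent check would search for the input variable's value, and a failed check is a better outcome than a deployment that silently reports success with the password still on disk.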
