This is regarding the guide here:
It recommends deploying the connector instance using this code:
resource "aws_instance" "twingate_connector" {
  ami                         = data.aws_ami.twingate.id
  instance_type               = "t3.micro"
  associate_public_ip_address = true
  key_name                    = aws_key_pair.ssh_access_key.key_name
  user_data                   = <<-EOT
    #!/bin/bash
    set -e
    mkdir -p /etc/twingate/
    {
      echo TWINGATE_URL="https://${var.tg_network}.twingate.com"
      echo TWINGATE_ACCESS_TOKEN="${twingate_connector_tokens.aws_connector_tokens.access_token}"
      echo TWINGATE_REFRESH_TOKEN="${twingate_connector_tokens.aws_connector_tokens.refresh_token}"
    } > /etc/twingate/connector.conf
    sudo systemctl enable --now twingate-connector
  EOT
  subnet_id                   = aws_subnet.main.id
  tags = {
    "Name" = "Twingate Connector"
  }
}
However, this puts the values of both the access token and the refresh token in plain text inside the user data of the EC2 instance. Thus anyone with ReadOnlyAccess to the AWS account can see the values of both tokens.
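Added example, not from the Twingate guide or the Twingate provider: the same connector instance with the tokens moved into an SSM SecureString parameter that only the instance role may read, so the user data carries no secret. The parameter path, role and profile names are assumed, the AMI is assumed to ship the AWS CLI, and arguments unchanged from the guide (key pair, public IP, tags) are omitted.

```hcl
# Added example, not from the Twingate guide; role, profile and parameter names are assumed.
resource "aws_ssm_parameter" "tg_connector_conf" {
  name  = "/twingate/connector/conf"   # assumed path; the secrets live here, not in user data
  type  = "SecureString"
  value = <<-EOT
    TWINGATE_URL=https://${var.tg_network}.twingate.com
    TWINGATE_ACCESS_TOKEN=${twingate_connector_tokens.aws_connector_tokens.access_token}
    TWINGATE_REFRESH_TOKEN=${twingate_connector_tokens.aws_connector_tokens.refresh_token}
  EOT
}
# Instance role that may read only that one parameter.
resource "aws_iam_role" "tg_connector" {
  name = "twingate-connector"   # assumed name
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "ec2.amazonaws.com" } }]
  })
}
# Add kms:Decrypt on the key as well if the parameter uses a customer-managed KMS key.
resource "aws_iam_role_policy" "tg_read_conf" {
  role = aws_iam_role.tg_connector.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "ssm:GetParameter",
                   Resource = aws_ssm_parameter.tg_connector_conf.arn }]
  })
}
resource "aws_iam_instance_profile" "tg_connector" {
  name = "twingate-connector"   # assumed name
  role = aws_iam_role.tg_connector.name
}
resource "aws_instance" "twingate_connector" {
  ami                  = data.aws_ami.twingate.id
  instance_type        = "t3.micro"
  subnet_id            = aws_subnet.main.id
  iam_instance_profile = aws_iam_instance_profile.tg_connector.name
  # User data now carries only the parameter name; assumes the AWS CLI is on the AMI.
  user_data = <<-EOT
    #!/bin/bash
    set -euo pipefail
    mkdir -p /etc/twingate/
    aws ssm get-parameter --name "${aws_ssm_parameter.tg_connector_conf.name}" \
      --with-decryption --query Parameter.Value --output text > /etc/twingate/connector.conf
    chmod 600 /etc/twingate/connector.conf
    systemctl enable --now twingate-connector
  EOT
}
```

The tokens still sit in Terraform state and in SSM, so protect the state backend, and consider setting a customer-managed KMS key via `key_id` so that decrypting the parameter requires an explicit kms:Decrypt grant rather than ssm:GetParameter alone.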