Terraform Connector documentation results in insecure install

This is regarding the guide here:

It recommends deploying the connector instance using this code:

resource "aws_instance" "twingate_connector" {
  ami           = data.aws_ami.twingate.id
  instance_type = "t3.micro"
  associate_public_ip_address = true
  key_name = aws_key_pair.ssh_access_key.key_name

  user_data = <<-EOT
    #!/bin/bash
    set -e
    mkdir -p /etc/twingate/
    {
      echo TWINGATE_URL="https://${var.tg_network}.twingate.com"
      echo TWINGATE_ACCESS_TOKEN="${twingate_connector_tokens.aws_connector_tokens.access_token}"
      echo TWINGATE_REFRESH_TOKEN="${twingate_connector_tokens.aws_connector_tokens.refresh_token}"
    } > /etc/twingate/connector.conf
    sudo systemctl enable --now twingate-connector
  EOT

  subnet_id              = aws_subnet.main.id

  tags = {
    "Name" = "Twingate Connector"
  }
}

However, this puts the values of both the access token and the refresh token in plain text inside the user data of the EC2 instance. Thus, anyone with ReadOnlyAccess to the AWS account can see the values of both tokens.

hi @pdevaastra,

Thank you for sharing your feedback! I’ve put in an internal request to amend the documentation.

Hi @Bren – I’m following up on this topic. I’m working on Terraform code to deploy the connector in AWS. The TF code is based on the guide, but my plan is to store the tokens in AWS Secrets Manager; the EC2 instance will be granted permission to fetch them. The startup script needs a very small modification (install the AWS CLI + jq, fetch the secrets), but everything else works pretty much untouched. I’ve tested this out locally, and it works fine.

I have a question about the lifetime of the Refresh Token, though. I think of the term “refresh token” as implying a short lifetime (hours, days); if that’s the case, then my approach will only work until that Refresh Token expires. However, Updating Connectors | Docs implies that the Refresh Token does not expire:

Connectors are uniquely identified by the tokens individually assigned to them. When updating a Connector, ensure that the same tokens are retained during the update process, otherwise new tokens will need to be provisioned.

Can you clarify whether the Refresh token expires? If I’ve misunderstood anything, or if you need any further information, please let me know.

Thanks in advance for any help you can offer!
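The layout described in the post above (tokens in Secrets Manager, instance role allowed to read them, startup script fetching them), written out as an added example. This is not code from the guide, from Twingate, or from either poster. It reuses the identifiers from the snippet quoted earlier in the thread (`var.tg_network`, `data.aws_ami.twingate`, `aws_key_pair.ssh_access_key`, `aws_subnet.main`, `twingate_connector_tokens.aws_connector_tokens`); the names prefixed `example_`, the use of the `aws_region` data source, and the Debian/Ubuntu `apt-get` package commands are assumptions.

```hcl
# Added example, not the guide's code. Names prefixed "example_" and the
# apt-get package install are assumptions; adjust for your AMI.

data "aws_region" "current" {}

# The tokens live only here (and, as with any Terraform-managed secret,
# in the state file), not in the instance's user data.
resource "aws_secretsmanager_secret" "example_connector" {
  name = "twingate/connector/${var.tg_network}"
}

resource "aws_secretsmanager_secret_version" "example_connector" {
  secret_id = aws_secretsmanager_secret.example_connector.id
  secret_string = jsonencode({
    access_token  = twingate_connector_tokens.aws_connector_tokens.access_token
    refresh_token = twingate_connector_tokens.aws_connector_tokens.refresh_token
  })
}

# Role the instance assumes; it may read exactly this one secret and nothing else.
resource "aws_iam_role" "example_connector" {
  name = "twingate-connector-example"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy" "example_read_secret" {
  role = aws_iam_role.example_connector.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = "secretsmanager:GetSecretValue"
      Resource = aws_secretsmanager_secret.example_connector.arn
    }]
  })
}

resource "aws_iam_instance_profile" "example_connector" {
  name = "twingate-connector-example"
  role = aws_iam_role.example_connector.name
}

resource "aws_instance" "twingate_connector" {
  ami                         = data.aws_ami.twingate.id
  instance_type               = "t3.micro"
  associate_public_ip_address = true
  key_name                    = aws_key_pair.ssh_access_key.key_name
  subnet_id                   = aws_subnet.main.id
  iam_instance_profile        = aws_iam_instance_profile.example_connector.name

  # Require IMDSv2 so the role credentials cannot be fetched with a plain GET.
  metadata_options {
    http_tokens = "required"
  }

  # Only the secret's ARN reaches user data; the token values do not.
  # Shell "$VAR" and "$(...)" are left alone by Terraform; only "${" interpolates.
  user_data = <<-EOT
    #!/bin/bash
    set -euo pipefail
    # Assumption: Debian/Ubuntu-based AMI.
    apt-get update -y
    apt-get install -y awscli jq
    mkdir -p /etc/twingate/
    SECRET_JSON="$(aws secretsmanager get-secret-value \
      --region ${data.aws_region.current.name} \
      --secret-id ${aws_secretsmanager_secret.example_connector.arn} \
      --query SecretString --output text)"
    # umask 077 makes the config file 0600 at creation, not after the fact.
    umask 077
    {
      echo TWINGATE_URL="https://${var.tg_network}.twingate.com"
      echo TWINGATE_ACCESS_TOKEN="$(echo "$SECRET_JSON" | jq -r .access_token)"
      echo TWINGATE_REFRESH_TOKEN="$(echo "$SECRET_JSON" | jq -r .refresh_token)"
    } > /etc/twingate/connector.conf
    unset SECRET_JSON
    systemctl enable --now twingate-connector
  EOT

  tags = {
    "Name" = "Twingate Connector"
  }
}
```

What this changes is who can read the tokens: instead of anyone allowed to call `ec2:DescribeInstanceAttribute` on the instance, only principals granted `secretsmanager:GetSecretValue` on that one secret ARN (here, the instance role). The tokens still appear in Terraform state, so the state backend needs the same access control as the secret. Because the thread confirms the refresh token does not expire, the secret does not need a rotation schedule for the connector to keep working; if the connector is ever re-provisioned with new tokens, the secret version is what changes, not the instance definition.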

Hi @SaintAardvark,

The Refresh Token indeed does not expire, so you should be all set.

Thank you!