How do you encrypt ApiKey for cTentacleAgent #285

@bigbearzhu

Description

Hi,

I'm following the instructions here to try to install Tentacle on an Azure VM using Set-AzVMDscExtension. I found that, even though the installed Tentacle agent doesn't store the API key in plain text, the MOF file compiled during the DSC extension deployment still contains the API key in plain text. The compiled MOF file is stored under a folder on the Azure VM, which can be a big security concern:

C:\Packages\Plugins\Microsoft.Powershell.DSC\2.xx.1.0\DSCWork\...

So my question is: do we have any way to encrypt the API key, because it is sensitive? Or should cTentacleAgent take in a SecureString instead of a String? I would think going through an ARM template would still have the same issue.

Thanks!

Example configuration ps1:

configuration OctopusTentacle
{
    param (
        [Parameter(Mandatory=$true)]
        $DisplayName, 
        [Parameter(Mandatory=$true)]
        $OctopusServerUrl,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullorEmpty()]
        [PSCredential]
        $ApiKey, 
        [Parameter(Mandatory=$true)]
        $Environments, 
        [Parameter(Mandatory=$true)]
        $Roles, 
        [Parameter(Mandatory=$true)]
        $ServerPort
    )

    Import-DscResource -Module OctopusDSC

    Node "localhost"
    {
        cTentacleAgent OctopusTentacle
        {
            Ensure = "Present"
            State = "Started"

            # Tentacle instance name. Leave it as 'Tentacle' unless you have more
            # than one instance
            Name = "Tentacle"
            DisplayName = $DisplayName

            # Registration - all parameters required
            OctopusServerUrl = $OctopusServerUrl
            ApiKey = $ApiKey.GetNetworkCredential().Password
            Environments = $Environments
            Roles = $Roles

            # How Tentacle will communicate with the server
            CommunicationMode = "Poll"
            ServerPort = $ServerPort

            # Where deployed applications will be installed by Octopus
            DefaultApplicationDirectory = "C:\Applications"

            # Where Octopus should store its working files, logs, packages etc
            TentacleHomeDirectory = "C:\Octopus"
        }
    }
}

Code to push the dsc extension:

Function ConfigureVMTentacleExtension {
    Param(
        [Parameter(Mandatory = $true)]
        [String]$ResourceGroupName,
        [Parameter(Mandatory = $true)]
        [String]$VMName,
        [Parameter(Mandatory = $true)]
        [String]$OctopusServerUrl,
        [Parameter(Mandatory = $true)]
        [String]$OctopusApiKey,
        [Parameter(Mandatory = $true)]
        [String]$Environment,
        [Parameter(Mandatory = $true)]
        [String]$Role,
        [Parameter(Mandatory = $true)]
        [Int32]$Port,
        [Parameter(Mandatory = $true)]
        [String]$StorageResourceGroup,
        [Parameter(Mandatory = $true)]
        [string]$StorageAccountName
    )    

    . ".\GetOrInstallModule.ps1"
    GetOrInstallModule -ModuleName "OctopusDSC"

    Publish-AzVMDscConfiguration .\OctopusTentacleConfiguration.ps1 -StorageAccountName $StorageAccountName -ResourceGroupName $StorageResourceGroup -Force
    
    $configurationArgument = @{
        OctopusServerUrl = $OctopusServerUrl; 
        # https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-credentials,
        # FIXME, However, the Octopus dsc only takes in plain text ApiKey, which would still be a security problem.
        # https://github.com/OctopusDeploy/OctopusDSC/issues/285
        ApiKey           = [PSCredential]::new("ApiKey", $(ConvertTo-SecureString $OctopusApiKey -AsPlainText -Force));
        Environments     = @($environment);
        Roles            = @($Role);
        ServerPort       = $Port;
        DisplayName      = $VMName
    } 

    Set-AzVMDscExtension -ArchiveResourceGroupName $StorageResourceGroup `
        -ArchiveStorageAccountName $StorageAccountName `
        -ArchiveContainerName "windows-powershell-dsc" <# created automatically by Publish-AzVMDscConfiguration #> `
        -ArchiveBlobName "OctopusTentacleConfiguration.ps1.zip" <# created automatically by Publish-AzVMDscConfiguration #> `
        -ResourceGroupName $ResourceGroupName `
        -VMName $VMName `
        -ConfigurationArgument $configurationArgument `
        -Version 2.83 -AutoUpdate `
        -Name "OctopusTentacle" `
        -ConfigurationName "OctopusTentacle"
}
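An added defender-side check, not code from the issue or from OctopusDSC: it walks the DSC extension's working folder named above and reports any compiled MOF in which the cTentacleAgent ApiKey property was serialised as an inline string, which is what happens when a PSCredential is unwrapped into a String-typed resource property. The root path and property name are taken from the post; the function name is my own, and it reports only a hash prefix of the value, never the key itself.

```powershell
function Find-PlainTextApiKeyInMof {
    [CmdletBinding()]
    param(
        # Working folder of the Azure DSC extension (path from the issue); each
        # deployment leaves its compiled localhost.mof somewhere beneath it.
        [string]$DscWorkRoot = 'C:\Packages\Plugins\Microsoft.Powershell.DSC',
        # Resource property to inspect; 'ApiKey' is the cTentacleAgent property above.
        [string]$PropertyName = 'ApiKey'
    )

    # In a compiled MOF a String-typed property is written as:
    #   ApiKey = "the-value";
    # whereas a PSCredential-typed property is written as a reference to a nested
    # MSFT_Credential instance. A quoted literal on the property line therefore
    # means the secret is sitting in the file in plain text.
    $pattern = '^\s*' + [regex]::Escape($PropertyName) + '\s*=\s*"(?<value>[^"]*)"\s*;'

    Get-ChildItem -Path $DscWorkRoot -Recurse -Filter '*.mof' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Select-String -Path $file.FullName -Pattern $pattern |
                ForEach-Object {
                    $value = $_.Matches[0].Groups['value'].Value
                    # Hash the value so the finding can be logged without copying the key.
                    $bytes  = [Text.Encoding]::UTF8.GetBytes($value)
                    $stream = [IO.MemoryStream]::new($bytes)
                    $digest = (Get-FileHash -InputStream $stream -Algorithm SHA256).Hash
                    $stream.Dispose()
                    [pscustomobject]@{
                        MofFile      = $file.FullName
                        Line         = $_.LineNumber
                        Property     = $PropertyName
                        ValueLength  = $value.Length
                        ValueSha256  = $digest.Substring(0, 12)
                    }
                }
        }
}

# Run on the VM as an administrator after the extension has applied; an empty
# result means no MOF under the root carries the property as a plain string.
Find-PlainTextApiKeyInMof | Format-Table -AutoSize
```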
