From 66a428bcf008e804c1ef2accedb2dd1378e319a7 Mon Sep 17 00:00:00 2001
From: Brian Joerger
Date: Thu, 11 Aug 2022 09:32:20 -0700
Subject: [PATCH] Use Debug flag in aws scripts (#15407)

Wrap set -x with DEBUG check to prevent inadvertently logging secrets, such as join tokens held in the /etc/teleport.d/conf.
---
 assets/aws/files/bin/teleport-all-pre-start | 4 +++-
 assets/aws/files/bin/teleport-check-cert | 5 +++--
 assets/aws/files/bin/teleport-get-cert | 4 +++-
 assets/aws/files/bin/teleport-lock | 5 ++++-
 assets/aws/files/bin/teleport-renew-cert | 4 +++-
 assets/aws/files/bin/teleport-upload-cert | 4 +++-
 assets/aws/files/install.sh | 4 +++-
 7 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/assets/aws/files/bin/teleport-all-pre-start b/assets/aws/files/bin/teleport-all-pre-start
index ca0ed7c8c4a68..bdfc3be56a848 100755
--- a/assets/aws/files/bin/teleport-all-pre-start
+++ b/assets/aws/files/bin/teleport-all-pre-start
@@ -1,7 +1,9 @@
 #!/bin/bash
 # This script prepares a Letsencrypt certificate before all-in-one Teleport starts for the first time (if needed)
 set -e
-set -x
+if [[ "${DEBUG}" == "true" ]]; then
+  set -x
+fi
 
 # Source variables from user-data (if present)
 if [ -f /etc/teleport.d/conf ]; then
diff --git a/assets/aws/files/bin/teleport-check-cert b/assets/aws/files/bin/teleport-check-cert
index 2118a8d3d4fd5..c134b71f5c043 100755
--- a/assets/aws/files/bin/teleport-check-cert
+++ b/assets/aws/files/bin/teleport-check-cert
@@ -2,8 +2,9 @@
 # This script is called hourly to check if the certificate
 # has been renewed on S3 and if it has been renewed, restart teleport proxies
 
-
-set -x
+if [[ "${DEBUG}" == "true" ]]; then
+  set -x
+fi
 
 # Source variables from user-data
 . /etc/teleport.d/conf
diff --git a/assets/aws/files/bin/teleport-get-cert b/assets/aws/files/bin/teleport-get-cert
index ffff08dc35e34..d95c2a719c81d 100755
--- a/assets/aws/files/bin/teleport-get-cert
+++ b/assets/aws/files/bin/teleport-get-cert
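Review bot: With DEBUG=true the trace still captures the very secrets this commit is meant to keep out of the logs, because `set -x` is turned on before `/etc/teleport.d/conf` is sourced and bash echoes every assignment executed from a sourced file (the join token named in the description included) to stderr. Suspending tracing around the sourcing keeps debug output usable without reprinting the file's contents; in teleport-check-cert the sourcing line would become `set +x; . /etc/teleport.d/conf; if [[ "${DEBUG}" == "true" ]]; then set -x; fi`, and the same applies to the get-cert, lock, renew-cert and upload-cert hunks, which all source the file right after the new guard. In teleport-all-pre-start the `if [ -f /etc/teleport.d/conf ]` block that does the sourcing continues outside the hunk, so the equivalent change would land inside that block.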
@@ -4,7 +4,9 @@
 # to prove to letsencrypt that they own the domain.
 
 set -e
-set -x
+if [[ "${DEBUG}" == "true" ]]; then
+  set -x
+fi
 
 # Source variables from user-data
 . /etc/teleport.d/conf
diff --git a/assets/aws/files/bin/teleport-lock b/assets/aws/files/bin/teleport-lock
index 334e771af7855..45ae55df5f9fd 100755
--- a/assets/aws/files/bin/teleport-lock
+++ b/assets/aws/files/bin/teleport-lock
@@ -2,8 +2,11 @@
 # Locking service makes sure that there is only one auth server performing certain action,
 # for example renewing or getting letsencrypt certificates
 
-set -x
 set -e
+if [[ "${DEBUG}" == "true" ]]; then
+  set -x
+fi
+
 # Source variables from user-data
 . /etc/teleport.d/conf
 
diff --git a/assets/aws/files/bin/teleport-renew-cert b/assets/aws/files/bin/teleport-renew-cert
index 082144529302b..603f5fecdf5ce 100755
--- a/assets/aws/files/bin/teleport-renew-cert
+++ b/assets/aws/files/bin/teleport-renew-cert
@@ -4,7 +4,9 @@
 # needs renewal, and renews the cert after that
 
 set -e
-set -x
+if [[ "${DEBUG}" == "true" ]]; then
+  set -x
+fi
 
 # Source variables from user-data
 . /etc/teleport.d/conf
diff --git a/assets/aws/files/bin/teleport-upload-cert b/assets/aws/files/bin/teleport-upload-cert
index 54f35987305f2..19e7d2c3a24a9 100755
--- a/assets/aws/files/bin/teleport-upload-cert
+++ b/assets/aws/files/bin/teleport-upload-cert
@@ -2,7 +2,9 @@
 # This script is called to upload renewed cert
 # to the S3 bucket
 set -e
-set -x
+if [[ "${DEBUG}" == "true" ]]; then
+  set -x
+fi
 
 # Source variables from user-data
 . /etc/teleport.d/conf
diff --git a/assets/aws/files/install.sh b/assets/aws/files/install.sh
index 5b6f8c155b2f2..6e7af8b07706a 100644
--- a/assets/aws/files/install.sh
+++ b/assets/aws/files/install.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
-set -x
+if [[ "${DEBUG}" == "true" ]]; then
+  set -x
+fi
 
 # Update packages
 yum -y update
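Review bot: The new guard in install.sh (and identically in the get-cert, lock, renew-cert and upload-cert hunks above it) is undocumented, so a reader cannot tell that it fires only on the exact string `true` or that DEBUG has to arrive through the process environment; in the four service scripts the test runs before `/etc/teleport.d/conf` is sourced, so a DEBUG=true line placed in that file would presumably never take effect, and install.sh sources no file at all in view. A one-line comment above the `if` would make the contract explicit, e.g. `# Tracing is opt-in: set DEBUG=true in the environment to enable set -x (it would otherwise log secrets).` Since the same three lines are now repeated verbatim in seven scripts, the comment also serves as a marker for anyone who later has to change the guard in all of them at once.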