How to ingest variable data like passwords into compute instance when deploying from template

Question

We are trying to figure out how we can create a compute engine template and set some information like passwords with the help of variables in the moment when the final instance is generated by deployment manager, not in the base image. When deploying something from marketplace you can see that passwords are generated by "password.py" and stored as metadata in the VMs template. But i can't find the code that writes this data into the VMs disk image. Could someone explain how this can be achieved?

Edit: I found out that startup scripts are able to read the instance's metadata: https://cloud.google.com/compute/docs/storing-retrieving-metadata Is this how they do it in marketplace click-to-deploy scripts like https://console.cloud.google.com/marketplace/details/click-to-deploy-images/wordpress ? Or is there an even better way to accomplish this?

Answer 1

The best way is to use the metadata server.

In a star-up script, use this to recover all the attributes of your VM.

curl  -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetada
ta/v1/instance/attributes/"

Then, do what you want with it

Don't forget to delete secret from metadata after their use. Or change them on the compute. Secrets must be stay secret.

---

By the way, I would to recommand you to have a look to another things: berglas. Berglas is made by a Google Developer Advocate, specialized in security: Seth Vargo. In summary the principle:

• Bootstrap a bucket with Berglas
• Create a secret in this Bucket ith Berglas
• Pass the reference to this secret in your compute Metadata (berglas://<my_bucket>/<my secret name>)
• Use berglas in start up script to resolve secret.

All this action are possible in command line, thus an integration in a script is possible.

Answer 2

You can use python templates , this give you more flexibility. In your YAML you can call the python script to fill the necessary information, from documentation:

imports:
- path: vm-template.py

resources:
- name: vm-1
  type: vm-template.py
- name: a-new-network
  type: compute.v1.network
  properties:
    routingConfig:
      routingMode: REGIONAL
    autoCreateSubnetworks: true

Where vm-template.py it's a python script:

    """Creates the virtual machine."""

COMPUTE_URL_BASE = 'https://www.googleapis.com/compute/v1/'


def GenerateConfig(unused_context):
  """Creates the first virtual machine."""

  resources = [{
      'name': 'the-first-vm',
      'type': 'compute.v1.instance',
      'properties': {
          'zone': 'us-central1-f',
          'machineType': ''.join([COMPUTE_URL_BASE, 'projects/[MY_PROJECT]',
                                  '/zones/us-central1-f/',
                                  'machineTypes/f1-micro']),
          'disks': [{
              'deviceName': 'boot',
              'type': 'PERSISTENT',
              'boot': True,
              'autoDelete': True,
              'initializeParams': {
                  'sourceImage': ''.join([COMPUTE_URL_BASE, 'projects/',
                                          'debian-cloud/global/',
                                          'images/family/debian-9'])
              }
          }],
          'networkInterfaces': [{
              'network': '$(ref.a-new-network.selfLink)',
              'accessConfigs': [{
                  'name': 'External NAT',
                  'type': 'ONE_TO_ONE_NAT'
              }]
          }]
      }
  }]
  return {'resources': resources}

Now for the password it depends which VM you are using, Windows or Linux.

Linux you can add a startup script which inject a ssh public key.

Windows you can first prepare the proper key, see this Automate password generation