cloud-init and account-expiry

Posted on

Recently, a new customer asked me to automate a platform-deployment for them because I'd done similar for another organization they do business with.

I generally configure my automation to use #cloud-init to override the AMI's default-user's name (why let attackers know what EC2 account to attack just because it's set to something in the AMI?) Normally, this isn't a problem.

Unfortunately, the new customer bakes a lot of security-settings into their AWS machine images. One of these is setting maximum password-age and expiring the account after N days of inactivity. As a further part of their bake-in, they pre-create the EC2's default user in the AMI (rather than relying on cloud-init to do it at launch-time). Part of that pre-creation specifically exempts their default-user from the aging/expiry.

Didn't really discover any of this until I powered on a testing-cluster that I'd built back in mid-January and got the dreaded, "our account has expired; please contact your system administrator" message.

In looking through both the Red Hat documents and the upstream cloud-init project's documents, it looks like, if I have a stanza similar to:

#cloud-config
system_info:
  default_user:
    name: maintenance

users:
  - default

chpasswd: {expire: False}

It ought to override the security-defaults when cloud-init creates the default user. Unfortunately, this doesn't seem to actually work. Thus far, the only thing that seems to work is to use a Content-Type: multipart/mixed (multipart-MIME) userData document and put a chage … in a #!/bin/bash block that executes after the #cloud-config block executes. I'd like to avoid having to do two-part execution-sequence processe. So, I have to ask, "am I botching the usage of the chpasswd parameter or is cloud-init not doing what it ought to?"