EC2 AWS Launch Template Resource - User Data Storage

I am trying to understand how the “user_data” property is stored within the “aws_launch_template” Resource, and how I can pass variables within it securely and without them expiring.

To expand upon that, if I used String Interpolation in the Terraform script’s “user_data” property to inject a variable into an environment variable within a generated EC2 (by the Autoscaling Group), where does that interpolated “user_data” get stored?

If I inject a token into an EC2 instance’s environment variable for my application to access a database or an API, how do I update that value within the “user_data” property for future scale-initiated EC2 instances to use?

Is the simpler option to redeploy and let Terraform notice the difference in the state and update accordingly (then manually connect to already deployed instances and change the environment variable from within)?

Even if I did secure database / API tokens in a third party service or AWS storage, how would I correctly / securely connect to that service through a generated EC2 instance? Wouldn’t that lead to the same problem, just with an extra step?

The preferred way to store secrets for use by EC2 is to use SSM parameter store or Secrets Manager.

Your user data script can absolutely pull the values from these stores, and you can put the secret ID/parameter name into your user data script with no secure information leak.

If I understand correctly what you’re asking, create an iam_role with rights to access the secret and attach it to your instances with an instance profile - also specified in the launch template.
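An added example (not code from the thread) of what the answer describes in Terraform: the IAM role and instance profile attached via the launch template, and user data that reads the secret at boot from SSM Parameter Store instead of carrying it. The names /myapp/db_token and myapp-ec2 and the variables region, account_id and ami_id are assumptions.

```hcl
# Added example, not code from the original thread. Assumed names:
# parameter /myapp/db_token, role myapp-ec2, vars region/account_id/ami_id.
resource "aws_iam_role" "app" {
  name = "myapp-ec2"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "sts:AssumeRole",
                   Principal = { Service = "ec2.amazonaws.com" } }]
  })
}

# Least privilege: the role may read exactly one parameter. A SecureString
# encrypted with a customer-managed KMS key would also need kms:Decrypt.
resource "aws_iam_role_policy" "read_token" {
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "ssm:GetParameter",
      Resource = "arn:aws:ssm:${var.region}:${var.account_id}:parameter/myapp/db_token" }]
  })
}

resource "aws_iam_instance_profile" "app" {
  name = "myapp-ec2"
  role = aws_iam_role.app.name
}

resource "aws_launch_template" "app" {
  name_prefix   = "myapp-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  iam_instance_profile { name = aws_iam_instance_profile.app.name }

  # Only the parameter name is baked in; the value is fetched at boot, so it
  # never reaches Terraform state, the console, or launch template history.
  # Rotating the token = updating the parameter; new instances pick it up.
  user_data = base64encode(<<-EOF
    #!/bin/bash
    set -euo pipefail
    TOKEN=$(aws ssm get-parameter --region ${var.region} \
      --name /myapp/db_token --with-decryption \
      --query Parameter.Value --output text)
    install -d -m 0700 /etc/myapp
    (umask 077; printf 'DB_TOKEN=%s\n' "$TOKEN" > /etc/myapp/env)
    systemctl restart myapp
  EOF
  )
}
```

Instances already running keep the token they read at boot, so after updating the parameter either re-run the fetch on them or let the Auto Scaling Group replace them (an instance refresh) rather than editing environment variables by hand.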