authorChad Smith <chad.smith@canonical.com>2020-03-04 15:19:43 -0700
committerGitHub <noreply@github.com>2020-03-04 15:19:43 -0700
commitfa639704f67539d9c1d8668383f755cb0213fd4a (patch)
tree04dfb98f4a5132b5ba84f7d96836e584aa03f5a6 /cloudinit/sources/__init__.py
parent1d2dfc5d879dc905f440697c2b805c9485dda821 (diff)
instance-data: write redacted cfg to instance-data.json (#233)
When cloud-init persisted instance metadata to instance-data.json, it failed to redact the sensitive value. Currently, the only sensitive key 'security-credentials' is omitted as cloud-init does not fetch this value from IMDS. Fix this by properly redacting the content from the public instance-metadata.json file while retaining the value in the root-only instance-data-sensitive.json file. LP: #1865947
Diffstat (limited to 'cloudinit/sources/__init__.py')
-rw-r--r--cloudinit/sources/__init__.py8
1 files changed, 4 insertions, 4 deletions
diff --git a/cloudinit/sources/__init__.py b/cloudinit/sources/__init__.py
index dd93cfd8..805d803d 100644
--- a/cloudinit/sources/__init__.py
+++ b/cloudinit/sources/__init__.py
@@ -315,12 +315,12 @@ class DataSource(metaclass=abc.ABCMeta):
except UnicodeDecodeError as e:
LOG.warning('Error persisting instance-data.json: %s', str(e))
return False
- json_file = os.path.join(self.paths.run_dir, INSTANCE_JSON_FILE)
- write_json(json_file, processed_data) # World readable
json_sensitive_file = os.path.join(self.paths.run_dir,
INSTANCE_JSON_SENSITIVE_FILE)
- write_json(json_sensitive_file,
- redact_sensitive_keys(processed_data), mode=0o600)
+ write_json(json_sensitive_file, processed_data, mode=0o600)
+ json_file = os.path.join(self.paths.run_dir, INSTANCE_JSON_FILE)
+ # World readable
+ write_json(json_file, redact_sensitive_keys(processed_data))
return True
def _get_data(self):
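Review bot: The `# World readable` comment above the final `write_json(json_file, redact_sensitive_keys(processed_data))` call does not state the invariant this fix restores, so a later reorder could reintroduce the leak; I would replace it with `# World readable: must only ever receive the redacted copy; unredacted data goes to the 0o600 file above`. Writing the sensitive file first also means it receives the full data even if `redact_sensitive_keys` were to modify `processed_data` in place, which cannot be confirmed from this hunk, so the ordering deserves a mention in that comment. The redaction presumably works from a list of known sensitive keys, so a secret stored under an unlisted key would still land in the world-readable file; a unit test that reads both files back and asserts the secret appears only in the sensitive one would guard both calls. The enclosing method starts above the hunk.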