Provide an option to disable password auth for database users
Currently, it is not possible to securely create a user in a terraform DevOps pipeline, since "Passwords may show up in Terraform related logs" according to the documentation. If the password was no longer required to create a user, we could avoid this issue by only using certificate authentication.
-
AdminZuhair (Admin, MongoDB) commented
Hi Philipp, we now have several mechanisms for creating the resource `mongodbatlas_database_user` without having to input a password (which, as you correctly mention, will end up in the Terraform state file and logs in clear text). These include creating database users via x509 type, IAM type, LDAP auth type, and most recently OIDC auth type. Hope this helps.
https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/database_user
-
William commented
Agree. I think it should be possible to use a `random_password` resource or a fixed initial password secret, then change it out of band, and use a lifecycle policy to prevent changes after the resource changes. But it would be much cleaner if the provider could set an empty or random password on resource creation, so that the password could be managed out of band vs. having to define the resource with a password, then removing the password resource later.
Even in the case of using a secure backend for the password, it will end up being viewable in cleartext in the (unencrypted) state, so not ideal.
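The two approaches discussed in this thread (the admin's X.509 user and William's `random_password` plus `ignore_changes` workaround) side by side, as an added Terraform snippet that is not code from the thread or from the provider's documentation; `var.project_id`, the usernames and the role/database names are placeholders:

```hcl
# Added example, not from the thread. Placeholders: var.project_id, usernames, roles.

variable "project_id" {
  type = string
}

# Option 1: an X.509 user has no password attribute at all, so nothing secret
# reaches Terraform state or logs. Certificate users live in the "$external"
# auth database; x509_type = "MANAGED" uses an Atlas-managed CA and the
# username becomes the certificate's common name ("CUSTOMER" expects the DN
# of a customer-provided certificate instead).
resource "mongodbatlas_database_user" "cert_reader" {
  project_id         = var.project_id
  username           = "app-reader"
  auth_database_name = "$external"
  x509_type          = "MANAGED"

  roles {
    role_name     = "read"
    database_name = "inventory"
  }
}

# Option 2: bootstrap with a generated throwaway password, rotate it out of
# band, and let Terraform ignore later password drift. The initial value is
# still written to state, so the state backend must be treated as sensitive.
resource "random_password" "initial" {
  length  = 32
  special = false
}

resource "mongodbatlas_database_user" "pw_reader" {
  project_id         = var.project_id
  username           = "app-reader-bootstrap"
  auth_database_name = "admin"
  password           = random_password.initial.result

  roles {
    role_name     = "read"
    database_name = "inventory"
  }

  lifecycle {
    ignore_changes = [password]
  }
}
```

After `terraform apply`, check with `terraform state pull` which of the two users carries a `password` value: only the second one does, which is the exposure the original post is asking to avoid.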