Add support for ephemeral password input in mongodbatlas_database_user resources
Terraform v1.10 added ephemeral resources that are not persisted in state, and v1.11 then added support for write-only resource attributes. To make use of this new resource type, resources must take a write-only input for applicable variables.
To make use of this in `mongodbatlas_database_user`, I propose adding an alternative `password_wo` input that is mutually exclusive with the existing `password` input, along with a supplementary `password_wo_version` value that will trigger a change if required (this is the pattern used in `aws_secretsmanager_secret_version`).
The database user could then be configured as such, without the password being present in the terraform state:
```hcl
variable "password_version" {
  description = "Used to track changes to the password"
  type        = number
  default     = 0
}

ephemeral "random_password" "example" {
  length           = 16
  special          = true
  override_special = "!#$%&*()-_=+[]"
}

resource "mongodbatlas_database_user" "example" {
  username            = "example"
  password_wo         = ephemeral.random_password.example.result
  password_wo_version = var.password_version
  ...
}
```
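As an added example (not part of this issue or of the provider's code), a check a reviewer can run over a raw `terraform.tfstate` to confirm whether the password really stayed out of state: it flags the existing `password` attribute whenever it is persisted, and the proposed `password_wo` if it ever shows up there. Resource and attribute names are taken from the proposal above; the two state documents are constructed samples.

```python
import json

# Resource type and attribute names come from the proposal above.
TRACKED_TYPE = "mongodbatlas_database_user"
STORED_SECRET_ATTRS = ("password",)   # existing input, persisted to state
WRITE_ONLY_ATTRS = ("password_wo",)   # proposed input, must never reach state


def find_secrets_in_state(state_json: str) -> list:
    """Walk a raw terraform.tfstate (state format version 4) and report each
    mongodbatlas_database_user instance that still carries a plaintext
    password, or that unexpectedly persisted a write-only attribute.
    Marking an attribute sensitive only redacts CLI output; the value is still
    written to state in clear, which is exactly what this check looks for."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        if res.get("type") != TRACKED_TYPE:
            continue
        address = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for key in STORED_SECRET_ATTRS + WRITE_ONLY_ATTRS:
                if attrs.get(key) not in (None, ""):
                    findings.append({"address": address, "attribute": key,
                                     "write_only": key in WRITE_ONLY_ATTRS})
    return findings


# Constructed sample states (not real state files): the first uses the
# existing `password` input, the second the proposed write-only pattern.
STATE_WITH_PASSWORD = json.dumps({"version": 4, "resources": [{
    "type": TRACKED_TYPE, "name": "example", "instances": [{"attributes": {
        "username": "example", "password": "hunter2-plaintext"}}]}]})

STATE_WRITE_ONLY = json.dumps({"version": 4, "resources": [{
    "type": TRACKED_TYPE, "name": "example", "instances": [{"attributes": {
        "username": "example", "password": None, "password_wo": None,
        "password_wo_version": 1}}]}]})

if __name__ == "__main__":
    print(find_secrets_in_state(STATE_WITH_PASSWORD))  # one finding: password
    print(find_secrets_in_state(STATE_WRITE_ONLY))     # []
```

Run it against a real state file with `find_secrets_in_state(open("terraform.tfstate").read())`; an empty result for the write-only configuration is the property the proposal is after.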

-
Adding support for ephemeral values is on our roadmap. Once we get closer to work we'll update this entry. Thank you!
-
Aris commented
It goes without saying that this is the most critical security issue in the provider. Ideally everyone would use OIDC or any other way for temporary credentials, but that is not always possible.