no-plaintext-password
Default Severity: medium
Explanation
Assigning a password to the compute instance using plaintext could lead to compromise; it would be preferable to use key-pairs as a login mechanism
Possible Impact
Including a plaintext password could lead to compromised instance
Suggested Resolution
Do not use plaintext passwords in terraform files
Insecure Example
The following example will fail the openstack-compute-no-plaintext-password check.
resource "openstack_compute_instance_v2" "bad_example" {
name = "basic"
image_id = "ad091b52-742f-469e-8f3c-fd81cadf0743"
flavor_id = "3"
admin_pass = "N0tSoS3cretP4ssw0rd"
security_groups = ["default"]
user_data = "#cloud-config\nhostname: instance_1.example.com\nfqdn: instance_1.example.com"
network {
name = "my_network"
}
}
Secure Example
The following example will pass the openstack-compute-no-plaintext-password check.
resource "openstack_compute_instance_v2" "good_example" {
name = "basic"
image_id = "ad091b52-742f-469e-8f3c-fd81cadf0743"
flavor_id = "3"
key_pair = "my_key_pair_name"
security_groups = ["default"]
user_data = "#cloud-config\nhostname: instance_1.example.com\nfqdn: instance_1.example.com"
network {
name = "my_network"
}
}