MongoByte MongoDB Logo

Welcome to the new MongoDB Feedback Portal!

{Improvement: "Your idea"}
We’ve upgraded our system to better capture and act on your feedback.
Your feedback is meaningful and helps us build better products.

Add new feedback Subscribe
Status Will Not Implement
Categories Atlas
Created by Guest
Created on Nov 27, 2020

RELATED FEEDBACK

Provide an option to disable password auth for database users

Currently, it is not possible securely create a user in a terraform DevOps pipeline, since "Passwords may show up in Terraform related logs" according to the documentation. If the password was no longer required to create a user, we could avoid this issue by only using certificate authentication.
  • Attach files
  • Guest
    Jan 1, 2024
    Hi Philipp we now have several mechanisms for creating Resource: mongodbatlas_database_user without having to input Password (which as you correctly mention will end up in Terraform State file and logs in clear text). These include creating database users via: x509 type, IAM type, LDAP auth type, and most recently OIDC auth type. Hope this helps https://registry.terraform.io/providers/mongodb/mongodbatlas/latest/docs/resources/database_user
    Reply
  • Guest
    Sep 1, 2021
    Agree. I think it should be possible to use a `random_password` resource or a fixed initial password secret, then change it out of band, and use a lifecycle policy to prevent changes after the resource changes. But it would be much cleaner if the provider could set an empty or random password on resource creation, so that the password could be managed out of band vs. having to define the resource with a password, then removing the password resource later. Even in the case of using a secure backend for the password, it will end up being viewable in cleartext in the (unencrypted) state, so not ideal.
    Reply