Unleash / terraform-provider-unleash

Terraform provider for Unleash, the open-source feature management solution
https://www.getunleash.io
Apache License 2.0

fix: create user with password #83

Closed gastonfournier closed 12 months ago

gastonfournier commented 12 months ago

About the changes

When creating a user the password was not sent to Unleash.

It might not be a good idea to send passwords this way as it might be a security risk.

Fixes: #76

sighphyre commented 12 months ago

> It might not be a good idea to send passwords this way as it might be a security risk

Probably not, but I don't see anything that would block someone from reading from a secret/env var there?

gastonfournier commented 12 months ago

> > It might not be a good idea to send passwords this way as it might be a security risk
>
> Probably not, but I don't see anything that would block someone from reading from a secret/env var there?

Yes, I'm not sure what best practices are out there for Terraform, or if this can be integrated with a secrets provider. The only challenge is the password always goes inside the body of the request in plain text, so unless you use HTTPS, someone could intercept the message.

I think it is what it is, and it can be improved later. Users still have the option of not specifying the password and resetting it on the UI or using the send_email functionality (which would need some additional configuration for the email provider).