Open codygreen opened 5 years ago
I took a stab at this, but I didn't like how complicated it was making the HCL, putting conditional logic everywhere trying to determine if the password should be set or not.
Possible considerations:
I'll leave this open for comments and remove it from the 0.1.3 milestone.
Cody, we need to move away from requiring users to embed credentials in their TF code.
Could we not simply look for and use the environment variables for the AWS API creds, instead - similar to how the AWS provider does?
@steveh565, the dependency on the service account is so the BIG-IP password can be pulled from the AWS Secrets Manager. Please note, this is the only secure way to set the BIG-IP password without requiring a subsequent task to SSH into the BIG-IP. Any password set via cloud-init can be viewed in the machine metadata.
Add an option to not set the password for situations where the IAM rights do not allow access to the Secrets Manager.