Open kthejoker opened 2 years ago
Even if you do, people will still copy paste the examples in. Having scanned a lot of the documentation, there's actually a lot of code blocks, with passwords, which are not even valid by the default policy. This is an odd thought, but it is a way of solving the problem.
If you can't deploy the example, you won't end up with defaulted passwords, as you are forced to do a manual edit. You would of course get an annoying error saying "Hey, the password you provided, doesn't live up to the standards." - but at least that's understandable.
This is just a suggestion, I could easily go through with my tools and find all password blocks and set this. But would probably require some feedback from others, as it's also not an obvious solution.
I like this idea, if people will ignore the warnings, the best way to ensure default passwords aren't being used is make sure there are no (valid) default passwords.
On Sat, Apr 30, 2022 at 6:22 PM DeeNaxic @.***> wrote:
Even if you do, people will still copy paste the examples in. Having scanned a lot of the documentation, there's actually a lot of code blocks, with passwords, which are not even valid by the default policy. This is an odd thought, but it is a way of solving the problem.
If you can't deploy the example, you won't end up with defaulted passwords, as you are forced to do a manual edit. You would of course get an annoying error saying "Hey, the password you provided, doesn't live up to the standards." - but at least that's understandable.
This is just a suggestion, I could easily go through with my tools and find all password blocks and set this. But would probably require some feedback from others, as it's also not an obvious solution.
— Reply to this email directly, view it on GitHub https://github.com/hashicorp/terraform-provider-azurerm/issues/15677#issuecomment-1114071087, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAEY2HKYATCUOG3DXKF5PB3VHW6DBANCNFSM5PYI2UHQ . You are receiving this because you authored the thread.Message ID: @.***>
This doc
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine
Contains an example script, including a plain-text administrative password.
Attackers are using this exact admin/password combo for recon on Azure VMs in order to hijack them, infect them with malware, etc.
Can we include an even more aggressive disclaimer or alert at the top of the docs to not deploy with this example password, but to change it in your script, with the stated effort of preventing a VM from being generated with a password already known to attackers.