Plain text db password in terraform files
Hi, I'm new to infrastructure security. I know for certain that I have several databases in Terraform files, such as SQL Server or PostgreSQL, with admin passwords in plain text. I don't understand why Checkov can't tell me this is some kind of issue. In my IT experience, this is quite a critical issue, as anyone with access to the Git repository can see the passwords. Am I wrong?
I’m attaching two examples.
resource "azurerm_sql_server" "sql_server" {
  provider            = azurerm.providername
  name                = var.sql_server_name
  resource_group_name = azurerm_resource_group.sql_rg.name
  location            = var.location
  version             = "12.0"
  administrator_login = "adminuser"
  # Admin password committed as a plain-text literal: the finding the issue is about.
  administrator_login_password = "My_STRONG_password(!)"
  tags                = var.tags
}

resource "azurerm_postgresql_flexible_server" "psql" {
  name                = var.postgresql_name
  resource_group_name = azurerm_resource_group.postrgressql_rg.name
  location            = azurerm_resource_group.postrgressql_rg.location
  version             = "13"
  delegated_subnet_id = var.delegated_subnet_id
  private_dns_zone_id = azurerm_private_dns_zone.private_dns.id
  administrator_login = "psqladmin"
  # Same plain-text literal for the PostgreSQL admin account.
  administrator_password = "My_STRONG_password(!)"
  zone                = "1"
  sku_name            = "B_Standard_B1ms"
}
Top GitHub Comments
@Roqche The secrets detection is failing on the example above due to the complexity of the password 😃 The check only looks for alphanumeric characters; the "(!)" causes the regex to fail, and the password is not detected. If you test the following examples:
Then you get the following error:
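The detection gap the maintainer describes (a pattern whose value class admits only alphanumeric characters never reaches the closing quote of "My_STRONG_password(!)") can be reproduced and contrasted with a name-keyed check in a few lines of Python. This is an added example, not Checkov's code and not the issue author's Terraform: the HCL sample is a constructed, trimmed copy of the two resources from the issue plus a third that reads the password from a variable, the PASSWORD_KEYS list and the find_hardcoded helper are hypothetical names, and neither regex is Checkov's actual pattern.

```python
import re

# Constructed sample for this example: the two resources from the issue,
# trimmed to the attributes that matter, plus a third resource that reads
# the password from a variable instead of a literal. Not a real deployment.
SAMPLE_TF = '''
resource "azurerm_sql_server" "sql_server" {
  administrator_login          = "adminuser"
  administrator_login_password = "My_STRONG_password(!)"
}

resource "azurerm_postgresql_flexible_server" "psql" {
  administrator_login    = "psqladmin"
  administrator_password = "My_STRONG_password(!)"
}

resource "azurerm_postgresql_flexible_server" "psql_ok" {
  administrator_login    = "psqladmin"
  administrator_password = var.db_password
}
'''

# A purely alphanumeric password (constructed) that the narrow pattern does catch.
SIMPLE_TF = 'administrator_password = "Password123"\n'

# Attribute names whose value is a credential. Hypothetical list assembled
# for this example; extend it for the providers you use.
PASSWORD_KEYS = ("administrator_login_password", "administrator_password", "password")

# Pattern A reproduces the failure mode described in the thread: the value
# class is limited to word characters, so "My_STRONG_password(!)" never
# matches, because the closing quote must directly follow a run of [A-Za-z0-9_].
ALNUM_ONLY = re.compile(
    r'^[ \t]*(?P<key>\w*password\w*)[ \t]*=[ \t]*"(?P<val>\w+)"[ \t]*$',
    re.MULTILINE,
)

# Pattern B keys on the attribute name instead of the shape of the value:
# any quoted literal assigned to a credential attribute is flagged, whatever
# punctuation it contains. An unquoted reference (var.db_password) is not.
ANY_LITERAL = re.compile(
    r'^[ \t]*(?P<key>' + "|".join(map(re.escape, PASSWORD_KEYS)) +
    r')[ \t]*=[ \t]*"(?P<val>[^"\n]*)"[ \t]*$',
    re.MULTILINE,
)


def find_hardcoded(tf_text, pattern):
    """Return (line_number, attribute, literal) for each credential literal
    that `pattern` matches in the given Terraform source text."""
    hits = []
    for m in pattern.finditer(tf_text):
        # Count newlines before the attribute name to get a 1-based line number.
        line_no = tf_text.count("\n", 0, m.start("key")) + 1
        hits.append((line_no, m.group("key"), m.group("val")))
    return hits


if __name__ == "__main__":
    for label, pattern in (("alphanumeric-only", ALNUM_ONLY), ("any literal", ANY_LITERAL)):
        print(f"{label}: {find_hardcoded(SAMPLE_TF, pattern)}")
```

Run as a script, the alphanumeric-only pattern reports nothing for the issue's sample while the name-keyed pattern reports both literals with their line numbers; on SIMPLE_TF both patterns agree, which is exactly the behaviour the maintainer describes. Keying on the attribute name is what makes the check independent of password complexity, and the third resource, which references var.db_password, is deliberately left alone: passing the credential in through a variable (marked sensitive = true in Terraform) rather than a literal in the .tf file is the usual remediation for the finding the issue reports.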
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!