fortinet/fortigate-terraform-deploy

Insecure password for admin in GCP modules (and GCP image in general)

philip-harvey opened this issue · 3 comments

As far as I can tell, all the GCP modules output the instance ID as the admin password. I assume this is something that is baked into the image, but it seems like a terrible idea from a security standpoint, since anyone with minimal permissions on the project can get the admin password and it's very hard to fix afterwards. It would be a lot better if the Terraform generated a random password and configured this as the admin password at deployment time.

Hi,

By default, it would use the instance ID as the initial login password. The user is supposed to change the password after first login.

https://docs.fortinet.com/document/fortigate-public-cloud/7.2.0/gcp-administration-guide/306020/connecting-to-the-fortigate-vm

Cheers

Hi @mobilesuitzero, I can't see any way that it would be possible to automate this with Terraform, and having an expired password means a provider can't be configured. Am I missing something?

Hi,

Initially, the user would use the instance ID to log in the first time, and then the user is required to change that password once logged in.

From a security standpoint, the password is expected to be changed after first login.

If the user wants to bootstrap the username/password inside the configuration, they can do so from the configuration.

Cheers