Bug: A password is being set for the default cloud-init user when cipassword is not-defined or null

[trfore]

When adding a cloud-init configuration drive, a password is automatically generated and set for the default user. The attribute cipassword is not set, and setting the value to null does not remedy the issue.

Code Example

terraform {
  required_providers {
    proxmox = {
      source  = "Telmate/proxmox"
      version = "3.0.1-rc4"
    }
  }
}

provider "proxmox" {
  pm_api_url          = "REDACTED"
  pm_api_token_id     = "REDACTED"
  pm_api_token_secret = "REDACTED"
}

resource "proxmox_vm_qemu" "vm" {
  target_node = "pve"
  vmid        = "100"
  clone       = "ubuntu20"

  disk {
    type    = "disk"
    slot    = "scsi0"
    storage = "local-lvm"
    size    = "8G"
  }

  disk {
    type    = "cloudinit"
    slot    = "ide2"
    storage = "local-lvm"
  }
}

Log/Output

The VM config from PVE node:

root@pve:~# cat /etc/pve/nodes/pve/qemu-server/100.conf
agent: 0
balloon: 0
bios: seabios
boot: order=scsi0
cicustom:  
cipassword: $5$Uohwxx2t$Xdpf6Wi7pJMmIgR2VfXA3v6ulzFqwUaV1dqIkpL1wC.
citype: nocloud
ciupgrade: 0
cores: 1
cpu: host
hotplug: network,disk,usb
ide2: local-lvm:vm-100-cloudinit,media=cdrom,size=4M
kvm: 1
machine: q35
memory: 512
meta: creation-qemu=9.0.2,ctime=1724254788
name: Copy-of-VM-ubuntu20
net0: virtio=BC:24:11:0E:47:71,bridge=vmbr0,tag=1
numa: 0
onboot: 0
ostype: l26
protection: 0
scsi0: local-lvm:vm-100-disk-0,replicate=0,size=8G
scsihw: lsi
smbios1: uuid=REDACTED
sockets: 1
sshkeys: %0A
tablet: 1
vmgenid: REDACTED

[jay7x]

Just saw that also..

Below is the command copied from the "Cluster log" tab:

update VM 808: -agent 1 -balloon 0 -bios seabios -cicustom -cipassword <hidden> -ciupgrade 0 -cores 2 -cpu host -delete ide2,shares -description Debian 12 test VM -hotplug network,disk,usb -kvm 1 -memory 4096 -name test01 -net0 virtio=72:94:B9:B2:02:B8,bridge=vmbr0 -numa 0 -onboot 0 -ostype l26 -protection 0 -scsihw virtio-scsi-single -sockets 1 -sshkeys %0A -tablet 1 -virtio0 vms08-zfs01:base-995-disk-0/vm-808-disk-0,iothread=1,replicate=0 -virtio1 vms08-zfs01:1,format=raw,iothread=1,replicate=0

cipassword was set to null in this TF run.

Let me know if more information is required.

[jay7x]

I spent some time on this and found the following.

See the file: https://github.com/Telmate/proxmox-api-go/blob/032717b543a596ebae3013da4cda592052a02d17/proxmox/config_qemu_cloudinit.go#L131

	if config.UserPassword != nil {
		params["cipassword"] = *config.UserPassword
	}

When a new cloud-init config is created, UserPassword field is set to a pointer to an empty string (*""). So cipassword is defined in the params map returned by this function. That leads to cipassword parameter to be defined in the API call later.

What's interesting, there is another check for Username field in the condition few lines above, which removes it from the params map:

		if config.Username != nil && *config.Username != "" {
			params["ciuser"] = *config.Username
		}

So I guess we should add the same to the UserPassword field condition.

I tried to set config.UserPassword to nil in delve and it went fine. No cipassword argument was present in the update VM line. Password was not changed in the VM.

TF state still has "cipassword": "",, but terraform plan shows no changes expected.

@Tinyblargon could you please have another look here? I can make a PR into the proxmox-api-go if the solution is ok for you (or feel free to just fix it yourself)

[jay7x]

Found some time and raised the PR there :)
Telmate/proxmox-api-go#364