Fixup some issues in trivy/checkov

This commit is contained in:
Greyscale 2025-01-25 02:48:26 +01:00
parent e63eedc370
commit 8e4b8a9d71
Signed by: grey
GPG key ID: DDB392AE64B32D89
26 changed files with 236 additions and 91 deletions


@ -2,17 +2,18 @@
# To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
version: 0.1 version: 0.1
cli: cli:
version: 1.22.2 version: 1.22.9
# Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins) # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
plugins: plugins:
sources: sources:
- id: trunk - id: trunk
ref: v1.6.1 ref: v1.6.6
uri: https://github.com/trunk-io/plugins uri: https://github.com/trunk-io/plugins
# Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes) # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
runtimes: runtimes:
enabled: enabled:
- node@18.12.1 - go@1.21.0
- node@18.20.5
- python@3.10.8 - python@3.10.8
# This is the section where you manage your linters. (https://docs.trunk.io/check/configuration) # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
lint: lint:
@ -21,14 +22,17 @@ lint:
paths: paths:
- LICENCE.md - LICENCE.md
enabled: enabled:
- actionlint@1.7.1 - hadolint@2.12.1-beta
- checkov@3.2.216 - shellcheck@0.10.0
- shfmt@3.6.0
- actionlint@1.7.7
- checkov@3.2.357
- git-diff-check - git-diff-check
- markdownlint@0.41.0 - markdownlint@0.43.0
- prettier@3.3.3 - prettier@3.4.2
- tflint@0.52.0 - tflint@0.55.0
- trivy@0.54.0 - trivy@0.58.2
- trufflehog@3.80.3 - trufflehog@3.88.2
- yamllint@1.35.1 - yamllint@1.35.1
actions: actions:
enabled: enabled:

BIN
bin/expose Executable file

Binary file not shown.
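Review bot: bin/expose arrives as an opaque executable with no source, build step or checksum anywhere in the commit, so neither a reviewer nor the trivy/trufflehog/checkov run this commit is tuning can say what it contains or rebuild it. If it is a helper for the new products/expose stack, commit the script or source it was built from and produce the binary in CI; if it must stay a blob, record its origin and a SHA-256 next to it (for example in a `bin/README.md`) so its provenance can be re-verified later.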


@ -13,6 +13,7 @@ resource "aws_security_group" "efs" {
}) })
} }
resource "aws_vpc_security_group_ingress_rule" "nfs" { resource "aws_vpc_security_group_ingress_rule" "nfs" {
description = "Allow NFS traffic from EFS"
ip_protocol = "tcp" ip_protocol = "tcp"
from_port = 2049 from_port = 2049
to_port = 2049 to_port = 2049
@ -23,6 +24,7 @@ resource "aws_vpc_security_group_ingress_rule" "nfs" {
}) })
} }
resource "aws_vpc_security_group_egress_rule" "nfs" { resource "aws_vpc_security_group_egress_rule" "nfs" {
description = "Allow NFS traffic to EFS"
ip_protocol = "tcp" ip_protocol = "tcp"
from_port = 2049 from_port = 2049
to_port = 2049 to_port = 2049
@ -32,7 +34,11 @@ resource "aws_vpc_security_group_egress_rule" "nfs" {
Name = "NFS/EFS Egress" Name = "NFS/EFS Egress"
}) })
} }
# checkov:skip=CKV_AWS_24: checkov is mis-detecting this as exposing port 22 to 0.0.0.0
# checkov:skip=CKV_AWS_25: checkov is mis-detecting this as exposing port 3389 to 0.0.0.0
# checkov:skip=CKV_AWS_260: checkov is mis-detecting this as exposing port 80 to 0.0.0.0
resource "aws_vpc_security_group_ingress_rule" "ping" { resource "aws_vpc_security_group_ingress_rule" "ping" {
description = "Allow ping"
ip_protocol = "icmp" ip_protocol = "icmp"
from_port = 0 from_port = 0
to_port = 0 to_port = 0
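Review bot: The three `# checkov:skip=` comments sit above the `resource "aws_vpc_security_group_ingress_rule" "ping"` block rather than inside it; checkov's Terraform scanner only honours a skip comment placed within the scope of the block it annotates, so as written CKV_AWS_24, CKV_AWS_25 and CKV_AWS_260 will keep being reported. Move the three lines inside the braces, e.g. directly under `description = "Allow ping"`. Separately, those three checks fire on ingress rules whose source is 0.0.0.0/0; the rule's `cidr_ipv4` is outside the hunk, but if it is the wildcard the finding is really "ICMP reachable from anywhere" rather than a port mis-detection, and the suppression text should state why unrestricted ping is acceptable (or the source should be narrowed) instead of attributing it to a detector bug.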


@ -1 +1 @@
Heavy use of code pilfered from https://github.com/binlab/docker-bastion/blob/master/Dockerfile Heavy use of code pilfered from https://github.com/binlab/docker-bastion/blob/master/Dockerfile


@ -1,90 +1,89 @@
#!/usr/bin/env sh #!/usr/bin/env bash
HOST_KEYS_PATH_PREFIX="${HOST_KEYS_PATH_PREFIX:='/'}" HOST_KEYS_PATH_PREFIX="${HOST_KEYS_PATH_PREFIX:='/'}"
HOST_KEYS_PATH="${HOST_KEYS_PATH:='/etc/ssh'}" HOST_KEYS_PATH="${HOST_KEYS_PATH:='/etc/ssh'}"
if [ "$PUBKEY_AUTHENTICATION" == "false" ]; then if [[ ${PUBKEY_AUTHENTICATION} == "false" ]]; then
CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=no" CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=no"
else else
CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=yes" CONFIG_PUBKEY_AUTHENTICATION="-o PubkeyAuthentication=yes"
fi fi
if [ -n "$AUTHORIZED_KEYS" ]; then if [[ -n ${AUTHORIZED_KEYS} ]]; then
CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=$AUTHORIZED_KEYS" CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=${AUTHORIZED_KEYS}"
else else
CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=authorized_keys" CONFIG_AUTHORIZED_KEYS="-o AuthorizedKeysFile=authorized_keys"
fi fi
if [ -n "$TRUSTED_USER_CA_KEYS" ]; then if [[ -n ${TRUSTED_USER_CA_KEYS} ]]; then
CONFIG_TRUSTED_USER_CA_KEYS="-o TrustedUserCAKeys=$TRUSTED_USER_CA_KEYS" CONFIG_TRUSTED_USER_CA_KEYS="-o TrustedUserCAKeys=${TRUSTED_USER_CA_KEYS}"
CONFIG_AUTHORIZED_PRINCIPALS_FILE="-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u" CONFIG_AUTHORIZED_PRINCIPALS_FILE="-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u"
else else
CONFIG_AUTHORIZED_PRINCIPALS_FILE="-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u" CONFIG_AUTHORIZED_PRINCIPALS_FILE="-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u"
fi fi
if [[ ${GATEWAY_PORTS} == "true" ]]; then
if [ "$GATEWAY_PORTS" == "true" ]; then CONFIG_GATEWAY_PORTS="-o GatewayPorts=yes"
CONFIG_GATEWAY_PORTS="-o GatewayPorts=yes"
else else
CONFIG_GATEWAY_PORTS="-o GatewayPorts=no" CONFIG_GATEWAY_PORTS="-o GatewayPorts=no"
fi fi
if [ "$PERMIT_TUNNEL" == "true" ]; then if [[ ${PERMIT_TUNNEL} == "true" ]]; then
CONFIG_PERMIT_TUNNEL="-o PermitTunnel=yes" CONFIG_PERMIT_TUNNEL="-o PermitTunnel=yes"
else else
CONFIG_PERMIT_TUNNEL="-o PermitTunnel=no" CONFIG_PERMIT_TUNNEL="-o PermitTunnel=no"
fi fi
if [ "$X11_FORWARDING" == "true" ]; then if [[ ${X11_FORWARDING} == "true" ]]; then
CONFIG_X11_FORWARDING="-o X11Forwarding=yes" CONFIG_X11_FORWARDING="-o X11Forwarding=yes"
else else
CONFIG_X11_FORWARDING="-o X11Forwarding=no" CONFIG_X11_FORWARDING="-o X11Forwarding=no"
fi fi
if [ "$TCP_FORWARDING" == "false" ]; then if [[ ${TCP_FORWARDING} == "false" ]]; then
CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=no" CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=no"
else else
CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=yes" CONFIG_TCP_FORWARDING="-o AllowTcpForwarding=yes"
fi fi
if [ "$AGENT_FORWARDING" == "false" ]; then if [[ ${AGENT_FORWARDING} == "false" ]]; then
CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=no" CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=no"
else else
CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=yes" CONFIG_AGENT_FORWARDING="-o AllowAgentForwarding=yes"
fi fi
if [ ! -f "$HOST_KEYS_PATH/ssh_host_rsa_key" ]; then if [[ ! -f "${HOST_KEYS_PATH}/ssh_host_rsa_key" ]]; then
/usr/bin/ssh-keygen -A -f "$HOST_KEYS_PATH_PREFIX" /usr/bin/ssh-keygen -A -f "${HOST_KEYS_PATH_PREFIX}"
fi fi
if [ -n "$LISTEN_ADDRESS" ]; then if [[ -n ${LISTEN_ADDRESS} ]]; then
CONFIG_LISTEN_ADDRESS="-o ListenAddress=$LISTEN_ADDRESS" CONFIG_LISTEN_ADDRESS="-o ListenAddress=${LISTEN_ADDRESS}"
else else
CONFIG_LISTEN_ADDRESS="-o ListenAddress=0.0.0.0" CONFIG_LISTEN_ADDRESS="-o ListenAddress=0.0.0.0"
fi fi
if [ -n "$LISTEN_PORT" ]; then if [[ -n ${LISTEN_PORT} ]]; then
CONFIG_LISTEN_PORT="-o Port=$LISTEN_PORT" CONFIG_LISTEN_PORT="-o Port=${LISTEN_PORT}"
else else
CONFIG_LISTEN_PORT="-o Port=22" CONFIG_LISTEN_PORT="-o Port=22"
fi fi
/usr/sbin/sshd -D -e -4 \ /usr/sbin/sshd -D -e -4 \
-o "HostKey=$HOST_KEYS_PATH/ssh_host_rsa_key" \ -o "HostKey=${HOST_KEYS_PATH}/ssh_host_rsa_key" \
-o "HostKey=$HOST_KEYS_PATH/ssh_host_dsa_key" \ -o "HostKey=${HOST_KEYS_PATH}/ssh_host_dsa_key" \
-o "HostKey=$HOST_KEYS_PATH/ssh_host_ecdsa_key" \ -o "HostKey=${HOST_KEYS_PATH}/ssh_host_ecdsa_key" \
-o "HostKey=$HOST_KEYS_PATH/ssh_host_ed25519_key" \ -o "HostKey=${HOST_KEYS_PATH}/ssh_host_ed25519_key" \
-o "PasswordAuthentication=no" \ -o "PasswordAuthentication=no" \
-o "PermitEmptyPasswords=no" \ -o "PermitEmptyPasswords=no" \
-o "PermitRootLogin=no" \ -o "PermitRootLogin=no" \
$CONFIG_PUBKEY_AUTHENTICATION \ "${CONFIG_PUBKEY_AUTHENTICATION}" \
$CONFIG_AUTHORIZED_KEYS \ "${CONFIG_AUTHORIZED_KEYS}" \
$CONFIG_GATEWAY_PORTS \ "${CONFIG_GATEWAY_PORTS}" \
$CONFIG_PERMIT_TUNNEL \ "${CONFIG_PERMIT_TUNNEL}" \
$CONFIG_X11_FORWARDING \ "${CONFIG_X11_FORWARDING}" \
$CONFIG_AGENT_FORWARDING \ "${CONFIG_AGENT_FORWARDING}" \
$CONFIG_TCP_FORWARDING \ "${CONFIG_TCP_FORWARDING}" \
$CONFIG_TRUSTED_USER_CA_KEYS \ "${CONFIG_TRUSTED_USER_CA_KEYS}" \
$CONFIG_AUTHORIZED_PRINCIPALS_FILE \ "${CONFIG_AUTHORIZED_PRINCIPALS_FILE}" \
$CONFIG_LISTEN_ADDRESS \ "${CONFIG_LISTEN_ADDRESS}" \
$CONFIG_LISTEN_PORT "${CONFIG_LISTEN_PORT}"
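Review bot: Quoting the `$CONFIG_*` expansions in the final `/usr/sbin/sshd` call changes what sshd receives: each value is the two-word string `-o Key=value`, which used to be split into `-o` and `Key=value` and now arrives as one argument with a leading space in the option value, and `CONFIG_TRUSTED_USER_CA_KEYS` is never assigned on the `else` branch of the `TRUSTED_USER_CA_KEYS` test, so when that variable is unset sshd is now handed a literal empty argument where the unquoted form expanded to nothing. sshd's config parser appears to skip leading whitespace, but it rejects leftover non-option arguments ("Extra argument") and exits, so with `TRUSTED_USER_CA_KEYS` unset the container would not start; this should be tried against the image before merging. The shellcheck-clean fix is to collect the options in a bash array and expand it with `"${SSHD_OPTS[@]}"`, which keeps `-o` and its value as separate words and contributes nothing for features that are not configured, and `exec`ing sshd at the same time makes it PID 1 so container stop signals reach it directly. `ssh_host_dsa_key` is also still listed as a HostKey although recent OpenSSH releases no longer generate or load DSA keys, so on such an image that line only produces a load error on every start.
```shell
#!/usr/bin/env bash
# Collect sshd options as separate words; unconfigured features contribute nothing.
SSHD_OPTS=()
if [[ ${PUBKEY_AUTHENTICATION} == "false" ]]; then
  SSHD_OPTS+=(-o PubkeyAuthentication=no)
else
  SSHD_OPTS+=(-o PubkeyAuthentication=yes)
fi
if [[ -n ${TRUSTED_USER_CA_KEYS} ]]; then
  SSHD_OPTS+=(-o "TrustedUserCAKeys=${TRUSTED_USER_CA_KEYS}")
fi
SSHD_OPTS+=(-o AuthorizedPrincipalsFile=/etc/ssh/auth_principals/%u)
# … same pattern for AUTHORIZED_KEYS, GATEWAY_PORTS, PERMIT_TUNNEL, X11_FORWARDING,
# … TCP_FORWARDING, AGENT_FORWARDING, LISTEN_ADDRESS and LISTEN_PORT …
# … unchanged: host key generation …
exec /usr/sbin/sshd -D -e -4 \
  -o "HostKey=${HOST_KEYS_PATH}/ssh_host_rsa_key" \
  -o "HostKey=${HOST_KEYS_PATH}/ssh_host_ecdsa_key" \
  -o "HostKey=${HOST_KEYS_PATH}/ssh_host_ed25519_key" \
  -o "PasswordAuthentication=no" \
  -o "PermitEmptyPasswords=no" \
  -o "PermitRootLogin=no" \
  "${SSHD_OPTS[@]}"
```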


@ -33,4 +33,4 @@ services:
target: /var/lib/bastion/authorized_keys target: /var/lib/bastion/authorized_keys
volumes: volumes:
bastion: bastion:

24
products/expose/auth.tf Normal file

@ -0,0 +1,24 @@
variable "username" {
type = string
description = "The username to use for the service."
default = null
}
variable "password" {
type = string
description = "The password to use for the service."
default = null
}
resource "random_pet" "username" {
count = var.username == null ? 1 : 0
length = 2
separator = ""
}
resource "random_string" "password" {
count = var.username == null ? 1 : 0
length = 32
special = false
}
locals {
username = var.username != null ? var.username : random_pet.username[0].id
password = var.password != null ? var.password : nonsensitive(random_string.password[0].result)
}
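Review bot: `resource "random_string" "password"` is created on the condition `var.username == null` rather than `var.password == null`, so a caller that sets `username` but leaves `password` null makes `random_string.password[0].result` in `locals` an index error, and a caller that sets `password` but not `username` generates a password that is never used; change it to `count = var.password == null ? 1 : 0`. The generator should also be `random_password` rather than `random_string`, as the other auth locals touched by this commit already use: `random_password` marks its result sensitive so it is redacted from plan output, whereas a `random_string` result is printed in the clear and the `nonsensitive()` wrap here then does nothing useful — `resource "random_password" "password" {` with `password = var.password != null ? var.password : random_password.password[0].result`. Marking `variable "password"` with `sensitive = true` gives the caller-supplied value the same protection.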

26
products/expose/expose.tf Normal file

@ -0,0 +1,26 @@
variable "domain" {
type = string
description = "The domain to use for the service."
}
module "service" {
source = "../../docker/service"
image = "beyondcodegmbh/expose-server:latest"
service_name = "expose"
stack_name = var.stack_name
networks = concat(var.networks, [module.network.network])
traefik = var.traefik
placement_constraints = var.placement_constraints
mounts = var.mounts
ports = var.ports
converge_enable = false
environment_variables = {
port = 9090
domain = var.domain
username = local.username
password = local.password
}
volumes = {
"expose_data" = "/root/.expose"
}
}
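Review bot: `image = "beyondcodegmbh/expose-server:latest"` pins nothing: each deploy pulls whatever the tag resolves to at that moment, so two applies of this same commit can run different server code, and any broken or malicious push to the tag reaches this internet-facing tunnel endpoint on the next converge. Pin an explicit version, ideally with a digest, e.g. `image = "beyondcodegmbh/expose-server:<version>@sha256:<digest>"` (placeholders), and bump it deliberately; this matters more here than for the internal services in this commit because the server terminates traffic from outside.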

45
products/expose/inputs.tf Normal file

@ -0,0 +1,45 @@
variable "stack_name" {
default = "expose"
type = string
description = "The name of the stack to create."
}
variable "networks" {
type = list(object({
name = string
id = string
}))
default = []
description = "A list of network names to attach the service to."
}
variable "traefik" {
default = null
type = object({
domain = string
port = optional(number)
non-ssl = optional(bool, true)
ssl = optional(bool, false)
rule = optional(string)
middlewares = optional(list(string))
network = optional(object({ name = string, id = string }))
basic-auth-users = optional(list(string))
})
description = "Whether to enable traefik for the service."
}
variable "placement_constraints" {
default = []
type = list(string)
description = "Docker Swarm placement constraints"
}
variable "mounts" {
type = map(string)
default = {}
description = "A map of host paths to container paths to mount. The key is the host path, and the value is the container path."
}
variable "ports" {
type = list(object({
host = optional(number, null)
container = number
protocol = optional(string, "tcp")
}))
default = []
}
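Review bot: `variable "ports"` is the only input in this file without a `description`, and its `protocol` field accepts any string although the other `ports` variable visible in this commit restricts it to `tcp`/`udp`; a typo such as `"tpc"` would only surface at swarm deploy time. The `traefik` description, `"Whether to enable traefik for the service."`, reads as a boolean while the type is an object; something like `"Traefik routing settings for the service; null leaves traefik unconfigured."` matches the type. Adding the validation below keeps the error close to the input.
```terraform
variable "ports" {
  # … unchanged: type and default …
  description = "Ports to publish for the service (host is optional; protocol defaults to tcp)."
  validation {
    condition     = alltrue([for port in var.ports : port.protocol == "tcp" || port.protocol == "udp"])
    error_message = "Protocol must be either 'tcp' or 'udp'."
  }
}
```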


@ -0,0 +1,4 @@
module "network" {
source = "../../docker/network"
stack_name = var.stack_name
}


@ -0,0 +1,15 @@
output "docker_service" {
value = module.service.docker_service
}
output "network" {
value = module.network.network
}
output "endpoint" {
value = module.service.endpoint
}
output "auth" {
value = {
username = local.username
password = local.password
}
}
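Review bot: `output "auth"` returns `local.password` without `sensitive = true`, so Terraform prints the password in clear text at the end of every apply and on `terraform output`, which in practice means terminal scrollback and CI logs; the `nonsensitive()` in the locals is what lets this slip past Terraform's own sensitivity check. Add `sensitive = true` to the `auth` output, and preferably keep the value sensitive all the way through rather than un-marking it in `locals`. The value is stored in plain text in the state file either way, so the state backend's access controls remain the real protection.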


@ -0,0 +1,16 @@
terraform {
required_version = "~> 1.6"
required_providers {
docker = {
source = "kreuzwerker/docker"
version = "~> 3.0"
}
random = {
source = "hashicorp/random"
version = "~> 3.5"
}
}
}


@ -4,7 +4,7 @@ module "service" {
stack_name = var.stack_name stack_name = var.stack_name
service_name = var.service_name service_name = var.service_name
networks = var.networks networks = var.networks
command = ["memcached", "--memory-limit", var.memory_limit_mb, "--threads", var.threads, "--connection-limit", var.connection_limit] command = ["memcached", "-m", var.memory_limit_mb, "-t", var.threads, "-c", var.connection_limit]
#healthcheck = ["CMD-SHELL", "echo \"version\" | nc -vn -w 1 127.0.0.1 11211"] #healthcheck = ["CMD-SHELL", "echo \"version\" | nc -vn -w 1 127.0.0.1 11211"]
#healthcheck_start_period = "10s" #healthcheck_start_period = "10s"
#healthcheck_interval = "10s" #healthcheck_interval = "10s"
@ -21,8 +21,5 @@ locals {
volumes = var.data_persist_path == null ? { volumes = var.data_persist_path == null ? {
"data" = "/var/lib/mysql" "data" = "/var/lib/mysql"
} : {} } : {}
mounts = var.data_persist_path != null ? { mounts = var.data_persist_path != null ? zipmap([var.data_persist_path], ["/var/lib/mysql"]) : {}
"${var.data_persist_path}" = "/var/lib/mysql"
} : {}
} }


@ -24,8 +24,5 @@ locals {
volumes = var.data_persist_path == null ? { volumes = var.data_persist_path == null ? {
"data" = "/var/lib/mysql" "data" = "/var/lib/mysql"
} : {} } : {}
mounts = var.data_persist_path != null ? { mounts = var.data_persist_path != null ? zipmap([var.data_persist_path], ["/var/lib/mysql"]) : {}
"${var.data_persist_path}" = "/var/lib/mysql"
} : {}
} }


@ -9,7 +9,7 @@ variable "networks" {
})) }))
default = [] default = []
description = "A list of network names to attach the service to." description = "A list of network names to attach the service to."
} }/*
variable "ports" { variable "ports" {
type = list(object({ type = list(object({
host = optional(number) host = optional(number)
@ -30,7 +30,7 @@ variable "ports" {
error_message = "Protocol must be either 'tcp' or 'udp'." error_message = "Protocol must be either 'tcp' or 'udp'."
condition = alltrue([for port in var.ports : port.protocol == "tcp" || port.protocol == "udp"]) condition = alltrue([for port in var.ports : port.protocol == "tcp" || port.protocol == "udp"])
} }
} }*/
variable "placement_constraints" { variable "placement_constraints" {
default = [] default = []
type = list(string) type = list(string)
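Review bot: The `ports` variable is disabled by wrapping it in `/* … */`, with the comment markers glued to the closing braces as `}/*` and `}*/`, which leaves the whole block including its protocol validation as dead code in the file; version history already preserves it, so delete the block outright. If this is the shared service module's variables file, the expose, postgres and redis modules in this same commit still pass `ports = var.ports` into it and Terraform would reject that with "Unsupported argument"; which file this is cannot be told from the hunk, so that needs checking before merge.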


@ -15,7 +15,6 @@ module "anisette" {
"anisette-v3-data" = "/home/Alcoholic/.config/anisette-v3/lib/" "anisette-v3-data" = "/home/Alcoholic/.config/anisette-v3/lib/"
} }
} }
module "macless-haystack" { module "macless-haystack" {
source = "../../docker/service" source = "../../docker/service"
stack_name = var.stack_name stack_name = var.stack_name


@ -1,3 +1,8 @@
variable "enable" {
type = bool
description = "Whether to enable the service."
default = true
}
variable "postgres_image" { variable "postgres_image" {
default = "postgres" default = "postgres"
type = string type = string


@ -1,5 +1,6 @@
module "service" { module "service" {
source = "../../docker/service" source = "../../docker/service"
enable = var.enable
image = "${var.postgres_image}:${var.postgres_version}" image = "${var.postgres_image}:${var.postgres_version}"
stack_name = var.stack_name stack_name = var.stack_name
service_name = var.service_name service_name = var.service_name
@ -16,13 +17,9 @@ module "service" {
ports = var.ports ports = var.ports
placement_constraints = var.placement_constraints placement_constraints = var.placement_constraints
} }
locals { locals {
volumes = var.data_persist_path == null ? { volumes = var.data_persist_path == null ? {
"data" = "/var/lib/postgres/data" "data" = "/var/lib/postgres/data"
} : {} } : {}
mounts = var.data_persist_path != null ? { mounts = var.data_persist_path != null ? zipmap([var.data_persist_path], ["/var/lib/postgres/data"]) : {}
"${var.data_persist_path}" = "/var/lib/postgres/data"
} : {}
} }


@ -1,3 +1,8 @@
variable "enable" {
type = bool
description = "Whether to enable the service."
default = true
}
variable "quassel_image" { variable "quassel_image" {
default = "lscr.io/linuxserver/quassel-core" default = "lscr.io/linuxserver/quassel-core"
type = string type = string


@ -4,16 +4,17 @@ module "network" {
} }
module "postgres" { module "postgres" {
source = "../postgres" source = "../postgres"
enable = var.enable
postgres_version = "16" postgres_version = "16"
stack_name = var.stack_name stack_name = var.stack_name
networks = [module.network] networks = [module.network]
username = "postgres" username = "postgres"
database = "postgres" database = "postgres"
placement_constraints = var.placement_constraints placement_constraints = var.placement_constraints
ports = [{ container = 5432, host = 65432 }]
} }
module "service" { module "service" {
source = "../../docker/service" source = "../../docker/service"
enable = var.enable
image = "${var.quassel_image}:${var.quassel_version}" image = "${var.quassel_image}:${var.quassel_version}"
stack_name = var.stack_name stack_name = var.stack_name
service_name = "quassel" service_name = "quassel"


@ -1,3 +1,8 @@
variable "enable" {
type = bool
description = "Whether to enable the service."
default = true
}
variable "redis_image" { variable "redis_image" {
default = "redis" default = "redis"
type = string type = string


@ -24,6 +24,7 @@ variable "append_only" {
} }
module "service" { module "service" {
source = "../../docker/service" source = "../../docker/service"
enable = var.enable
image = "${var.redis_image}:${var.redis_version}" image = "${var.redis_image}:${var.redis_version}"
stack_name = var.stack_name stack_name = var.stack_name
service_name = "redis" service_name = "redis"


@ -4,4 +4,5 @@ module "port_forward" {
label = var.label label = var.label
port = var.port != null ? var.port : var.docker_service.endpoint_spec[0].ports[0].published_port port = var.port != null ? var.port : var.docker_service.endpoint_spec[0].ports[0].published_port
ip = var.target.fixed_ip ip = var.target.fixed_ip
protocol = var.protocol
} }


@ -3,7 +3,7 @@ module "watchtower" {
image = "containrrr/watchtower:latest" image = "containrrr/watchtower:latest"
stack_name = "watchtower" stack_name = "watchtower"
service_name = "watchtower" service_name = "watchtower"
placement_constraints = var.placement_constraints + ["node.role == manager"] placement_constraints = distinct(concat(var.placement_constraints, ["node.role == manager"]))
command = ["--cleanup", "--label-enable", "--interval", "3600"] command = ["--cleanup", "--label-enable", "--interval", "3600"]
labels = { labels = {
"com.centurylinklabs.watchtower.enable" = "true" "com.centurylinklabs.watchtower.enable" = "true"


@ -1,3 +1,8 @@
variable "enabled" {
description = "Whether to enable the services or merely provision them."
type = bool
default = true
}
variable "stack_name" { variable "stack_name" {
description = "The name of the stack" description = "The name of the stack"
type = string type = string
@ -16,7 +21,6 @@ variable "placement_constraints" {
default = [] default = []
} }
variable "traefik" { variable "traefik" {
default = null
type = object({ type = object({
domain = string domain = string
port = optional(number) port = optional(number)
@ -29,8 +33,3 @@ variable "traefik" {
}) })
description = "Whether to enable traefik for the service." description = "Whether to enable traefik for the service."
} }
variable "enabled" {
description = "Whether to enable the services or merely provision them."
type = bool
default = true
}
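Review bot: This file names its switch `enabled` while the postgres, quassel and redis modules touched in the same commit call theirs `enable` and pass `enable = var.enable` downstream; moving the declaration to the top of the file was the moment to align the name, and the mismatch will keep tripping anyone wiring these modules together. Dropping `default = null` from `variable "traefik"` also turns it into a required input, so any caller that previously omitted it now fails with "No value for required variable". If making it mandatory is intended, the description `"Whether to enable traefik for the service."` should say so and stop reading like a boolean; otherwise restore `default = null`.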


@ -1,5 +1,4 @@
locals { locals {
username_words = var.username_words != null ? var.username_words : floor(var.username_max_length / 3)
username = var.username != null ? var.username : random_pet.username[0].id username = var.username != null ? var.username : random_pet.username[0].id
password = var.password != null ? nonsensitive(var.password) : nonsensitive(random_password.password[0].result) password = var.password != null ? nonsensitive(var.password) : nonsensitive(random_password.password[0].result)
} }