diff --git a/manifests/keystone/domain.pp b/manifests/keystone/domain.pp
index 9217c746..98c50131 100644
--- a/manifests/keystone/domain.pp
+++ b/manifests/keystone/domain.pp
@@ -14,7 +14,7 @@
 #   Keystone domain admin user email address. Defaults to 'heat_admin@localhost'.
 #
 # [*domain_password*]
-#   Keystone domain admin user password. Defaults to 'changeme'.
+#   (Required) Keystone domain admin user password.
 #
 # [*manage_domain*]
 #   Whether manage or not the domain creation.
@@ -35,10 +35,10 @@
 #   Defaults to 'true'
 #
 class heat::keystone::domain (
+  $domain_password,
   $domain_name        = 'heat',
   $domain_admin       = 'heat_admin',
   $domain_admin_email = 'heat_admin@localhost',
-  $domain_password    = 'changeme',
   $manage_domain      = true,
   $manage_user        = true,
   $manage_role        = true,
diff --git a/releasenotes/notes/domain_password-b9e2e385ebf5d912.yaml b/releasenotes/notes/domain_password-b9e2e385ebf5d912.yaml
new file mode 100644
index 00000000..32daeccc
--- /dev/null
+++ b/releasenotes/notes/domain_password-b9e2e385ebf5d912.yaml
@@ -0,0 +1,5 @@
+---
+security:
+  - domain_password in heat::keystone::domain is now required and no default
+    value is provided.  It will make sure our users set the value so deployments
+    are more secure.