diff --git a/bare-metal/container-linux/kubernetes/cl/container-linux-install.yaml.tmpl b/bare-metal/container-linux/kubernetes/cl/container-linux-install.yaml.tmpl
index 6fed906f..1371ec76 100644
--- a/bare-metal/container-linux/kubernetes/cl/container-linux-install.yaml.tmpl
+++ b/bare-metal/container-linux/kubernetes/cl/container-linux-install.yaml.tmpl
@@ -32,6 +32,11 @@ storage:
           systemctl reboot
 passwd:
   users:
-    - name: core
+    # Avoid using standard name "core" so terraform apply cannot SSH until post-install.
+    - name: debug
+      create:
+        groups:
+          - sudo
+          - docker
       ssh_authorized_keys:
         - {{.ssh_authorized_key}}
diff --git a/bare-metal/container-linux/pxe-worker/ssh.tf b/bare-metal/container-linux/pxe-worker/ssh.tf
index 77263b65..3d57ac1c 100644
--- a/bare-metal/container-linux/pxe-worker/ssh.tf
+++ b/bare-metal/container-linux/pxe-worker/ssh.tf
@@ -1,5 +1,5 @@
 # Secure copy kubeconfig to all nodes to activate kubelet.service
-resource "null_resource" "copy-kubeconfig" {
+resource "null_resource" "copy-secrets" {
   count = "${length(var.worker_names)}"
 
   connection {
diff --git a/docs/bare-metal.md b/docs/bare-metal.md
index f84f3c55..b4548afb 100644
--- a/docs/bare-metal.md
+++ b/docs/bare-metal.md
@@ -243,9 +243,6 @@ module.bare-metal-mercury.null_resource.copy-secrets.1: Still creating... (10s e
 
 Apply will then loop until it can successfully copy credentials to each machine and start the one-time Kubernetes bootstrap service. Proceed to the next step while this loops.
 
-!!! note ""
-    You may see `terraform apply` fail to `copy-secrets` if it connects before the disk install has completed. Run terraform apply until it reconciles successfully.
-
 ### Power
 
 Power on each machine with the boot device set to `pxe` for the next boot only.