When managing infrastructure as code (IaC) with Terraform, there are instances where securely generating random passwords becomes essential.
Terraform’s random_password
resource provides a way to generate secure, random passwords without relying on external tools. These passwords can be used for:
- Database credentials
- Application secrets
- User account passwords
With Terraform, you can easily manage these passwords in your infrastructure code while maintaining security and repeatability.
This article walks you through the process of using Terraform to generate random passwords with examples.
Setting up the random provider
First, add the random
provider to your Terraform configuration. Here’s a minimal example:
terraform {
required_providers {
random = {
source = "hashicorp/random"
version = "3.5.1"
}
}
}
provider "random" {}
The random
provider is a standard Terraform provider maintained by HashiCorp.
Example 1: Basic password generation
The random_password
resource is designed to generate secure passwords. Below is an example of how to use it in your Terraform configuration.
resource "random_password" "example_password" {
length = 16
special = true
upper = true
lower = true
number = true
override_special = "@#$%"
}
output "generated_password" {
value = random_password.example_password.result
}
Here is the explanation of each parameters:
length
: Specifies the password length.special
: Includes special characters in the password.upper
andlower
: Include uppercase and lowercase letters.number
: Adds numeric digits.override_special
: Restricts special characters to a defined set.
After creating a Terraform file, initialize the working directory:
terraform init
Review the plan.
terraform plan
Apply the configuration.
terraform apply
Terraform will display the generated password in the output section.
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Outputs:
generated_password = "A1b@2C#d$3E%f4G^"
Example 2: Password generation with variable length
To make the password length configurable, use variables in your configuration:
variable "password_length" {
default = 20
}
resource "random_password" "variable_length_password" {
length = var.password_length
}
output "variable_length_password" {
value = random_password.variable_length_password.result
}
Follow the same steps to initialize and apply the configuration. You can modify the password_length
variable to generate passwords of different lengths.
Example 3: Storing generated password in a secret manager
Instead of displaying the password in Terraform outputs, securely store it in AWS Secrets Manager:
resource "random_password" "aws_secret_password" {
length = 24
special = true
}
resource "aws_secretsmanager_secret" "example" {
name = "example_secret"
}
resource "aws_secretsmanager_secret_version" "example" {
secret_id = aws_secretsmanager_secret.example.id
secret_string = random_password.aws_secret_password.result
}
In this example, the generated password is stored securely in AWS Secrets Manager.
Example 4: Password generation for multiple users
To generate passwords for multiple users, you can use a for_each
loop:
variable "usernames" {
default = ["user1", "user2", "user3"]
}
resource "random_password" "user_passwords" {
for_each = toset(var.usernames)
length = 12
special = true
}
output "user_passwords" {
value = { for username, password in random_password.user_passwords : username => password.result }
}
This configuration generates unique passwords for each user defined in the usernames
variable.
💡 Tips on storing and managing passwords securely
While Terraform can generate and display passwords, it’s crucial to handle these securely:
- Avoid Hardcoding Passwords: Use variables to keep your configuration clean.
variable "password_length" {
default = 16
}
resource "random_password" "example_password" {
length = var.password_length
}
- Use Outputs Sparingly: Avoid displaying sensitive information in logs or outputs in production.
Integrate with Secret Managers: Store the generated passwords in secret managers like AWS Secrets Manager or HashiCorp Vault.
Example with AWS Secrets Manager:
resource "aws_secretsmanager_secret_version" "example" {
secret_id = aws_secretsmanager_secret.example.id
secret_string = random_password.example_password.result
}
Conclusion
Generating random passwords with Terraform is a simple yet powerful way to enhance the security of your infrastructure. By leveraging the random_password
resource, you can automate and centralize password management within your IaC workflows.
✍️
Author: Hitesh Jethwa has more than 15+ years of experience with Linux system administration and DevOps. He likes to explain complicated topics in easy to understand way.