Terraform Random Password

Terraform Random Password

Let’s learn how to generate a random password using Terraform. 

If you have already tried to deploy one AWS RDS, AWS Secret Manager, AWS MSK, or anything that requires authentication, you need to manually define passwords on your Terraform. However, you can use the approach below with any cloud provider, like Azure, or Google Cloud.

The Terraform provides us with different features that allow us to generate random strings, and this is great because we don’t need to rely on another script, or language to generate a password for us.

Terraform Random Password

The Terraform provides us two different resources that enable us to generate random strings: random_string and random_string.

What is the difference between random_string and random_password?

Both have the same arguments (schema) and do the same function: generate a random string. However, the random_password does not shows the output in the console.

So, let’s see how to create a random password, using random_password:

In the example below, we are creating a random password and later we are storing that password on the Secret Manager.

resource "random_password" "secret" {
  length           = 16
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}
resource "aws_secretsmanager_secret_version" "app-secret-version-bitslovers" {
  secret_id     = aws_secretsmanager_secret.app-secret-version-bitslovers.id
  secret_string = jsonencode({ username = var.user_admin, password = random_password.secret.result })
}

Look at override_special. We can define our own list of special characters to utilize to create the string, when we define a value for that, we are overriding the default character list in the special argument. The special argument must explicitly be set to true to use our list.

Also, use the result property to retrieve the value generated. If you perform the “terraform plan“, the output for that value will be removed and should see the string “(sensitive value)” instead of the original value.

If we decide to create a random string that represents our user? How generate a string that is readable for us humans? Short answer random_pet

Generating Random Names

Let’s imagine the scenario above, that we need to create one Secret using the AWS Secret Manager and we need besides the password we need to provide a random username. Let’s how we can do it using random_pet.

What is random_pet?

Creates random pet names that are planned to be utilized as distinctive identifiers for different resources. (You can use it to find a good name for your dog too…)

Terraform Random Pet Example

resource "random_pet" "username" {}

Yeap, you aren’t crazy. There is no required argument. So, to use it in our Secret:

resource "aws_secretsmanager_secret_version" "app-secret-version-bitslovers" {
  secret_id     = aws_secretsmanager_secret.app-secret-version-bitslovers.id
  secret_string = jsonencode({ username = random_pet.username, password = random_password.secret.result })
}

Terraform Random Number

Right now, if you are looking for a solution that generates a random number, you can use the random_number. But, if you plan to use it for a password, it’s not recommended. First, it will generate a weak password, and second, the password will be printed in the console log, not a good deal.

# The following example shows how to generate a random priority between 1 and 99999:

resource "random_integer" "priority" {
  min = 1
  max = 99999
}

Leave a Comment

Your email address will not be published.