Terraform: How to generate passwords

Updated: February 3, 2024 By: Guest Contributor

Introduction

Terraform, a powerful tool created by HashiCorp, is synonymous with infrastructure as code (IaC). It allows for the provisioning and management of infrastructure through code. An essential part of setting up infrastructure includes creating and managing secrets, such as passwords. This tutorial explores various methods to generate passwords in Terraform, ranging from simple random string generation to more sophisticated methods involving external data sources and modules.

Prerequisites

  • Terraform installed
  • Basic understanding of Terraform syntax and operations
  • A text editor (e.g., VSCode, Atom)

Using the Random Provider

The random provider can generate random values, and its `random_password` resource is the simplest way to create a password in Terraform. The value is generated once at apply time and stored in state, so later runs reuse it rather than generating a new one, and its `result` attribute is marked sensitive, so Terraform redacts it in plan and apply output. (`random_string` generates values the same way but does not mark them sensitive; use `random_password` for anything that is a secret.)

terraform {
  required_providers {
    random = {
      source  = "hashicorp/random"
      version = "~> 3.0"   # pin the major version; random_password and the min_* arguments are available in 3.x
    }
  }
}

resource "random_password" "password" {
  length  = 16
  special = true
}

output "generated_password" {
  value     = random_password.password.result
  sensitive = true   # required: result is sensitive and Terraform refuses to export it otherwise
}

Run `terraform init` to download the random provider, then `terraform apply`. Terraform generates a 16-character password that includes special characters. Because `result` is sensitive, the output must be declared with `sensitive = true` (Terraform refuses to export it otherwise) and apply prints it as `<sensitive>`; read it with `terraform output -raw generated_password`. Note that the value is stored in plain text in the Terraform state file, so anyone who can read the state can read the password: keep state in a remote backend with encryption at rest and restrict who can access it.

Advanced Randomization

For more control over the composition of the password, `random_password` accepts arguments that restrict the character set (`override_special`) or require a minimum number of characters of each class (`min_upper`, `min_lower`, `min_numeric`, `min_special`). Use these to satisfy the password policy of the system that will consume the value, for example a database engine that rejects certain punctuation.

resource "random_password" "advanced_password" {
  length           = 20
  special          = true
  override_special = "_@#%&"
  min_upper        = 2
  min_numeric      = 2
  min_special      = 2
}

This configuration generates a 20-character password with at least two upper-case letters, two digits and two special characters. `override_special` replaces the provider's default special-character set with `_@#%&`, which matters when the consuming system rejects characters such as quotes or backslashes. Changing any of these arguments forces Terraform to generate a new password on the next apply; to rotate a password on demand without touching the policy, add a `keepers` map to the resource and change one of its values.

Combining Resources for Unique Passwords

Sometimes you may want to combine multiple resources or inputs into one value, for example a readable prefix followed by random material. Be clear about what this does and does not buy you: concatenation adds no strength, so a 4-character `random_string` followed by a 12-character `random_password` is no stronger than a single 16-character `random_password`, and because `random_string` is not sensitive, the prefix appears in clear text in plan output and in state.

resource "random_string" "prefix" {
  length  = 4
  special = false   # alphanumeric only; this part is NOT sensitive and shows in plan output
}

resource "random_password" "suffix" {
  length  = 12
  special = true
}

output "combined_password" {
  value     = "${random_string.prefix.result}${random_password.suffix.result}"
  sensitive = true   # the interpolation contains a sensitive value, so the whole output is sensitive
}

This produces a 16-character value with a 4-character alphanumeric prefix and a 12-character suffix that may contain special characters. Because the interpolation includes a sensitive value, Terraform treats the whole output as sensitive and requires `sensitive = true` on it. Only the 12 suffix characters are actually secret, so size the `random_password` part, not the combined length, to your policy.

Using External Data and Modules for Password Generation

Beyond the built-in resources, Terraform can call an external program through the `external` data source, for example a script that talks to a password API or implements an organisation-specific policy, and such logic can be wrapped in a module for reuse. Declare the `external` provider (`hashicorp/external`) in `required_providers` alongside `random`.

data "external" "password_generator" {
  # Run the script from the module directory rather than relying on PATH
  program = ["sh", "${path.module}/your_external_script.sh"]
  # Sent to the program as a JSON object on stdin; all values must be strings
  query = {
    length = "20"
  }
}

output "external_generated_password" {
  value     = data.external.password_generator.result.password
  sensitive = true   # the external provider does not mark results sensitive for you
}

This example assumes an external script (`your_external_script.sh`) that follows the external data source's protocol: it receives the `query` map as a JSON object on stdin, writes a flat JSON object whose values are all strings (here `{"password": "..."}`) to stdout, and on failure writes a message to stderr and exits non-zero. Two caveats make this approach riskier than `random_password`. First, a data source is re-read on every plan and apply, so a script that draws fresh randomness each run yields a different password every time and churns everything that depends on it; either make the script deterministic from its inputs (for example, have it fetch an existing secret rather than mint one) or generate with `random_password` plus `keepers` and reserve the external program for policy checks. Second, the result is stored in state and, unless the output is marked sensitive, printed in plan output in clear text.
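A script that satisfies that contract, added here as an example and not taken from the original article: it reads the optional `length` from the query, generates the password from `/dev/urandom` restricted to a character set that needs no JSON escaping, validates the request, and emits the JSON object Terraform expects. The file name `gen_password.sh`, the 12 to 128 length bounds and the character set are assumptions.

```shell
#!/bin/sh
# gen_password.sh: program for Terraform's "external" data source.
# Contract: Terraform writes the `query` map as a JSON object on stdin and
# expects a flat JSON object with string values on stdout; any failure is
# reported on stderr with a non-zero exit status.
# Added example; script name, length bounds and character set are assumptions.
set -eu

# Character set for the password. It deliberately excludes '"' and '\', so the
# result can be placed in the JSON output without escaping.
CHARSET='A-Za-z0-9_@#%&'

# is_uint WORD: succeed if WORD is a non-empty string of decimal digits.
is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *)           return 0 ;;
  esac
}

# query_value KEY JSON: extract the string value of KEY from the flat
# {"key":"value"} object Terraform sends. This minimal extractor is enough for
# that shape; prefer jq on runners where it is available.
query_value() {
  printf '%s' "$2" | sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p"
}

# gen_password LENGTH: LENGTH characters drawn from CHARSET using the kernel
# CSPRNG (/dev/urandom), not the shell's $RANDOM.
gen_password() {
  LC_ALL=C tr -dc "$CHARSET" </dev/urandom | head -c "$1"
}

# main: read the query, validate the requested length, generate the password
# and print the JSON result Terraform will expose as result.password.
main() {
  query=$(cat)
  length=$(query_value length "$query")
  [ -n "$length" ] || length=20
  if ! is_uint "$length" || [ "$length" -lt 12 ] || [ "$length" -gt 128 ]; then
    echo "gen_password.sh: length must be an integer from 12 to 128, got '$length'" >&2
    return 1
  fi
  printf '{"password":"%s"}\n' "$(gen_password "$length")"
}

# Run only when executed as the script itself, so the functions can also be
# sourced and tested without consuming stdin.
case "${0##*/}" in
  gen_password.sh) main ;;
esac
```

Place the file beside the configuration and point `program` at it as in the block above; to exercise it by hand, run `printf '{"length":"20"}' | sh gen_password.sh`. Keep the script in version control with the rest of the module so that changes to how secrets are minted go through the same review as the Terraform code.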

Conclusion

Terraform's random provider covers most password-generation needs, and the external data source and modules extend it to policy-driven cases. Whichever method you use, remember that Terraform is a generator, not a vault: every generated value lives in plain text in the state file, so protect state with an encrypted remote backend and tight access controls, mark outputs that carry secrets as sensitive, and where possible hand the password directly to the consuming resource or a secret manager rather than exposing it to people through outputs.