Terraform: How to generate passwords

Last updated: February 03, 2024

Introduction

Terraform, a powerful tool created by HashiCorp, is synonymous with infrastructure as code (IaC). It allows for the provisioning and management of infrastructure through code. An essential part of setting up infrastructure includes creating and managing secrets, such as passwords. This tutorial explores various methods to generate passwords in Terraform, ranging from simple random string generation to more sophisticated methods involving external data sources and modules.

Prerequisites

  • Terraform installed
  • Basic understanding of Terraform syntax and operations
  • A text editor (e.g., VSCode, Atom)

Using the Random Provider

The random provider in Terraform can generate random values, serving as a simple method for password generation. This approach is ideal for creating a straightforward, hard-to-guess password.

terraform {
  required_providers {
    random = {
      source  = "hashicorp/random"
      version = "> 2.0"
    }
  }
}

resource "random_password" "password" {
  length  = 16
  special = true
}

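output "generated_password" {
  value     = random_password.password.result
  sensitive = true # required: random_password.result is a sensitive value
}

To initialize Terraform with the random provider, run `terraform init`. After adding the above code to your configuration and running `terraform apply`, Terraform generates a 16-character password that includes special characters. Because the output is marked sensitive, `terraform apply` prints it as `<sensitive>`; run `terraform output -raw generated_password` to read the value. The password is also stored in plain text in the Terraform state file, so the state needs the same protection as the secret itself.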

Advanced Randomization

For more control over the complexity of the generated password, you can introduce additional arguments, like excluding certain characters or ensuring a specific number of digits or upper-case letters.

resource "random_password" "advanced_password" {
  length           = 20
  special          = true
  override_special = "_@#%&"
  min_upper        = 2
  min_numeric      = 2
  min_special      = 2
}

This configuration generates a 20-character password, with at least two upper-case letters, two numbers, and two special characters from the specified subset.

Combining Resources for Unique Passwords

Sometimes, you may want to combine multiple resources or inputs to create a unique password. This can include using other data sources, external files, or even concatenating multiple random strings.

resource "random_string" "prefix" {
  length  = 4
  special = false
}

resource "random_password" "suffix" {
  length  = 12
  special = true
}

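output "combined_password" {
  value     = "${random_string.prefix.result}${random_password.suffix.result}"
  sensitive = true # required: the value contains random_password.suffix.result
}

This method combines a 4-character string (without special characters) with a 12-character password, creating a 16-character mixed complexity password. Unlike `random_password`, `random_string` does not treat its result as sensitive, so the four prefix characters are displayed in plan and apply output; only the 12-character suffix stays hidden.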

Using External Data and Modules for Password Generation

Beyond built-in capabilities, Terraform can integrate with external data sources and modules to facilitate more complex scenarios. For instance, you can generate a password using an API or a custom Terraform module tailored to your organization’s password policies.

data "external" "password_generator" {
  program = ["your_external_script.sh"]
}

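output "external_generated_password" {
  value     = data.external.password_generator.result.password
  sensitive = true # keep the password out of plan/apply output
}

This example assumes the existence of an external script (`your_external_script.sh`) that outputs a JSON object with a password. Terraform retrieves the password through the external data block and makes it available for use. Two caveats apply: the external data source does not mark its result as sensitive, so set `sensitive = true` wherever the value is exposed, and the script runs again on every plan, so a script that generates a fresh random value returns a different password each time.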
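One way the assumed `your_external_script.sh` could look, added here as an example and not taken from the original article. It follows the external data source contract (JSON query on stdin, a flat JSON object of string values on stdout); the `length` query key, the 12 to 128 bounds and the function names are assumptions, and the character set and minimum counts mirror the `advanced_password` resource shown earlier.

```shell
#!/bin/sh
# Added example (not from the original article): a body for the hypothetical
# your_external_script.sh, following the external data source protocol:
# JSON query on stdin, one flat JSON object of string values on stdout,
# non-zero exit plus a message on stderr on failure.

CHARSET='A-Za-z0-9_@#%&'   # JSON-safe: nothing here needs escaping

# count_class STRING TR_SET -> number of characters of STRING inside TR_SET
count_class() {
  echo $(( $(printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c) ))
}

# meets_policy STRING -> 0 when it has >= 2 upper-case, digits and specials
meets_policy() {
  [ "$(count_class "$1" 'A-Z')" -ge 2 ] &&
  [ "$(count_class "$1" '0-9')" -ge 2 ] &&
  [ "$(count_class "$1" '_@#%&')" -ge 2 ]
}

# parse_length QUERY -> "length" value of a flat query; 20 if absent or non-numeric
parse_length() {
  len=$(printf '%s' "$1" |
    sed -n 's/.*"length"[[:space:]]*:[[:space:]]*"\([0-9][0-9]*\)".*/\1/p')
  echo "${len:-20}"
}

# generate_password LENGTH -> policy-compliant password from the kernel CSPRNG
generate_password() {
  case "$1" in ''|*[!0-9]*) echo "length must be an integer" >&2; return 1 ;; esac
  if [ "$1" -lt 12 ] || [ "$1" -gt 128 ]; then
    echo "length must be between 12 and 128" >&2; return 1
  fi
  while :; do   # rejection sampling: uniform over policy-compliant passwords
    pw=$(LC_ALL=C tr -dc "$CHARSET" < /dev/urandom | head -c "$1")
    if meets_policy "$pw"; then printf '%s\n' "$pw"; return 0; fi
  done
}

main() {
  query=$(cat)                          # Terraform sends the query as JSON
  pw=$(generate_password "$(parse_length "$query")") || exit 1
  printf '{"password":"%s"}\n' "$pw"    # the password is never written to stderr
}

# Run only when saved under the article's script name, so sourcing has no side effects.
case "$0" in *your_external_script.sh) main ;; esac
```

Save it under the script name used above and make it executable; a length can be passed through the data source's `query` argument.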

Conclusion

Terraform’s versatility makes it an excellent tool for generating and managing passwords within your infrastructure. Whether you need a simple random password or a more complex, policy-driven secret, Terraform, combined with its random provider, external data sources, and modules, can meet those needs. By leveraging these capabilities, you can enforce strong password policies, ensuring your infrastructure remains secure.
