Generate Random Password with Terraform

When managing infrastructure as code (IaC) with Terraform, there are instances where securely generating random passwords becomes essential.

Terraform’s random_password resource provides a way to generate secure, random passwords without relying on external tools. These passwords can be used for:

  • Database credentials
  • Application secrets
  • User account passwords

With Terraform, you can easily manage these passwords in your infrastructure code while maintaining security and repeatability.

This article walks you through the process of using Terraform to generate random passwords with examples.

Setting up the random provider

First, add the random provider to your Terraform configuration. Here’s a minimal example:

terraform {
  required_providers {
    random = {
      source = "hashicorp/random"
      version = "3.5.1"
    }
  }
}

provider "random" {}

The random provider is a standard Terraform provider maintained by HashiCorp.

Example 1: Basic password generation

The random_password resource is designed to generate secure passwords. Below is an example of how to use it in your Terraform configuration.

resource "random_password" "example_password" {
  length           = 16
  special          = true
  upper            = true
  lower            = true
  number           = true
  override_special = "@#$%"
}

output "generated_password" {
  value = random_password.example_password.result
}

Here is the explanation of each parameters:

  • length: Specifies the password length.
  • special: Includes special characters in the password.
  • upper and lower: Include uppercase and lowercase letters.
  • number: Adds numeric digits.
  • override_special: Restricts special characters to a defined set.

After creating a Terraform file, initialize the working directory:

terraform init

Review the plan.

terraform plan

Apply the configuration.

terraform apply

Terraform will display the generated password in the output section.

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

generated_password = "A1b@2C#d$3E%f4G^"

Example 2: Password generation with variable length

To make the password length configurable, use variables in your configuration:

variable "password_length" {
  default = 20
}

resource "random_password" "variable_length_password" {
  length = var.password_length
}

output "variable_length_password" {
  value = random_password.variable_length_password.result
}

Follow the same steps to initialize and apply the configuration. You can modify the password_length variable to generate passwords of different lengths.

Example 3: Storing generated password in a secret manager

Instead of displaying the password in Terraform outputs, securely store it in AWS Secrets Manager:

resource "random_password" "aws_secret_password" {
  length  = 24
  special = true
}

resource "aws_secretsmanager_secret" "example" {
  name = "example_secret"
}

resource "aws_secretsmanager_secret_version" "example" {
  secret_id     = aws_secretsmanager_secret.example.id
  secret_string = random_password.aws_secret_password.result
}

In this example, the generated password is stored securely in AWS Secrets Manager.

Example 4: Password generation for multiple users

To generate passwords for multiple users, you can use a for_each loop:

variable "usernames" {
  default = ["user1", "user2", "user3"]
}

resource "random_password" "user_passwords" {
  for_each = toset(var.usernames)

  length  = 12
  special = true
}

output "user_passwords" {
  value = { for username, password in random_password.user_passwords : username => password.result }
}

This configuration generates unique passwords for each user defined in the usernames variable.

💡 Tips on storing and managing passwords securely

While Terraform can generate and display passwords, it’s crucial to handle these securely:

  • Avoid Hardcoding Passwords: Use variables to keep your configuration clean.
variable "password_length" {
  default = 16
}

resource "random_password" "example_password" {
  length = var.password_length
}
  • Use Outputs Sparingly: Avoid displaying sensitive information in logs or outputs in production.

Integrate with Secret Managers: Store the generated passwords in secret managers like AWS Secrets Manager or HashiCorp Vault.

Example with AWS Secrets Manager:

resource "aws_secretsmanager_secret_version" "example" {
  secret_id     = aws_secretsmanager_secret.example.id
  secret_string = random_password.example_password.result
}

Conclusion

Generating random passwords with Terraform is a simple yet powerful way to enhance the security of your infrastructure. By leveraging the random_password resource, you can automate and centralize password management within your IaC workflows.

✍️
Author: Hitesh Jethwa has more than 15+ years of experience with Linux system administration and DevOps. He likes to explain complicated topics in easy to understand way.