Level Up Your Infrastructure Security: Generating Random Passwords with Terraform

In infrastructure automation, security is paramount. One crucial aspect of securing your infrastructure is using strong, random passwords for resources such as databases, services, and user accounts. Hardcoding passwords in configuration files is a major security risk, and committing those files to a code repository makes it worse: the secret is copied to every clone and survives in the history long after someone "removes" it.

This post introduces a secure approach to password management using Terraform's random_password resource from the hashicorp/random provider. It generates a random, complex password during provisioning, so nobody has to invent one by hand or check it into version control. One caveat up front: the generated value is written to Terraform state in plaintext, so protecting the state backend is part of the design, not an afterthought.

Benefits of Using Terraform's random_password Resource:

  • Enhanced Security: Long random passwords resist guessing, brute force and credential reuse in a way that predictable or shared passwords do not.

  • Improved Infrastructure Management: Automating password generation removes a manual step from provisioning, making it faster and consistent across environments.

  • Centralized Management: The generated value lives in Terraform state rather than being scattered across wikis, chat messages and laptops. Because it is stored there in plaintext (the sensitive flag only affects CLI display), use a remote backend with encryption at rest and strict access control, and treat read access to state as equivalent to holding every secret in it.

terraform {
  required_providers {
    random = {
      source  = "hashicorp/random"
      version = ">= 3.3.0"   # 'numeric' replaced the older 'number' argument in 3.3
    }
  }
}

# Change this value to force a new password; leave it alone to keep the current one.
variable "password_rotation" {
  type    = string
  default = "2024-01"
}

resource "random_password" "password_generator" {
  length      = 16     # Required (no default); must be >= the sum of the min_* values below
  lower       = true   # Include lowercase characters (default: true)
  upper       = true   # Include uppercase characters (default: true)
  numeric     = true   # Include numeric characters (default: true)
  special     = true   # Include special characters (default: true)
  min_lower   = 3      # Minimum number of lowercase characters (default: 0)
  min_upper   = 3      # Minimum number of uppercase characters (default: 0)
  min_numeric = 3      # Minimum number of numeric characters (default: 0)
  min_special = 3      # Minimum number of special characters (default: 0)

  # override_special is a string listing the special characters allowed, not a boolean.
  # Restrict it when the consumer rejects some characters (for example, RDS master
  # passwords disallow '/', '"', '@' and space).
  override_special = "!#$%&*()-_=+[]{}<>:?"

  # keepers: the password is regenerated only when one of these values changes.
  # Reference a stable value here. timestamp() changes on every plan and would
  # force a new password on every apply.
  keepers = {
    rotation = var.password_rotation
  }
}

output "password_result" {
  value     = random_password.password_generator.result
  sensitive = true   # Redacted by plain `terraform output`; still printed by -json and -raw
}
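The snippet above stops at an output, which is the least safe place for a password to end up. The following is an added example (not code from the original post) showing the pattern a practitioner would normally use instead: the generated password is handed directly to the resource that needs it and to a secret store in the same apply, and the only output is a handle to that secret. The bucket, lock table, secret name and database settings are illustrative assumptions.

```hcl
# Added example, not part of the original post. Bucket, table, secret and
# database names are assumptions chosen for illustration.

terraform {
  required_providers {
    aws    = { source = "hashicorp/aws" }
    random = { source = "hashicorp/random" }
  }

  # random_password.result is stored in state in plaintext regardless of
  # `sensitive = true`, so the backend must be encrypted and access-controlled.
  backend "s3" {
    bucket         = "example-terraform-state"   # assumed bucket name
    key            = "db/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "example-terraform-locks"   # assumed lock table
  }
}

# Bump this value to rotate the password; nothing else triggers regeneration.
variable "password_rotation" {
  type    = string
  default = "2024-01"
}

resource "random_password" "db" {
  length      = 32
  min_lower   = 1
  min_upper   = 1
  min_numeric = 1
  min_special = 1
  # RDS rejects '/', '"', '@' and space in master passwords, so exclude them.
  override_special = "!#$%&*()-_=+[]{}<>:?"
  keepers = {
    rotation = var.password_rotation
  }
}

resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app_admin"
  password            = random_password.db.result   # consumed directly, never printed
  skip_final_snapshot = true
}

resource "aws_secretsmanager_secret" "db" {
  name = "app/db/master"   # assumed secret name
}

# Store the credential where consumers can fetch it with their own IAM permissions.
resource "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.id
  secret_string = jsonencode({
    username = aws_db_instance.app.username
    password = random_password.db.result
    host     = aws_db_instance.app.address
    port     = aws_db_instance.app.port
  })
}

# Expose a handle, not the secret. Nobody needs `terraform output` to read the password.
output "db_secret_arn" {
  value = aws_secretsmanager_secret.db.arn
}
```

With this layout the password never appears in a CI log or on a terminal; applications read it from Secrets Manager and rotation is a one-line change to `password_rotation`. The state file still contains the value, which is why the backend above enables encryption and locking. Newer releases (Terraform 1.11 and random provider 3.7 or later) add an ephemeral `random_password` block and write-only resource arguments that avoid persisting the value in state at all; check your provider versions before relying on them.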

Checking Terraform Output Values (While Maintaining Security):

Plain `terraform output` honours `sensitive = true` and prints `<sensitive>` in place of the value. `terraform output -json` does not: it dumps every output, sensitive or not, to the terminal and to any CI log that captures it, so avoid it for configurations that contain secrets.

[root@balapradeeps] terraform output -json
{
  "password_result": {
    "sensitive": true,
    "type": "string",
    "value": "tZ9u6vpPG0ynpuyI"
  }
}

If a person or a script genuinely needs the value, request only that one output with -raw. It still prints the plaintext, so pipe it straight into its destination (a secret manager CLI, a kubectl create secret command, an environment variable for a one-off migration) instead of reading it off the screen, and remember that shell history and CI logs may retain it:

Use terraform output -raw password_result

[root@balapradeeps] terraform output -raw password_result
tZ9u6vpPG0ynpuyI

Conclusion:

By employing the techniques outlined in this post, you can generate and manage random passwords within your Terraform configurations and improve the security posture of your infrastructure while streamlining provisioning. Keep in mind that random_password moves the secret from your code into your state file; securing the state backend, and feeding the value straight to the resource or secret store that needs it rather than to an output, is what makes the approach safe.