![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![Blue Archive tier list [April 2025]](https://media.pocketgamer.com/artwork/na-33404-1636469504/blue-archive-screenshot-2.jpg?#)
.png?#)
-Baldur’s-Gate-3-The-Final-Patch---An-Animated-Short-00-03-43.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
![Apple to Split Enterprise and Western Europe Roles as VP Exits [Report]](https://www.iclarified.com/images/news/97032/97032/97032-640.jpg)
![Alleged Pixel 10 series wallpapers leak with vibrant colors and a strange new theme [Gallery]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/04/pixel-10-wallpaper-leak-1.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1){kind=tracking}
![Nanoleaf Announces New Pegboard Desk Dock With Dual-Sided Lighting [Video]](https://www.iclarified.com/images/news/97030/97030/97030-640.jpg)
![Apple's Foldable iPhone May Cost Between $2100 and $2300 [Rumor]](https://www.iclarified.com/images/news/97028/97028/97028-640.jpg)
Terraform Random_Password Resource Overview
Generating secure passwords in Terraform can be challenging without a reliable method. The random_password resource from the Terraform Random provider solves this by creating strong, unpredictable passwords for infrastructure automation while ensuring proper security measures. In this article, we will cover how to use random_password for variable-length passwords, multi-user setups, secret storage, and importing existing passwords, along with key differences from random_string. What is Terraform Random provider? The Terraform Random provider (random) generates cryptographically secure pseudo-random values for use in Terraform configurations. It provides resources like random_string, random_id, and random_pet, which help create unique names, passwords, or tokens. These values persist in the Terraform state file but can be re-generated when their arguments change or when forced through lifecycle configurations. It's useful for creating unique resources in both production and testing environments where unique identifiers or credentials are required. What is the Terraform random_password resource? The Terraform random_password resource, part of the Random provider, generates a secure, random password with specific length and complexity requirements. The generated value can be referenced in other resources, such as database configurations or secrets management tools, ensuring no hardcoded passwords exist in your configuration. For example: resource "random_password" "example" { length = 16 special = true upper = true lower = true numeric = true override_special = "!@#%^&*" } output "generated_password" { value = random_password.example.result sensitive = true } The random_password resource is declared with various parameters: length - Defines the number of characters in the password special - Boolean flag to include special characters upper - Boolean flag to include uppercase letters lower - Boolean flag to include lowercase letters numeric - Boolean flag to include numbers override_special - Custom set of special characters Always mark the result of random_password as sensitive = true in any output or resource attribute that uses it. However, note that while this hides the value from Terraform CLI output, the password is still stored in plain text in the Terraform state file. To enhance security, consider using remote state storage with encryption, such as AWS S3 with server-side encryption enabled. (Learn more: Terraform security best practices) How to use random_password resource to generate passwords in Terraform Terraform requires the random provider to use the random_password resource. resource "random_password" "secure_password" { length = 20 special = false upper = true lower = true numeric = true } output "secure_generated_password" { value = random_password.secure_password.result sensitive = true } The parameters we used here: length = 20: Specifies that the password will be 20 characters long special = false: Ensures that special characters (!@#$%^&*(), etc.) are not included, making the password suitable for systems that do not support special characters upper = true: Ensures that uppercase letters are included lower = true: Ensures that lowercase letters are included numeric = true: Ensures that numbers are included The output block defines secure_generated_password, which displays the generated password when running Terraform. However, since sensitive = true is set, the password will not appear in the CLI output to prevent accidental exposure. Generate a password with a variable length You can define a variable and reference it within the random_password resource to generate a password with a dynamically adjustable length in Terraform. For example: provider "random" {} variable "password_length" { description = "Length of the generated password" type = number default = 16 } resource "random_password" "dynamic_password" { length = var.password_length special = true upper = true lower = true numeric = true } output "generated_password" { value = random_password.dynamic_password.result sensitive = true } The variable "password_length" block allows setting the password length dynamically. Here, the default value is 16, but this can be overridden when running Terraform. Then instead of specifying a fixed length, length = var.password_length dynamically sets the password length based on the variable. You can specify a different password length by passing a value using the Terraform CL: terraform apply -var="password_length=20" Generate passwords for multiple users To generate unique passwords for multiple users in Terraform, you can use the random_password resource with the for_each or count meta-argument. In the example below, we'll use for_each
Generating secure passwords in Terraform can be challenging without a reliable method. The random_password resource from the Terraform Random provider solves this by creating strong, unpredictable passwords for infrastructure automation while ensuring proper security measures.
In this article, we will cover how to use random_password for variable-length passwords, multi-user setups, secret storage, and importing existing passwords, along with key differences from random_string.
What is Terraform Random provider?
The Terraform Random provider (random) generates cryptographically secure pseudo-random values for use in Terraform configurations.
It provides resources like random_string, random_id, and random_pet, which help create unique names, passwords, or tokens. These values persist in the Terraform state file but can be re-generated when their arguments change or when forced through lifecycle configurations.
It's useful for creating unique resources in both production and testing environments where unique identifiers or credentials are required.
What is the Terraform random_password resource?
The Terraform random_password resource, part of the Random provider, generates a secure, random password with specific length and complexity requirements. The generated value can be referenced in other resources, such as database configurations or secrets management tools, ensuring no hardcoded passwords exist in your configuration.
For example:
resource "random_password" "example" {
length = 16
special = true
upper = true
lower = true
numeric = true
override_special = "!@#%^&*"
}
output "generated_password" {
value = random_password.example.result
sensitive = true
}
The random_password resource is declared with various parameters:
-
length- Defines the number of characters in the password -
special- Boolean flag to include special characters -
upper- Boolean flag to include uppercase letters -
lower- Boolean flag to include lowercase letters -
numeric- Boolean flag to include numbers -
override_special- Custom set of special characters
Always mark the result of random_password as sensitive = true in any output or resource attribute that uses it. However, note that while this hides the value from Terraform CLI output, the password is still stored in plain text in the Terraform state file. To enhance security, consider using remote state storage with encryption, such as AWS S3 with server-side encryption enabled. (Learn more: Terraform security best practices)
How to use random_password resource to generate passwords in Terraform
Terraform requires the random provider to use the random_password resource.
resource "random_password" "secure_password" {
length = 20
special = false
upper = true
lower = true
numeric = true
}
output "secure_generated_password" {
value = random_password.secure_password.result
sensitive = true
}
The parameters we used here:
-
length = 20: Specifies that the password will be 20 characters long -
special = false: Ensures that special characters (!@#$%^&*(), etc.) are not included, making the password suitable for systems that do not support special characters -
upper = true: Ensures that uppercase letters are included -
lower = true: Ensures that lowercase letters are included -
numeric = true: Ensures that numbers are included
The output block defines secure_generated_password, which displays the generated password when running Terraform. However, since sensitive = true is set, the password will not appear in the CLI output to prevent accidental exposure.
Generate a password with a variable length
You can define a variable and reference it within the random_password resource to generate a password with a dynamically adjustable length in Terraform.
For example:
provider "random" {}
variable "password_length" {
description = "Length of the generated password"
type = number
default = 16
}
resource "random_password" "dynamic_password" {
length = var.password_length
special = true
upper = true
lower = true
numeric = true
}
output "generated_password" {
value = random_password.dynamic_password.result
sensitive = true
}
The variable "password_length" block allows setting the password length dynamically. Here, the default value is 16, but this can be overridden when running Terraform. Then instead of specifying a fixed length, length = var.password_length dynamically sets the password length based on the variable.
You can specify a different password length by passing a value using the Terraform CL:
terraform apply -var="password_length=20"
Generate passwords for multiple users
To generate unique passwords for multiple users in Terraform, you can use the random_password resource with the for_each or count meta-argument.
In the example below, we'll use for_each:
provider "random" {}
variable "users" {
description = "List of users who need passwords"
type = list(string)
default = ["alice", "bob", "charlie"]
}
resource "random_password" "user_passwords" {
for_each = toset(var.users)
length = 16
special = true
upper = true
lower = true
numeric = true
}
output "user_passwords" {
value = { for user in var.users : user => random_password.user_passwords[user].result }
sensitive = true
}
The variable "users" stores a list of usernames that require passwords. We can modify that list to add or remove users dynamically.
To ensure a unique password is generated for each user, the random_password resource iterates over each username in var.users (converted to a set using [toset()](https://spacelift.io/blog/terraform-toset)).
You can also use a map instead of a list to store additional user metadata.
Storing generated passwords in a secret manager
Best practice dictates that generated passwords should be stored in a secure secrets manager rather than in Terraform state files.
In the example below, we'll use random_password and store it in AWS Secrets Manager using the aws_secretsmanager_secret and aws_secretsmanager_secret_version resources.
provider "aws" {
region = "us-east-1"
}
provider "random" {}
# Generate a random password
resource "random_password" "db_password" {
length = 20
special = true
upper = true
lower = true
numeric = true
}
# Create a secret in AWS Secrets Manager
resource "aws_secretsmanager_secret" "db_secret" {
name = "my-database-password"
}
# Store the generated password in AWS Secrets Manager
resource "aws_secretsmanager_secret_version" "db_secret_value" {
secret_id = aws_secretsmanager_secret.db_secret.id
secret_string = jsonencode({
username = "admin"
password = random_password.db_password.result
})
}
output "secret_arn" {
value = aws_secretsmanager_secret.db_secret.arn
}
The provider "aws" block configures Terraform to interact with AWS services. Terraform requires proper authentication credentials, which can be provided via environment variables (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) or IAM roles if running on AWS infrastructure.
Once the password is generated, Terraform creates an AWS Secrets Manager secret using the aws_secretsmanager_secret resource. This secret acts as a container for sensitive data, allowing controlled access through IAM policies.
The actual password is then stored inside this secret using the aws_secretsmanager_secret_version resource. The secret_string field is defined using jsonencode({ username = "admin", password = random_password.db_password.result }), which securely structures the credentials as a JSON object containing both a username and password.
To avoid exposing the password in Terraform output, only the ARN (Amazon Resource Name) of the secret is displayed using an output block. This ARN can be used to reference the secret securely in other AWS resources, such as RDS instances or Lambda functions. The actual password can be retrieved securely using the AWS CLI command:
aws secretsmanager get-secret-value --secret-id my-database-password --query SecretString --output text
If you are using a different secrets manager, such as, HashiCorp Vault, the vault_generic_secret resource stores the password, and the vault provider handles authentication and retrieval.
