Random Password
The random_password resource generates cryptographically secure random passwords with configurable character sets and constraints. It supports customizable requirements for uppercase, lowercase, numeric, and special characters.
HCL Syntax
Basic Syntax
```hcl
resource "random_password" "name" {
  length = 16
}
```
Full Syntax
```hcl
resource "random_password" "name" {
  length = 32

  # Character set options
  special = true
  numeric = true
  lower   = true
  upper   = true

  # Minimum requirements
  min_special = 2
  min_numeric = 2
  min_lower   = 2
  min_upper   = 2

  # Custom special characters
  override_special = "!@#$%^&*"
}
```
Fields
Field | Type | Required | Description |
---|---|---|---|
length | int | ✓ | Length of the password to generate |
special | bool | | Include special characters. Defaults to true |
numeric | bool | | Include numeric characters (0-9). Defaults to true |
lower | bool | | Include lowercase letters (a-z). Defaults to true |
upper | bool | | Include uppercase letters (A-Z). Defaults to true |
min_special | int | | Minimum number of special characters. Defaults to 0 |
min_numeric | int | | Minimum number of numeric characters. Defaults to 0 |
min_lower | int | | Minimum number of lowercase characters. Defaults to 0 |
min_upper | int | | Minimum number of uppercase characters. Defaults to 0 |
override_special | string | | Custom special characters to use. Defaults to the standard special character set |
Computed Attributes
These attributes are set by the system after password generation:
Field | Type | Description |
---|---|---|
value | string | The generated password |
Validation Rules
- Length must be greater than 0
- Sum of all minimum requirements cannot exceed the total length
- At least one character type must be enabled
- Generated passwords remain constant across multiple runs (idempotent)
- Passwords are cryptographically secure
Examples
Simple Password
```hcl
resource "random_password" "admin" {
  length = 12
}

output "admin_password" {
  value     = resource.random_password.admin.value
  sensitive = true
}
```
Database Password with Requirements
```hcl
resource "random_password" "db_password" {
  length = 24

  min_upper   = 2
  min_lower   = 2
  min_numeric = 2
  min_special = 2
}

resource "container" "database" {
  image {
    name = "postgres:15"
  }

  environment = {
    POSTGRES_PASSWORD = resource.random_password.db_password.value
  }
}
```
API Key Generation
```hcl
resource "random_password" "api_key" {
  length  = 32
  special = false # Only alphanumeric
}

resource "template" "config" {
  source = <<-EOF
    api:
      key: "${resource.random_password.api_key.value}"
      timeout: 30
  EOF

  destination = "./config/api.yaml"
}
```
Custom Special Characters
```hcl
resource "random_password" "secure_token" {
  length           = 20
  override_special = "!@#$%" # Only these special chars

  min_special = 3
  min_numeric = 3
  min_upper   = 3
  min_lower   = 3
}
```
Multiple Service Passwords
```hcl
# Database password
resource "random_password" "postgres_password" {
  length      = 16
  min_upper   = 1
  min_numeric = 2
  min_special = 1
}

# Redis password
resource "random_password" "redis_password" {
  length  = 20
  special = false # Redis doesn't handle some special chars well
}

# Application secret
resource "random_password" "app_secret" {
  length           = 32
  min_special      = 4
  override_special = "@#$%^&*"
}

resource "template" "env_file" {
  source = <<-EOF
    # Database
    POSTGRES_PASSWORD=${resource.random_password.postgres_password.value}

    # Redis
    REDIS_PASSWORD=${resource.random_password.redis_password.value}

    # Application
    APP_SECRET=${resource.random_password.app_secret.value}
  EOF

  destination = "./.env"
}
```
Numeric-Only PIN
```hcl
resource "random_password" "pin" {
  length = 6

  # Only numbers
  special = false
  upper   = false
  lower   = false
  numeric = true
}
```
Username and Password Combination
```hcl
resource "random_id" "username_suffix" {
  byte_length = 4
}

resource "random_password" "user_password" {
  length = 14

  min_upper   = 2
  min_lower   = 2
  min_numeric = 2
  min_special = 1
}

resource "template" "user_credentials" {
  source = <<-EOF
    username: user_${resource.random_id.username_suffix.hex}
    password: ${resource.random_password.user_password.value}
  EOF

  destination = "./credentials.yaml"
}
```
Security Considerations
Sensitive Values
Always mark password outputs as sensitive:
```hcl
output "database_password" {
  value     = resource.random_password.db.value
  sensitive = true
}
```
Storage Security
```hcl
# Good: Use in environment variables or config files
resource "container" "app" {
  environment = {
    DB_PASSWORD = resource.random_password.db.value
  }
}

# Avoid: Don't log or output passwords directly
resource "exec" "bad_example" {
  script = "echo 'Password: ${resource.random_password.db.value}'" # DON'T DO THIS
}
```
Best Practices
- Length: Use at least 12 characters for production passwords
- Complexity: Include multiple character types for stronger passwords
- Minimums: Set minimum requirements for critical applications
- Special Characters: Consider target system limitations when choosing special chars
- Sensitive Data: Always mark password outputs as sensitive
- Rotation: Generate new passwords by changing resource names or recreating resources
- Documentation: Document password requirements and usage
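To put numbers on the length, complexity and minimums advice, the following added example (not the tool's own code) checks a configuration against the Validation Rules listed earlier and computes an upper bound on the entropy of the resulting password. The dictionary layout, the function names and the `ASSUMED_SPECIAL` stand-in for the default special set (which the page does not list) are assumptions.

```python
import math
import string

# Assumption: the page does not list the standard special set; this is a stand-in.
ASSUMED_SPECIAL = "!@#$%&*()-_=+[]{}<>:?"
CHARS = {"special": ASSUMED_SPECIAL, "numeric": string.digits,
         "lower": string.ascii_lowercase, "upper": string.ascii_uppercase}
KINDS = tuple(CHARS)

def alphabets(cfg):
    """Map each enabled character type to (alphabet size, configured minimum)."""
    chars = dict(CHARS, special=cfg.get("override_special", ASSUMED_SPECIAL))
    return {k: (len(set(chars[k])), cfg.get("min_" + k, 0))
            for k in KINDS if cfg.get(k, True)}

def validate(cfg):
    """Return the page's validation rules that this configuration breaks."""
    errors = []
    if cfg["length"] <= 0:
        errors.append("length must be greater than 0")
    if sum(cfg.get("min_" + k, 0) for k in KINDS) > cfg["length"]:
        errors.append("sum of minimums exceeds length")
    if not alphabets(cfg):
        errors.append("no character type enabled")
    return errors

def max_entropy_bits(cfg):
    """log2 of the count of valid passwords: an upper bound, reached only by a uniform generator."""
    if validate(cfg):
        raise ValueError("invalid configuration")
    length = cfg["length"]
    ways = [1] + [0] * length  # ways[u] = number of ways to fill u chosen positions
    for size, minimum in alphabets(cfg).values():
        nxt = [0] * (length + 1)
        for used, count in enumerate(ways):
            for n in range(minimum, length - used + 1):  # n characters of this type
                nxt[used + n] += count * math.comb(length - used, n) * size ** n
        ways = nxt
    return math.log2(ways[length])

# Constructed from the page's own examples (pin, api_key, secure_token).
PIN = {"length": 6, "special": False, "upper": False, "lower": False}
API_KEY = {"length": 32, "special": False}
TOKEN = {"length": 20, "override_special": "!@#$%", "min_special": 3,
         "min_numeric": 3, "min_upper": 3, "min_lower": 3}

if __name__ == "__main__":
    for name, cfg in (("pin", PIN), ("api_key", API_KEY), ("secure_token", TOKEN)):
        print(f"{name:12} {validate(cfg) or 'ok'}  <= {max_entropy_bits(cfg):.1f} bits")
```

The 6-digit PIN tops out just under 20 bits, so it needs attempt limiting on the consuming system, and each `min_*` setting removes candidate passwords, so minimums trade a little entropy for guaranteed compliance with a target system's password policy.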
Common Use Cases
- Database Passwords: Secure database authentication
- API Keys: Application programming interface authentication
- Service Tokens: Inter-service communication tokens
- User Accounts: Initial user password generation
- Encryption Keys: Application-level encryption secrets
- Session Secrets: Web application session management
- Certificate Passphrases: Private key protection