# devops # iac # terraform

    How to Generate Secure Passwords in Terraform with random_password

    If you’ve ever needed to generate secure passwords in Terraform, you know it can feel… a bit painful if you don’t have a solid method.
    Hardcoding secrets? Yeah, let’s not do that.
    Manually rotating passwords? Nightmare fuel.

    Luckily, Terraform’s random_password resource (from the Random provider) solves this beautifully — strong, unpredictable passwords, baked right into your Infrastructure as Code workflow.

    In this article, I’ll show you how I use it in real-world setups — from basic examples to dynamic multi-user generation, secret managers, and even the right way to “import” an existing password. We’ll also settle once and for all when to use random_password vs random_string.

    Let’s dive right in.

    What is the Terraform Random Provider?

    The Random provider in Terraform generates cryptographically secure pseudo-random values — strings, IDs, names, pets (yes, random pets — but sadly no Kubernetes clusters… yet).

    It’s super useful when you need uniqueness:

    • Resource names
    • Credentials
    • Tokens
    • Testing environments where conflicts would ruin your day

    The important thing: random values are stored in the Terraform state and only change when you tell them to — they’re not random on every plan (which would be chaos).

    Meet random_password: Your Secret Weapon for Passwords

    The random_password resource is laser-focused on secure password generation.

    Here’s the classic version I use:

    resource "random_password" "example" {
  length            = 16
  special           = true
  upper             = true
  lower             = true
  numeric           = true
  override_special  = "!@#%^&*"
}

output "generated_password" {
  value     = random_password.example.result
  sensitive = true
}

    ✅ Length, complexity, even the special characters — all customizable.
    ✅ No more “P@ssword123” embarrassments in production.
    ✅ Mark outputs as sensitive = true to avoid leaking secrets in the CLI.

    Heads up: Sensitive output hides it from the console, but the password is still saved plaintext in the Terraform state file.
    Use remote backends with encryption like AWS S3 + KMS when you get serious.

    How I Actually Use random_password in Terraform

    Here’s a straight-to-the-point version I often use for service credentials:

    resource "random_password" "secure_password" {
  length  = 20
  special = false
  upper   = true
  lower   = true
  numeric = true
}

output "secure_generated_password" {
  value     = random_password.secure_password.result
  sensitive = true
}

    Notice special = false — sometimes, older systems (looking at you, legacy databases 👀) can’t handle special characters.
    Adjust according to your use case!

    Variable-Length Passwords (Because Requirements Always Change)

    Need to let someone set the password length at deployment time? Here’s the neat way:

    provider "random" {}

variable "password_length" {
  description = "Length of the generated password"
  type        = number
  default     = 16
}

resource "random_password" "dynamic_password" {
  length  = var.password_length
  special = true
  upper   = true
  lower   = true
  numeric = true
}

output "generated_password" {
  value     = random_password.dynamic_password.result
  sensitive = true
}

    At apply time:

    terraform apply -var="password_length=24"

    Flexibility — built right in.
    (No more PRs just to change the password policy!)

    Generating Passwords for Multiple Users (for_each FTW)

    If you’re spinning up multiple users at once, you’ll love this pattern:

    variable "users" {
  description = "List of users who need passwords"
  type        = list(string)
  default     = ["alice", "bob", "charlie"]
}

resource "random_password" "user_passwords" {
  for_each = toset(var.users)

  length  = 16
  special = true
  upper   = true
  lower   = true
  numeric = true
}

output "user_passwords" {
  value     = { for user in var.users : user => random_password.user_passwords[user].result }
  sensitive = true
}

    Each user gets a secure, randomly generated password.

    Want metadata like roles or email addresses too? Switch from a list to a map — Terraform’s flexible like that.

    Storing Passwords in a Secret Manager (Because You’re Not a Monster)

    Storing secrets inside the Terraform state?
    No thanks. Here’s a better idea: AWS Secrets Manager.

    provider "aws" {
  region = "us-east-1"
}

resource "random_password" "db_password" {
  length  = 20
  special = true
  upper   = true
  lower   = true
  numeric = true
}

resource "aws_secretsmanager_secret" "db_secret" {
  name = "my-database-password"
}

resource "aws_secretsmanager_secret_version" "db_secret_value" {
  secret_id     = aws_secretsmanager_secret.db_secret.id
  secret_string = jsonencode({
    username = "admin"
    password = random_password.db_password.result
  })
}

output "secret_arn" {
  value = aws_secretsmanager_secret.db_secret.arn
}

    Retrieve the secret securely with:

    aws secretsmanager get-secret-value --secret-id my-database-password --query SecretString --output text

    Bonus tip: If you’re using HashiCorp Vault instead, the vault_generic_secret resource works almost the same way.

    Importing an Existing Password into Terraform

    True story:
    Random providers can’t import an existing password.
    But we can work around that:

    Option 1: Use Variables

    variable "imported_password" {
  description = "Manually imported password"
  type        = string
  sensitive   = true
}

output "imported_password_output" {
  value     = var.imported_password
  sensitive = true
}

    In terraform.tfvars:

    imported_password = "My$Super$Secret$Password123"

    Run it with:

    terraform apply -var-file="terraform.tfvars"

    Option 2: Use External Data Sources

    Already have the password in AWS Secrets Manager?
    Pull it at deploy time:

    data "aws_secretsmanager_secret_version" "imported_password" {
  secret_id = "my-secret-password"
}

output "retrieved_password" {
  value     = data.aws_secretsmanager_secret_version.imported_password.secret_string
  sensitive = true
}

    Problem solved ✅

    random_password vs random_string: When to Use Each?

    Feature random_password random_string
    Built for passwords? ✅ Yes 🚫 No (general random strings)
    Secure by default? ✅ Yes (complex character sets) ➖ Only if you configure manually
    Typical use case Secrets, credentials Resource names, database identifiers

    👉 Bottom line: If it’s a password, just use random_password.
    Don’t hack it together with random_string unless you have a very good reason.

    Final Thoughts (aka “Avoid Future You Hating Past You”)

    When it comes to generating passwords with Terraform:

    • Use random_password for all secure credentials
    • Store them securely (Secrets Manager, Vault, etc.)
    • Encrypt your Terraform state (S3 + KMS is your friend)
    • Leverage IAM roles, not static API keys, for access

    Follow Me

    🐦 X / Twitter
    🎨 Instagram
    🐘 Mastodon
    🧵 Threads
    🎸 Facebook
    🧊 Bluesky
    💻 LinkedIn
    📣 daily.dev Squad
    🐈 GitHub

    Community of IT Experts

    👾 Discord

    Author

    Alexander Chizhkov
    I’m Alexander Chizhkov, the Cloud Mage — turning cloud-native tech, automation, and DevOps into practical magic for engineers and teams.

    Recent Posts

    1
    How to Generate Secure Passwords in Terraform with random_password

    DevOps Community

    🧙‍♂️ Stuck with setup or config spells? Ask me or summon help from the Cloud Mage community: