Behavior of random_password

Simple question really, but one the docs don’t make very clear.

If I wanted to use random_password to generate a password for a service, on next apply would it rotate the password or honor the original one stored in the tf plan?

In other words, would I have to wrap the resulting account created in an “ignore changes” statement to keep it from constantly updating the password every apply?

Hi @Justin-DynamicD,

All of the random provider resources follow a common pattern of generating a random value during their “create” action and then retaining it in the Terraform state so that it can be used for future operation. The value will not change until the resource object is subsequently destroyed for any reason.

You can use the keepers mechanism to give the resources hints about when they will need to replace themselves in order to generate a new random value. If keepers is not set then the value will be retained until you explicitly destroy the resource object.

2 Likes

Hi,

How to rotate a password created by random_password?
If we create a password this way it is not changed during following runs of Terraform code.
How to overcome this issue?

Best Regards,
Łukasz Gołębiewski

I have this question too. I’m using random_password to assign a password to VMs, SQL instances, and other assorted things that require passwords. If I do a “terraform destroy”, make changes elsewhere in the config, and then run terraform plan/apply again, the VM creation fails due to the password not being changed:

Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 – Original Error: Code=“InvalidParameter” Message=“The supplied password must be between 6-72 characters long and must satisfy at least 3 of password complexity requirements from the following:\r\n1) Contains an uppercase character\r\n2) Contains a lowercase character\r\n3) Contains a numeric digit\r\n4) Contains a special character\r\n5) Control characters are not allowed” Target=“adminPassword”

The docs don’t say that random_password supports a keepers block (I’m not sure what I’d key off of given why I’m using random_password), so I tried creating a random_integer and using that as a seed value, but apparently that isn’t supported either.

The only way I found to resolve the issue was to delete the .tfplan created by the -out param of terraform plan, and then run terraform plan -out file.tfplan again.

I may have to add a lifecycle block on my VM creation resource block, but I also want it to definitely generate a new password if I’ve destroyed the infrastructure and am then trying to redeploy it.

1 Like

I’ve changed it by removing the random_password resource from the state using
terraform state rm RANDOM_PASSWORD_IDENTIFIER

To get the identifier I used terraform state list. After that, apply will recreate that random password and do what’s needed.

I know this is digging up an old post, but for anyone else that comes across this, an example of how to use the keepers mechanism is as follows:

resource "random_password" "password" {
  length  = 16
  special = true
  override_special = "@#%*()-_=+[]{}:?"
  keepers = {
    trigger = timestamp()
  }
}

By using the timestamp function, you’ll basically guarantee every time the tf script is run, a new password is generated.
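
An added example, not from any poster in this thread or from the provider's documentation: because timestamp() changes on every run, the configuration above replaces the password on each apply, so this variant ties keepers to explicit triggers instead. It assumes the hashicorp/time provider's time_rotating resource; the resource names, the password_epoch variable and the 90-day interval are hypothetical.

```hcl
terraform {
  required_providers {
    random = { source = "hashicorp/random" }
    time   = { source = "hashicorp/time" }
  }
}

# Hypothetical input: change this string to force a rotation on demand,
# for example after a suspected credential exposure.
variable "password_epoch" {
  type    = string
  default = "1"
}

# Recreated by Terraform once rotation_days have elapsed since it was made.
# Its id is an RFC 3339 timestamp, so it only changes at that point.
resource "time_rotating" "service_password" {
  rotation_days = 90 # assumed interval
}

resource "random_password" "service" {
  length           = 16
  special          = true
  override_special = "@#%*()-_=+[]{}:?"

  # A change to any keepers value replaces this resource and generates a
  # new password. With stable values here, repeated applies keep the
  # password that is already in state.
  keepers = {
    schedule = time_rotating.service_password.id
    epoch    = var.password_epoch
  }
}

# The result is still stored in the Terraform state file, so the state
# backend needs its own access control and encryption at rest.
output "service_password" {
  value     = random_password.service.result
  sensitive = true
}
```

Rotation only takes effect when Terraform is actually run after the interval has passed, so a scheduled plan/apply is still needed for the 90-day policy to hold.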