Simple question really, but one the docs don’t make very clear.
If I wanted to use random_password to generate a password for a service, on next apply would it rotate the password or honor the original one stored in the tf plan?
In other words, would I have to wrap the resulting account created in an “ignore changes” statement to keep it from constantly updating the password every apply?
All of the random provider resources follow a common pattern of generating a random value during their “create” action and then retaining it in the Terraform state so that it can be used for future operations. The value will not change until the resource object is subsequently destroyed for any reason.
You can use the keepers mechanism to give the resources hints about when they will need to replace themselves in order to generate a new random value. If keepers is not set then the value will be retained until you explicitly destroy the resource object.
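The keepers behaviour described in the answer above, as an added example that is not part of the original thread. The variable `password_rotation_id` and the resource name `service` are hypothetical names chosen for illustration.

```hcl
terraform {
  required_providers {
    random = {
      source = "hashicorp/random"
    }
  }
}

# Hypothetical variable: change its value (for example "1" -> "2")
# when the password should be rotated.
variable "password_rotation_id" {
  type    = string
  default = "1"
}

resource "random_password" "service" {
  length  = 24
  special = true

  # The value is generated once, during create, and then read back from
  # state on every later plan/apply, so repeated applies do not change it.
  # Changing any value in this map makes Terraform plan a replacement of
  # this resource, which produces a new random result.
  keepers = {
    rotation_id = var.password_rotation_id
  }
}

# The generated password is stored in the Terraform state in plain text,
# so the state backend needs the same access control as the secret itself.
output "service_password" {
  value     = random_password.service.result
  sensitive = true
}

# One-off rotation without touching keepers (Terraform v0.15.2 or later):
#   terraform apply -replace=random_password.service
```

Any resource that consumes `random_password.service.result` is updated or replaced in the same apply that rotates the password, so no `ignore_changes` is needed just to keep the value stable between runs.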
How to rotate a password created by random_password?
If we create a password this way it is not changed during following runs of Terraform code.
How to overcome this issue?
I have this question too. I’m using random_password to assign a password to VMs, SQL instances, and other assorted things that require passwords. If I do a “terraform destroy”, make changes elsewhere in the config, and then run terraform plan/apply again, the VM creation fails due to the password not being changed:
Error: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 – Original Error: Code=“InvalidParameter” Message=“The supplied password must be between 6-72 characters long and must satisfy at least 3 of password complexity requirements from the following:\r\n1) Contains an uppercase character\r\n2) Contains a lowercase character\r\n3) Contains a numeric digit\r\n4) Contains a special character\r\n5) Control characters are not allowed” Target=“adminPassword”
The docs don’t say that random_password supports a keepers block (I’m not sure what I’d key off of given why I’m using random_password), so I tried creating a random_integer and using that as a seed value, but apparently that isn’t supported either.
The only way I found to resolve the issue was to delete the .tfplan created by the -out param of terraform plan, and then run terraform plan -out file.tfplan again.
I may have to add a lifecycle block on my VM creation resource block, but I also want it to definitely generate a new password if I’ve destroyed the infrastructure and am then trying to redeploy it.