how-to-guide

How to Use the Terraform Random Password Resource for Secure Multi-Service Deployment

February 12, 2026 hashicorp/terraform ↗

Use the random_password resource from the HashiCorp Random provider to generate cryptographically secure passwords that persist in Terraform state and can be referenced across multiple services and modules.

The random_password resource is not part of Terraform core; it is implemented in the external hashicorp/random provider (registry.terraform.io/hashicorp/random). This resource generates a secure string once and stores it in the Terraform state file, ensuring that subsequent runs maintain the same password unless explicitly triggered to regenerate. By referencing random_password.<NAME>.result, you can share secrets across AWS IAM users, Kubernetes secrets, Vault configurations, and other resources without hardcoding credentials.

How the Random Password Resource Works

Terraform delegates password generation to the Random provider, which is loaded during terraform init. In internal/provider/resource_random_password.go, the resource implements create, read, and delete lifecycle hooks that manage the generated value, while internal/provider/provider.go registers the resource with the Terraform plugin framework.

The provider stores the password in the Terraform state file immediately after creation. During terraform refresh operations, the provider's Read function simply returns the stored value from state rather than generating a new one. This idempotence guarantees that dependent services retain consistent credentials across plan and apply cycles.

Key Architectural Features

  • State persistence: The generated password survives between runs unless the resource is tainted or keepers change
  • Sensitive marking: The result attribute is automatically marked as sensitive, redacting it from plan output and CLI displays
  • Cryptographic generation: Uses secure random number generation suitable for production secrets

Basic Password Generation

Declare a random_password resource with parameters like length and special to control complexity. Reference the generated value using the result attribute.

resource "random_password" "db" {
  length  = 16
  special = true
}

resource "aws_db_instance" "example" {
  identifier          = "mydb"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  engine              = "mysql"
  username            = "admin"
  password            = random_password.db.result
  skip_final_snapshot = true
}

This configuration generates a 16-character password containing uppercase, lowercase, digits, and symbols exactly once. The aws_db_instance resource receives this value, and subsequent terraform apply commands reuse the same password from state.

Triggering Password Rotation with Keepers

To force regeneration when external conditions change, use the keepers map. This argument acts as a dependency trigger stored in resource_random_password.go.

resource "random_password" "service_account" {
  length  = 24
  special = false
  keepers = {
    service_name = var.service_name
  }
}

Changing the service_name variable destroys the existing password resource and creates a new one. Any resource referencing random_password.service_account.result receives the updated value automatically. Without modifying keepers, the password remains stable regardless of other configuration changes.

Sharing Passwords Across Modules and Services

Because the password is managed as a Terraform resource, you can export it via outputs or consume it in child modules. Mark outputs as sensitive to maintain security boundaries.

output "admin_password" {
  description = "Password for the admin user"
  value       = random_password.db.result
  sensitive   = true
}

Downstream modules access this value using module.<NAME>.admin_password. The same secret can populate Kubernetes secrets, Vault entries, or Azure Key Vault simultaneously.

Kubernetes Secret Example

resource "random_password" "k8s" {
  length  = 32
  special = false
}

resource "kubernetes_secret" "db_credentials" {
  metadata {
    name = "db-credentials"
  }
  data = {
    username = "admin"
    password = random_password.k8s.result
  }
  type = "Opaque"
}

Security Considerations and State Management

According to the implementation in internal/provider/resource_random_password.go, the provider never refreshes or regenerates the password during planning unless the resource is replaced. The password exists in plain text within the Terraform state file, which necessitates strict state file security.

Critical security practices:

  • Enable encryption at rest for state backends (S3, GCS, Azure Blob)
  • Restrict access to state files containing random_password resources
  • Use sensitive = true on all outputs to prevent CLI logging
  • Store state in remote backends rather than local disk for team collaboration

The result attribute's sensitive flag, defined in the resource schema, ensures that terraform plan and terraform show display [sensitive] rather than the actual value.

Summary

  • The random_password resource resides in the hashicorp/random provider, not Terraform core, and is loaded via terraform init
  • Generated passwords persist in Terraform state and remain stable across runs unless keepers change or the resource is tainted
  • Reference the password value using random_password.<NAME>.result in any resource that accepts string inputs
  • Use the keepers argument to implement conditional rotation based on external variable changes
  • Always mark outputs as sensitive and secure your state files, as passwords are stored in plain text within the state

Frequently Asked Questions

Where is the password stored in Terraform?

The password is stored in plain text within the Terraform state file, managed by the backend configuration (local or remote). The internal/provider/resource_random_password.go file implements the Create function to generate and persist the value, while the Read function retrieves it from state during refresh operations. Secure your state backend with encryption and strict access controls.

How do I force Terraform to generate a new random password?

Modify the keepers map argument with values that change when you want rotation, such as timestamps or revision variables. Alternatively, run terraform taint random_password.<NAME> or terraform apply -replace="random_password.<NAME>" to force recreation. The provider will generate a new cryptographically secure string during the next apply.

Is the random_password resource safe to use in production?

Yes, the resource uses cryptographically secure random generation suitable for production credentials. However, because the value exists in the Terraform state file, you must implement proper state security: encrypt remote backends, restrict IAM access, and avoid committing state files to version control. The result attribute is automatically marked sensitive to prevent accidental exposure in logs.

Can I use the same password across multiple cloud providers?

Yes. Because random_password is a separate resource, you can reference random_password.example.result in an AWS RDS instance, an Azure SQL server, and a Kubernetes secret within the same configuration. The value remains consistent across all resources because it is generated once and stored in state, then referenced by multiple downstream resources.

Have a question about this repo?

These articles cover the highlights, but your codebase questions are specific. Give your agent direct access to the source. Share this with your agent to get started:

Share the following with your agent to get started:
curl -s https://instagit.com/install.md
Works with
Claude Codex Cursor VS Code OpenClaw Any MCP Client