
DNXLabs/terraform-azurerm-password

terraform-azure-password

Terraform module for generating random passwords or SSH key pairs and securely storing them in Azure Key Vault. This module supports password rotation through version triggering.

Designed to work alongside other modules (VM, VMSS, MySQL) that require credentials, ensuring passwords are never hardcoded and are centrally managed in Key Vault.

Features

  • Random Password Generation: Cryptographically secure random password generation
  • SSH Key Pair Generation: RSA 4096-bit SSH key pair generation
  • Key Vault Storage: Automatic storage as Key Vault secrets
  • Password Rotation: Increment version_trigger to force rotation on next apply
  • Configurable Complexity: Custom length, special characters, and overrides
  • Sensitive Output: Password values are marked as sensitive, so they are redacted from plan and apply output (they are still written to Terraform state, which must itself be protected)

Usage

Example 1 — Non-Prod (Simple Password)

A basic password for a development database or VM.

module "db_password" {
  source = "./modules/password"

  name                     = "mysql-admin-password"
  key_vault_name           = "kvmycompanydevaueapp001"
  key_vault_resource_group = "rg-mycompany-dev-aue-app-001"

  type   = "password"
  length = 24
}

# Reference in other modules
module "mysql" {
  source = "./modules/mysql"
  # ...
  administrator_password = module.db_password.value
}

Example 2 — Production (SSH Key + Password with Rotation)

SSH keys for Linux VMs and passwords with rotation support for production.

# SSH key for Linux VMs
module "vm_ssh_key" {
  source = "./modules/password"

  name                     = "vm-linux-ssh-key"
  key_vault_name           = "kv-contoso-prod-001"
  key_vault_resource_group = "rg-contoso-prod-aue-kv-001"

  type = "ssh"

  tags = {
    purpose = "linux-vm-access"
    managed = "terraform"
  }
}

# Strong password for Windows VM with rotation
module "vm_password" {
  source = "./modules/password"

  name                     = "vm-windows-admin-password"
  key_vault_name           = "kv-contoso-prod-001"
  key_vault_resource_group = "rg-contoso-prod-aue-kv-001"

  type             = "password"
  length           = 32
  special          = true
  override_special = "!@#$%&*()-_=+"

  version_trigger = 2  # Increment to rotate password

  tags = {
    purpose = "windows-vm-admin"
    rotated = "v2"
  }
}

# Reference SSH key in VM module
module "linux_vm" {
  source = "./modules/vm"
  # ...
  vm_ssh_key = module.vm_ssh_key.public_key
}

# Reference password in VM module
module "windows_vm" {
  source = "./modules/vm"
  # ...
  admin_password = module.vm_password.value
}

Using YAML Variables

Create a per-workspace YAML file under vars/ (the locals block below reads vars/<workspace>.yaml, so name it after your workspace, e.g. vars/dev.yaml) containing an identity section:

identity:
  passwords:
    mysql-admin:
      name: mysql-admin-password
      type: password
      length: 32

    vm-ssh:
      name: vm-linux-ssh-key
      type: ssh

    vm-admin:
      name: vm-windows-admin
      type: password
      length: 24
      version_trigger: 1

Then use in your Terraform:

locals {
  workspace = yamldecode(file("vars/${terraform.workspace}.yaml"))
}

module "passwords" {
  for_each = try(local.workspace.identity.passwords, {})

  source = "./modules/password"

  name                     = each.value.name
  key_vault_name           = module.keyvault["main"].key_vault.name
  key_vault_resource_group = module.keyvault["main"].resource_group_name

  type             = try(each.value.type, "password")
  length           = try(each.value.length, 32)
  special          = try(each.value.special, true)
  override_special = try(each.value.override_special, "!@#$%^&*()-_=+")
  version_trigger  = try(each.value.version_trigger, 1)

  tags = try(each.value.tags, {})
}

Password Rotation

To rotate a password, increment the version_trigger variable:

# Initial deployment
version_trigger = 1

# To rotate, change to:
version_trigger = 2

On the next terraform apply, a new password is generated and written to Key Vault as a new version of the secret; any module that references the value output receives the new password in the same apply.
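Added illustration, not the module's own source code, of how the inputs listed below map onto the random, tls and azurerm providers and why incrementing version_trigger produces a new secret. It assumes the variables from the Inputs table exist; the terraform_data / replace_triggered_by pairing for the SSH case is my assumed mechanism, since tls_private_key has no keepers argument.

```hcl
# Illustrative implementation, not the module's own source: how the README's
# inputs map to random/tls/azurerm resources and why bumping version_trigger
# rotates the secret. Assumes the variables listed under Inputs exist.
data "azurerm_key_vault" "this" {
  name                = var.key_vault_name
  resource_group_name = var.key_vault_resource_group
}

# Any change to a `keepers` value replaces random_password, so a new
# version_trigger produces a fresh password on the next apply.
resource "random_password" "this" {
  count = var.type == "password" ? 1 : 0

  length           = var.length
  special          = var.special
  override_special = var.override_special
  keepers          = { version = var.version_trigger }
}

# tls_private_key has no keepers argument, so SSH rotation is driven by
# replace_triggered_by on a terraform_data resource carrying the trigger.
resource "terraform_data" "rotation" {
  triggers_replace = var.version_trigger
}

resource "tls_private_key" "this" {
  count = var.type == "ssh" ? 1 : 0

  algorithm = "RSA"
  rsa_bits  = 4096

  lifecycle {
    replace_triggered_by = [terraform_data.rotation]
  }
}

# Writing a changed value creates a new secret version in Key Vault;
# earlier versions remain readable until they are disabled or purged.
resource "azurerm_key_vault_secret" "this" {
  name         = var.name
  key_vault_id = data.azurerm_key_vault.this.id
  value        = var.type == "ssh" ? tls_private_key.this[0].private_key_openssh : random_password.this[0].result
  tags         = var.tags
}

output "value" {
  value     = azurerm_key_vault_secret.this.value
  sensitive = true # redacted from CLI output, still present in state
}
```

Because the generated value lands in Terraform state as plaintext, keep the state backend (for example an Azure Storage account with private access) locked down as tightly as the Key Vault itself.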

Outputs

| Name | Description |
|------|-------------|
| secret_id | The ID of the Key Vault secret |
| secret_name | The name of the Key Vault secret |
| value | The generated password or private key (sensitive) |
| public_key | The generated public key (if type is ssh, otherwise null) |

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.6.0 |
| azurerm | >= 4.0.0 |
| random | >= 3.0.0 |
| tls | >= 4.0.0 |

Providers

| Name | Version |
|------|---------|
| azurerm | >= 4.0.0 |
| random | >= 3.0.0 |
| tls | >= 4.0.0 |

Inputs

| Name | Description | Type | Required |
|------|-------------|------|----------|
| name | Name of the secret in Key Vault | string | yes |
| key_vault_name | Name of the Azure Key Vault | string | yes |
| key_vault_resource_group | Resource group of the Key Vault | string | yes |
| type | Type of secret: password or ssh | string | no |
| length | Password length (default: 32) | number | no |
| special | Include special characters (default: true) | bool | no |
| override_special | Custom special character set | string | no |
| version_trigger | Increment to force password rotation | number | no |
| tags | Tags for the Key Vault secret | map(string) | no |

License

Apache 2.0 Licensed. See LICENSE for full details.

Authors

Module managed by DNX Solutions.

Contributing

Please read CONTRIBUTING.md for details on our code of conduct and the process for submitting pull requests.
