feat: Re-add support for random passwords using ephemeral random password

bryantbiggs · bryantbiggs · commit 9682e45340bb · 2025-08-08T09:28:35.000-05:00
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.99.5
+    rev: v1.100.0
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
diff --git a/README.md b/README.md
@@ -125,6 +125,7 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.11 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.7 |
 
 ## Providers
 
@@ -154,6 +155,7 @@ No modules.
 | <a name="input_block_public_policy"></a> [block\_public\_policy](#input\_block\_public\_policy) | Makes an optional API call to Zelkova to validate the Resource Policy to prevent broad access to your secret | `bool` | `null` | no |
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
 | <a name="input_create_policy"></a> [create\_policy](#input\_create\_policy) | Determines whether a policy will be created | `bool` | `false` | no |
+| <a name="input_create_random_password"></a> [create\_random\_password](#input\_create\_random\_password) | Determines whether an ephemeral random password will be generated for `secret_string_wo` | `bool` | `false` | no |
 | <a name="input_description"></a> [description](#input\_description) | A description of the secret | `string` | `null` | no |
 | <a name="input_enable_rotation"></a> [enable\_rotation](#input\_enable\_rotation) | Determines whether secret rotation is enabled | `bool` | `false` | no |
 | <a name="input_force_overwrite_replica_secret"></a> [force\_overwrite\_replica\_secret](#input\_force\_overwrite\_replica\_secret) | Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region | `bool` | `null` | no |
@@ -163,6 +165,8 @@ No modules.
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Creates a unique name beginning with the specified prefix | `string` | `null` | no |
 | <a name="input_override_policy_documents"></a> [override\_policy\_documents](#input\_override\_policy\_documents) | List of IAM policy documents that are merged together into the exported document. In merging, statements with non-blank `sid`s will override statements with the same `sid` | `list(string)` | `[]` | no |
 | <a name="input_policy_statements"></a> [policy\_statements](#input\_policy\_statements) | A map of IAM policy [statements](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#statement) for custom permission usage | <pre>list(object({<br/>    sid           = optional(string)<br/>    actions       = optional(list(string))<br/>    not_actions   = optional(list(string))<br/>    effect        = optional(string)<br/>    resources     = optional(list(string))<br/>    not_resources = optional(list(string))<br/>    principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    not_principals = optional(list(object({<br/>      type        = string<br/>      identifiers = list(string)<br/>    })))<br/>    condition = optional(list(object({<br/>      test     = string<br/>      values   = list(string)<br/>      variable = string<br/>    })))<br/>  }))</pre> | `null` | no |
+| <a name="input_random_password_length"></a> [random\_password\_length](#input\_random\_password\_length) | The length of the generated random password | `number` | `32` | no |
+| <a name="input_random_password_override_special"></a> [random\_password\_override\_special](#input\_random\_password\_override\_special) | Supply your own list of special characters to use for string generation. This overrides the default character list in the special argument | `string` | `"!@#$%&*()-_=+[]{}<>:?"` | no |
 | <a name="input_recovery_window_in_days"></a> [recovery\_window\_in\_days](#input\_recovery\_window\_in\_days) | Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be `0` to force deletion without recovery or range from `7` to `30` days. The default value is `30` | `number` | `null` | no |
 | <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
 | <a name="input_replica"></a> [replica](#input\_replica) | Configuration block to support secret replication | <pre>map(object({<br/>    kms_key_id = optional(string)<br/>    region     = optional(string) # will default to the key name<br/>  }))</pre> | `null` | no |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -51,8 +51,9 @@ module "secrets_manager" {
   ]
 
   # Version
-  secret_string_wo         = ephemeral.random_password.password.result
-  secret_string_wo_version = 1
+  create_random_password           = true
+  random_password_length           = 64
+  random_password_override_special = "!@#$%^&*()_+"
 
   tags = local.tags
 }
@@ -126,12 +127,6 @@ module "secrets_manager_disabled" {
 # Supporting Resources
 ################################################################################
 
-ephemeral "random_password" "password" {
-  length           = 16
-  special          = true
-  override_special = "!#$%&*()-_=+[]{}<>:?"
-}
-
 # https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets-required-permissions-function.html
 data "aws_iam_policy_document" "this" {
   statement {
@@ -163,7 +158,7 @@ module "lambda" {
   description   = "Example Secrets Manager secret rotation lambda function"
 
   handler     = "function.lambda_handler"
-  runtime     = "python3.12"
+  runtime     = "python3.13"
   timeout     = 60
   memory_size = 512
   source_path = "${path.module}/function.py"
diff --git a/main.tf b/main.tf
@@ -101,8 +101,8 @@ resource "aws_secretsmanager_secret_version" "this" {
   secret_id                = aws_secretsmanager_secret.this[0].id
   secret_binary            = var.secret_binary
   secret_string            = var.secret_string
-  secret_string_wo         = var.secret_string_wo
-  secret_string_wo_version = var.secret_string_wo_version
+  secret_string_wo         = var.create_random_password ? ephemeral.random_password.this[0].result : var.secret_string_wo
+  secret_string_wo_version = var.create_random_password ? coalesce(var.secret_string_wo_version, 0) : var.secret_string_wo_version
   version_stages           = var.version_stages
 }
 
@@ -114,8 +114,8 @@ resource "aws_secretsmanager_secret_version" "ignore_changes" {
   secret_id                = aws_secretsmanager_secret.this[0].id
   secret_binary            = var.secret_binary
   secret_string            = var.secret_string
-  secret_string_wo         = var.secret_string_wo
-  secret_string_wo_version = var.secret_string_wo_version
+  secret_string_wo         = var.create_random_password ? ephemeral.random_password.this[0].result : var.secret_string_wo
+  secret_string_wo_version = var.create_random_password ? coalesce(var.secret_string_wo_version, 0) : var.secret_string_wo_version
   version_stages           = var.version_stages
 
   lifecycle {
@@ -127,6 +127,14 @@ resource "aws_secretsmanager_secret_version" "ignore_changes" {
   }
 }
 
+ephemeral "random_password" "this" {
+  count = var.create && var.create_random_password ? 1 : 0
+
+  length           = var.random_password_length
+  special          = true
+  override_special = var.random_password_override_special
+}
+
 ################################################################################
 # Rotation
 ################################################################################
diff --git a/variables.tf b/variables.tf
@@ -160,6 +160,24 @@ variable "version_stages" {
   default     = null
 }
 
+variable "create_random_password" {
+  description = "Determines whether an ephemeral random password will be generated for `secret_string_wo`"
+  type        = bool
+  default     = false
+}
+
+variable "random_password_length" {
+  description = "The length of the generated random password"
+  type        = number
+  default     = 32
+}
+
+variable "random_password_override_special" {
+  description = "Supply your own list of special characters to use for string generation. This overrides the default character list in the special argument"
+  type        = string
+  default     = "!@#$%&*()-_=+[]{}<>:?"
+}
+
 ################################################################################
 # Rotation
 ################################################################################
diff --git a/versions.tf b/versions.tf
@@ -6,5 +6,9 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 6.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.7"
+    }
   }
 }
diff --git a/wrappers/main.tf b/wrappers/main.tf
@@ -3,29 +3,32 @@ module "wrapper" {
 
   for_each = var.items
 
-  block_public_policy            = try(each.value.block_public_policy, var.defaults.block_public_policy, null)
-  create                         = try(each.value.create, var.defaults.create, true)
-  create_policy                  = try(each.value.create_policy, var.defaults.create_policy, false)
-  description                    = try(each.value.description, var.defaults.description, null)
-  enable_rotation                = try(each.value.enable_rotation, var.defaults.enable_rotation, false)
-  force_overwrite_replica_secret = try(each.value.force_overwrite_replica_secret, var.defaults.force_overwrite_replica_secret, null)
-  ignore_secret_changes          = try(each.value.ignore_secret_changes, var.defaults.ignore_secret_changes, false)
-  kms_key_id                     = try(each.value.kms_key_id, var.defaults.kms_key_id, null)
-  name                           = try(each.value.name, var.defaults.name, null)
-  name_prefix                    = try(each.value.name_prefix, var.defaults.name_prefix, null)
-  override_policy_documents      = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
-  policy_statements              = try(each.value.policy_statements, var.defaults.policy_statements, null)
-  recovery_window_in_days        = try(each.value.recovery_window_in_days, var.defaults.recovery_window_in_days, null)
-  region                         = try(each.value.region, var.defaults.region, null)
-  replica                        = try(each.value.replica, var.defaults.replica, null)
-  rotate_immediately             = try(each.value.rotate_immediately, var.defaults.rotate_immediately, null)
-  rotation_lambda_arn            = try(each.value.rotation_lambda_arn, var.defaults.rotation_lambda_arn, "")
-  rotation_rules                 = try(each.value.rotation_rules, var.defaults.rotation_rules, null)
-  secret_binary                  = try(each.value.secret_binary, var.defaults.secret_binary, null)
-  secret_string                  = try(each.value.secret_string, var.defaults.secret_string, null)
-  secret_string_wo               = try(each.value.secret_string_wo, var.defaults.secret_string_wo, null)
-  secret_string_wo_version       = try(each.value.secret_string_wo_version, var.defaults.secret_string_wo_version, null)
-  source_policy_documents        = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
-  tags                           = try(each.value.tags, var.defaults.tags, {})
-  version_stages                 = try(each.value.version_stages, var.defaults.version_stages, null)
+  block_public_policy              = try(each.value.block_public_policy, var.defaults.block_public_policy, null)
+  create                           = try(each.value.create, var.defaults.create, true)
+  create_policy                    = try(each.value.create_policy, var.defaults.create_policy, false)
+  create_random_password           = try(each.value.create_random_password, var.defaults.create_random_password, false)
+  description                      = try(each.value.description, var.defaults.description, null)
+  enable_rotation                  = try(each.value.enable_rotation, var.defaults.enable_rotation, false)
+  force_overwrite_replica_secret   = try(each.value.force_overwrite_replica_secret, var.defaults.force_overwrite_replica_secret, null)
+  ignore_secret_changes            = try(each.value.ignore_secret_changes, var.defaults.ignore_secret_changes, false)
+  kms_key_id                       = try(each.value.kms_key_id, var.defaults.kms_key_id, null)
+  name                             = try(each.value.name, var.defaults.name, null)
+  name_prefix                      = try(each.value.name_prefix, var.defaults.name_prefix, null)
+  override_policy_documents        = try(each.value.override_policy_documents, var.defaults.override_policy_documents, [])
+  policy_statements                = try(each.value.policy_statements, var.defaults.policy_statements, null)
+  random_password_length           = try(each.value.random_password_length, var.defaults.random_password_length, 32)
+  random_password_override_special = try(each.value.random_password_override_special, var.defaults.random_password_override_special, "!@#$%&*()-_=+[]{}<>:?")
+  recovery_window_in_days          = try(each.value.recovery_window_in_days, var.defaults.recovery_window_in_days, null)
+  region                           = try(each.value.region, var.defaults.region, null)
+  replica                          = try(each.value.replica, var.defaults.replica, null)
+  rotate_immediately               = try(each.value.rotate_immediately, var.defaults.rotate_immediately, null)
+  rotation_lambda_arn              = try(each.value.rotation_lambda_arn, var.defaults.rotation_lambda_arn, "")
+  rotation_rules                   = try(each.value.rotation_rules, var.defaults.rotation_rules, null)
+  secret_binary                    = try(each.value.secret_binary, var.defaults.secret_binary, null)
+  secret_string                    = try(each.value.secret_string, var.defaults.secret_string, null)
+  secret_string_wo                 = try(each.value.secret_string_wo, var.defaults.secret_string_wo, null)
+  secret_string_wo_version         = try(each.value.secret_string_wo_version, var.defaults.secret_string_wo_version, null)
+  source_policy_documents          = try(each.value.source_policy_documents, var.defaults.source_policy_documents, [])
+  tags                             = try(each.value.tags, var.defaults.tags, {})
+  version_stages                   = try(each.value.version_stages, var.defaults.version_stages, null)
 }
diff --git a/wrappers/versions.tf b/wrappers/versions.tf
@@ -6,5 +6,9 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 6.0"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.7"
+    }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,9 @@ terraform {`
`6`	`6`	`source = "hashicorp/aws"`
`7`	`7`	`version = ">= 6.0"`
`8`	`8`	`}`
	`9`	`+ random = {`
	`10`	`+ source = "hashicorp/random"`
	`11`	`+ version = ">= 3.7"`
	`12`	`+ }`
`9`	`13`	`}`
`10`	`14`	`}`