Generating random passwords by using AWS Secrets Manager - AWS Prescriptive Guidance

Generating random passwords by using AWS Secrets Manager

The AWS Well-Architected Framework recommends that you store and use secrets securely. You can use the AWS Secrets Manager API to generate random passwords, and you can customize the password complexity requirements. The GetRandomPassword action supports password string lengths between 1 and 4,096 characters. For more information, see GetRandomPassword in the AWS Secrets Manager API Reference. We recommend that you use this approach to generate secrets instead of allowing users to manually define secrets.

The following Terraform data source generates a random password that is 20 characters long, includes numbers, excludes punctuation characters, and excludes spaces. The generated value is exposed through the data source's random_password attribute. You can modify this example to meet the password security requirements for your organization.

    # Calls the Secrets Manager GetRandomPassword API at plan time
    data "aws_secretsmanager_random_password" "test" {
      password_length     = 20
      exclude_numbers     = false
      exclude_punctuation = true
      include_space       = false
    }

Generating secrets randomly when you deploy infrastructure as code (IaC) helps you protect sensitive data from the very start (day zero). No person ever learns the value, not even during the deployment phase.

The following steps show how Terraform uses AWS Secrets Manager to create and then use a random secret.
  1. Through Terraform, use AWS Secrets Manager to generate a random password secret.

  2. Terraform uses this random password secret, which is stored in AWS Secrets Manager, to access the database.
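The two steps above, as one complete Terraform configuration. This is an added example, not the guidance's own sample: the region, secret name, database identifier, and the user name dbadmin are assumed values. The excluded characters (/, @, ", and ') are ones that Amazon RDS does not accept in a master password, and the lifecycle block guards against the data source handing back a different password on every plan.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

# Step 1: ask Secrets Manager for a random password (GetRandomPassword).
# Characters that RDS rejects in a master password are excluded up front.
data "aws_secretsmanager_random_password" "db" {
  password_length            = 32
  exclude_numbers            = false
  exclude_punctuation        = false
  exclude_characters         = "/@\"'"
  include_space              = false
  require_each_included_type = true
}

# Persist the generated value as a secret so that applications and rotation
# can retrieve it later. The name is an assumed value.
resource "aws_secretsmanager_secret" "db" {
  name        = "example/app/db-master"
  description = "Master password generated with GetRandomPassword at deploy time"
}

resource "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.id
  secret_string = jsonencode({
    username = "dbadmin" # assumed user name
    password = data.aws_secretsmanager_random_password.db.random_password
  })

  lifecycle {
    # The data source is re-read on every plan and returns a fresh password
    # each time. Without this, every plan would propose replacing the secret
    # and the database password. Keep the value from the first apply until it
    # is rotated deliberately.
    ignore_changes = [secret_string]
  }
}

# Step 2: the database consumes the secret that Secrets Manager stores.
# No password literal appears anywhere in the configuration.
resource "aws_db_instance" "app" {
  identifier          = "example-app-db" # assumed identifier
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = jsondecode(aws_secretsmanager_secret_version.db.secret_string)["username"]
  password            = jsondecode(aws_secretsmanager_secret_version.db.secret_string)["password"]
  skip_final_snapshot = true
}
```

Run terraform plan twice after the first apply: the second plan must show no changes. If it proposes replacing aws_secretsmanager_secret_version.db, the ignore_changes guard is missing and each deployment would silently reset the database password.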

Important

Terraform marks the data source's random_password attribute as sensitive, so the value is redacted from plan and apply output. A sensitive mark does not keep a value out of state, however: the data source result, and every resource that you pass the password to (a secret version, a database instance), is recorded in plain text in the state file. We recommend that you rotate the secret immediately after deployment, or that you encrypt the state file at rest and restrict access to it with very tight permissions. For more information, see Protecting sensitive data in the Terraform state file in this guide.
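One way to apply the two mitigations in the note above, as an added example that is not part of this guidance: a remote backend that encrypts state at rest with a customer managed KMS key, plus a bucket policy that denies reading the state object to every principal except the deployment role. The bucket name, KMS key ARN, lock table, and role ARN (account 111122223333) are placeholders and must be replaced with your own.

```hcl
# Remote state with server-side encryption and state locking.
# Backend blocks cannot reference variables, so values are literal placeholders.
terraform {
  backend "s3" {
    bucket         = "example-tfstate-bucket"                                        # assumed
    key            = "app/db/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    kms_key_id     = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555" # assumed
    dynamodb_table = "example-tfstate-lock"                                          # assumed
  }
}

# Deny reading the state object to everyone except the role that runs Terraform.
# Apply this from a separate bootstrap configuration that owns the bucket.
data "aws_iam_policy_document" "state_bucket" {
  statement {
    sid       = "DenyStateReadExceptDeployRole"
    effect    = "Deny"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-tfstate-bucket/app/db/*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "ArnNotEquals"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::111122223333:role/terraform-deploy"] # assumed
    }
  }
}

resource "aws_s3_bucket_policy" "state" {
  bucket = "example-tfstate-bucket"
  policy = data.aws_iam_policy_document.state_bucket.json
}
```

An explicit Deny wins over any Allow attached to a user or role, so an administrator who is granted s3:GetObject on the whole bucket elsewhere still cannot download the state file unless they assume the deployment role; verify this with aws s3 cp from a non-deployment identity and confirm the AccessDenied error.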