terraform-provider-random

random_password - exclude attribute functionality

Open drarnold opened this issue 3 years ago • 0 comments

Terraform CLI and Provider Versions

$ terraform --version
Terraform v1.0.6
on darwin_amd64

But this could be on any version that supports the random_password resource.

Use Cases or Problem Statement

We are currently using the random_password resource to generate passwords for our Neo4j database with the following snippet of code:

resource "random_password" "neo4j_password" {
  length  = 32
  special = false
}

This gives us a good randomized password, almost all of the time. The big issue we run into is that the ' (single quote) is not considered a special character per the documentation or the codebase. Neo4j currently does not handle these single quotes very well, so we can either update Neo4j's password management or we can handle the password being generated. I am opting for either approach, so I will be creating an issue for them as well.

Proposal

I have several different ideas about what could be done to solve this particular issue:

  1. We could consider a single quote ' as a special character, which would allow the usage of the special attribute within the random_password resource.
  2. We could create an exclude attribute for the random_password resource, similar to the following:
resource "random_password" "neo4j_password" {
  length  = 32
  special = false
  exclude = "',_%@"
}

This would go through the generated password and replace any excluded characters with valid characters.

How much impact is this issue causing?

Medium

Additional Information

Currently, we are taking the hit and handling the issue as it comes up with our new environment creation process, where we need to troubleshoot the issue and change the password using the terraform taint command, since we have other restrictions in place to change passwords on subsequent plans.

I think we can also work with Neo4j regarding their password handling; however, it seems like this might be the easier route if we can add special characters into the list.

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

drarnold Feb 09 '22 23:02
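The `exclude` behaviour proposed in the issue, as an added Go sketch (not the provider's code and not part of the original post): rather than replacing excluded characters after generation, it removes them from the alphabet first, samples every position uniformly with `crypto/rand`, and reports the resulting entropy. The alphabet, the function names and the return shape are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Constructed alphabet for illustration; not copied from the provider.
const baseAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" +
	"0123456789!@#$%&*()-_=+[]{}<>:?',"

// allowedAlphabet (hypothetical helper) drops excluded characters before sampling,
// so no position is ever "patched" afterwards and the distribution stays uniform.
func allowedAlphabet(base, exclude string) []rune {
	var out []rune
	for _, r := range base {
		if !strings.ContainsRune(exclude, r) {
			out = append(out, r)
		}
	}
	return out
}

// generate (hypothetical) returns the password and its entropy in bits.
func generate(length int, exclude string) (string, float64, error) {
	alpha := allowedAlphabet(baseAlphabet, exclude)
	if length <= 0 || len(alpha) < 2 {
		return "", 0, errors.New("exclude list leaves too few characters")
	}
	n := big.NewInt(int64(len(alpha)))
	var sb strings.Builder
	for i := 0; i < length; i++ {
		idx, err := rand.Int(rand.Reader, n) // uniform in [0, n), no modulo bias
		if err != nil {
			return "", 0, err
		}
		sb.WriteRune(alpha[idx.Int64()])
	}
	return sb.String(), float64(length) * math.Log2(float64(len(alpha))), nil
}

func main() {
	pw, bits, err := generate(32, "',_%@") // exclude list taken from the issue
	if err != nil {
		panic(err)
	}
	fmt.Printf("generated %d characters, about %.1f bits of entropy\n", len(pw), bits)
}
```
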