How to keep passwords out of Terraform code file
Solution 1:
Depending on how your deployment is set up, you can generate a password (random_password), store it securely in a Key Vault, and reference it later when deploying your SQL. You can also reference an existing Key Vault secret to be your password.
Some links related to this from Terraform:
Creation of key vault in Terraform: https://www.terraform.io/docs/providers/azurerm/r/key_vault.html
Fetch the secret from an existing Azure Key Vault: https://www.terraform.io/docs/providers/azurerm/d/key_vault_secret.html
Information related to Azure Key Vault can be found here: https://azure.microsoft.com/en-us/services/key-vault/
Solution 2:
As the simplest option, you can remove the default value of the variable and pass the variable when you execute terraform plan or apply. Just export TF_SQL_SERVER_ADMIN_PASSWORD=<password> and run the terraform commands. Also, it could be securely passed during builds. Integrating Azure KeyVault or HashiCorp Vault to retrieve the variables is a more complex, but more secure, way to do this.