How to keep passwords out of a Terraform code file

Solution 1:

Depending on how your deployment is set up, you can generate a password (random_password), store it securely in a Key Vault, and reference it later when deploying your SQL. You can also reference an existing Key Vault secret to be your password.

Some links related to this from Terraform:

Creation of key vault in Terraform: https://www.terraform.io/docs/providers/azurerm/r/key_vault.html

Fetch the secret from an existing Azure Key Vault: https://www.terraform.io/docs/providers/azurerm/d/key_vault_secret.html

Information related to Azure Key Vault can be found here: https://azure.microsoft.com/en-us/services/key-vault/

Solution 2:

As the simplest option, you can remove the default value of the variable and pass the variable when you execute terraform plan or apply. Just export TF_SQL_SERVER_ADMIN_PASSWORD=<password> and run the terraform commands. It could also be securely passed during builds. Integrating Azure Key Vault or HashiCorp Vault to retrieve the variables is a more complex, but more secure, way to do this.
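The two approaches above combined in one configuration, as an added example that is not code from either answer: a sensitive variable that can be supplied at run time (Terraform reads it from an environment variable named TF_VAR_sql_admin_password), with a generated password as the fallback, stored in an existing Key Vault and passed to the SQL server. The resource names, region and login ("kv-example", "rg-example", "sql-example-01", "westeurope", "sqladmin") are placeholders.

```hcl
# Added example; every name, region and login below is a placeholder.
provider "azurerm" {
  features {}
}

# default = null and sensitive = true: the value is absent from the code and
# redacted in plan/apply output. Set it with the TF_VAR_sql_admin_password
# environment variable, or leave it unset to use the generated password.
variable "sql_admin_password" {
  type      = string
  sensitive = true
  default   = null
}

resource "random_password" "sql_admin" {
  length           = 32
  special          = true
  override_special = "!#%*-_+"
}

locals {
  sql_admin_password = var.sql_admin_password != null ? var.sql_admin_password : random_password.sql_admin.result
}

# Existing vault, looked up rather than created here.
data "azurerm_key_vault" "main" {
  name                = "kv-example"
  resource_group_name = "rg-example"
}

# Store the password in Key Vault so people and pipelines read it from there.
resource "azurerm_key_vault_secret" "sql_admin" {
  name         = "sql-admin-password"
  value        = local.sql_admin_password
  key_vault_id = data.azurerm_key_vault.main.id
}

resource "azurerm_mssql_server" "main" {
  name                         = "sql-example-01"
  resource_group_name          = "rg-example"
  location                     = "westeurope"
  version                      = "12.0"
  administrator_login          = "sqladmin"
  administrator_login_password = azurerm_key_vault_secret.sql_admin.value
}
```

The password is kept out of the .tf files, but Terraform still records it in the state file, so use an encrypted remote backend with restricted access and keep state out of version control.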