how to keep passwords out of terraform code file

azure terraform

Solution 1:

Depending on how your deployment is setup. You can generate a password (random_password) and store it securely in a keyvault and reference it further on when deploying your SQL. You can also reference an existing keyvault secret to be your password.

Some links related to this from Terraform:

Creation of key vault in Terraform: https://www.terraform.io/docs/providers/azurerm/r/key_vault.html

Fetch the secret from an existing Azure Key Vault: https://www.terraform.io/docs/providers/azurerm/d/key_vault_secret.html

Information related to Azure Key Vault can be found here: https://azure.microsoft.com/en-us/services/key-vault/

Solution 2:

As the simplest option, you can remove the default value of the variable and pass the variable when execute terraform plan or apply. Just export TF_SQL_SERVER_ADMIN_PASSWORD=<password> and run terraform commands. Also, it could be securely passed during builds. Integrating Azure KeyVault or HashiCorp Vault to retrieve the variables are a more complex, but more secure way to this.

Related

NIC spontaneously switches between 100 and 1000 Mbit [closed]
Moving an AD user account from one domain to another within same forest
kernel reported iSCSI connection 1:0 error (1022-Invalid or unknown error code) state (3) Fed 25/VessRaid/rsnapshot
Sysprep: Does it remove Windows Credentials from an user account?
Root cannot access a directory - access denied
AWS EC2 access attempts on blocked ports
uwsgi vassal does not use virtualenv
Wireguard routing from wg1 to wg0
Why UFW port range / number for ports is limited to 15 ports? [closed]
Identify cat5 and cat5e wiring visually
"To the best of one's ability" - Synonym?
English equivalent of Greek "στο πτυχίο"