Feature Request: Allow Credential Creation in aws_secretsmanager_secret_version Resource #4353

Closed
bflad opened this issue Apr 25, 2018 · 7 comments
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/secretsmanager Issues and PRs that pertain to the secretsmanager service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@bflad
Contributor

bflad commented Apr 25, 2018

We recently released the aws_secretsmanager_secret_version resource, which allows you to pass in a secret_string to create a secret version in the service. In a post-release comment it was suggested that it might be nice if Terraform could generate the secret rather than requiring it to be passed in.

The Secrets Manager API provides an endpoint called GetRandomPassword. This is a feature request to implement support to call that endpoint, then pass the result into SecretString, or randomly generate a secret via crypto/rand, similar to aws_iam_user_login_profile.

Please vote on this issue by adding a 👍 reaction to the original issue to help prioritize interest. If you're interested in implementing this feature request, please comment below.

Terraform Version

terraform 0.10+

Affected Resource(s)

  • aws_secretsmanager_secret_version

Terraform Configuration Files

# Example implementation with GetRandomPassword, may change when developed
resource "aws_secretsmanager_secret_version" "example" {
  # ... other configuration ...
  generate_random_password { # optional
    exclude_characters = false
    exclude_lowercase = false
    exclude_numbers = false
    exclude_punctuation = false
    exclude_uppercase = false
    include_space = false
    password_length = 32
    require_each_included_type = true
  }
}

Expected Behavior

Resource does not require secret_string attribute and generates a random password (via call to GetRandomPassword or crypto/rand implementation).

Actual Behavior

New feature.

References

@bflad bflad added enhancement Requests to existing resources that expand the functionality or scope. service/secretsmanager Issues and PRs that pertain to the secretsmanager service. labels Apr 25, 2018
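
A sketch of the crypto/rand alternative mentioned in the request, as an added example that is not code from the issue or from the provider. The `Options` type and `Generate` function are hypothetical names that mirror the proposed `generate_random_password` arguments; `exclude_characters` is left out, and treating a space as optional rather than as a required type is an assumption of this example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
)

type Options struct { // hypothetical Go mirror of the proposed generate_random_password block
	ExcludeLowercase, ExcludeUppercase, ExcludeNumbers, ExcludePunctuation, IncludeSpace, RequireEachIncludedType bool
	PasswordLength                                                                                                int
}

// Generate draws uniformly from all passwords that satisfy o.
func Generate(o Options) (string, error) {
	off := []bool{o.ExcludeLowercase, o.ExcludeUppercase, o.ExcludeNumbers, o.ExcludePunctuation}
	all := []string{"abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789", "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"}
	alphabet, need := "", 0 // enabled characters, number of enabled classes
	for i, chars := range all {
		if !off[i] {
			alphabet, need = alphabet+chars, need+1
		}
	}
	if o.IncludeSpace {
		alphabet += " " // assumption: space widens the alphabet but is not a required type
	}
	if alphabet == "" || o.PasswordLength < 1 || (o.RequireEachIncludedType && o.PasswordLength < need) {
		return "", fmt.Errorf("no password of length %d satisfies the options", o.PasswordLength)
	}
retry:
	for {
		buf := make([]byte, o.PasswordLength)
		for i := range buf {
			n, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet)))) // uniform index, no modulo bias
			if err != nil {
				return "", err
			}
			buf[i] = alphabet[n.Int64()]
		}
		for i, chars := range all {
			if o.RequireEachIncludedType && !off[i] && !strings.ContainsAny(string(buf), chars) {
				continue retry // redraw all: patching a character in would skew the distribution
			}
		}
		return string(buf), nil
	}
}
func main() { fmt.Println(Generate(Options{PasswordLength: 32, RequireEachIncludedType: true})) }
```

Whichever generator is used, the value still ends up in `secret_string` and therefore in the Terraform state file, so the state backend needs the same access controls as the secret itself.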
@teamhanded

This would be phenomenal, since the endpoint is a part of Secrets Manager itself instead of using Terraform resources. For example, I'm resorting to this right now, which is hackish:

resource "random_string" "secret" {
  length  = "${var.secret_length}"
  special = true
  number  = true
  upper   = true
  lower   = true
}

resource "aws_secretsmanager_secret_version" "dummy-test-credentials" {
  secret_id     = "${var.secrets_manager_secret_id}"
  secret_string = "${random_string.secret.result}"
}

In my opinion, creating the credential (e.g. prod/platforms/mysql/credentials/root) natively (using the AWS-provided API endpoint) is much more manageable.

@teamhanded

@bflad Any updates on this?

@bflad
Contributor Author

bflad commented Jun 26, 2018

This is not currently planned on our internal roadmap, but we would happily take a look at a pull request.

@joshuatalb

Any updates on this? I'm currently using the hacky approach in @teamhanded's comment and getting this merged would be awesome.

@tomaszdudek7

Any updates?

@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label May 17, 2021
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 17, 2021