Add a hash to random_password #73

Closed
wants to merge 1 commit into from

tommyknows
Contributor

Hi,

Problem

We have experienced cases where we need to hash a password with bcrypt. The bcrypt function in Terraform always generates a new hash on every run (which is according to spec). However, this can be annoying to use.
For example:

```hcl
resource "random_password" "password" {
  length  = 20
  special = true
}

# store the password in vault
resource "vault_generic_secret" "password" {
  path         = "/passwords/mypassword"
  disable_read = true

  data_json = <<EOT
{
  "password": "${random_password.password.result}",
  "bcrypt_hash": "${bcrypt(random_password.password.result)}"
}
EOT
}
```

In this example, vault_generic_secret.password gets changed on every run. There is also no way (at least no obvious one) to work around this problem - ignore_changes cannot be used when this kind of interpolation is required.

Solution

The solution to this is to add a bcrypt_hash field to the random_password resource. This always returns the same hash (as it is stored in the Terraform state), unless the password (random string) itself is changed.
With that, the above use case can be done just by doing

```hcl
  data_json = <<EOT
{
  "password": "${random_password.password.result}",
  "bcrypt_hash": "${random_password.password.bcrypt_hash}"
}
EOT
```
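
Added example, not part of the original PR or the provider's code: a small Go model of why an inline `bcrypt()` call yields a diff on every run while a hash kept in state does not. `State`, `PlanInline`, `PlanStored` and `saltedHash` are hypothetical names, and salted SHA-256 stands in for bcrypt only to reproduce its fresh-salt-per-call behaviour.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// saltedHash is a stand-in for bcrypt (assumption): like bcrypt it draws a
// fresh random salt on every call and embeds it in the output. Salted SHA-256
// is not a password hash; a real provider would call a bcrypt library here.
func saltedHash(password string) string {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	sum := sha256.Sum256(append(salt, password...))
	return hex.EncodeToString(salt) + "$" + hex.EncodeToString(sum[:])
}

// State is a constructed model of the attributes kept in Terraform state;
// note that the password and its hash both live there.
type State struct{ Password, Hash string }

// PlanInline models bcrypt(...) interpolated in config: the hash is recomputed
// on every run, so the string stored in state never matches the new one.
func PlanInline(s *State, password string) (changed bool) {
	h := saltedHash(password)
	changed = s.Hash != h
	s.Password, s.Hash = password, h
	return changed
}

// PlanStored models the proposed attribute: hash once when the password is
// created or replaced, otherwise return the value already in state.
func PlanStored(s *State, password string) (changed bool) {
	if s.Hash != "" && s.Password == password {
		return false
	}
	s.Password, s.Hash = password, saltedHash(password)
	return true
}

func main() {
	inline, stored := &State{}, &State{}
	for run := 1; run <= 3; run++ {
		a, b := PlanInline(inline, "constructed-pw"), PlanStored(stored, "constructed-pw")
		fmt.Printf("run %d: inline changed=%v, stored changed=%v\n", run, a, b)
	}
}
```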

@tommyknows
Contributor Author

@appilon
@radeksimko

Some feedback would be highly appreciated, thanks.

@tommyknows
Contributor Author

Noticed that with the cost as a variable, all resources would get recreated and thus may break existing things.
I have removed the cost and am just using the default value now instead.

@mstarostik

Just what I've been looking for for a while now and seems to be working as intended. Please go for it, this increases bcrypt()'s usefulness by orders of magnitude.

@hashicorp-cla

hashicorp-cla commented Jun 8, 2020

CLA assistant check
All committers have signed the CLA.

@tommyknows tommyknows force-pushed the password-hash branch 2 times, most recently from a87203d to db3a41d Compare June 9, 2020 08:11
@ghost ghost added size/M and removed size/XL labels Jun 9, 2020
Using the `bcrypt` function from terraform can be annoying to use
in cases where you cannot ignore changes with `lifecycle` (like
data resources or interpolation).
In these cases, a password can be generated with the random_password
resource and the hash can be used directly from the newly added
attribute.
@tommyknows
Contributor Author

Signed the CLA, rebased and cleaned up the commit.

@stefansedich

Looking for this myself!

@JSN-1

JSN-1 commented Jul 7, 2020

I would really like this option as well.

@yunuscanemre

yunuscanemre commented Sep 23, 2020

We are also eagerly waiting on this fix. Any idea when it will be merged?

@xanderflood

xanderflood commented Sep 24, 2020

Also very eager to be able to use this!

@xanderflood

I posted a workaround in this related GH issue for anyone struggling with this

Base automatically changed from master to main February 1, 2021 17:23
@KarstenSiemer

Will this ever come? 😭

@bendbennett
Contributor

Hi @tommyknows, thank you for submitting this PR and apologies that it has taken a while for us to get to this.

The proposed changes look good. There have been some significant changes to the random provider since your original submission. In order to incorporate your changes, could you either rebase or let us know that you'd like us to move forward with your proposal?

@bendbennett bendbennett added this to the v3.2.0 milestone May 17, 2022

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 27, 2024