Azure / bicep

Bicep is a declarative language for describing and deploying Azure resources
MIT License

Password Generation #440

Open Tapanila opened 4 years ago

Tapanila commented 4 years ago

Is your feature request related to a problem? Please describe. Generating a random password for a VM is cumbersome when doing deployments.

Describe the solution you'd like I would like to see a bicep feature that would generate a random password.

alex-frankel commented 4 years ago

interesting idea that we will discuss. If we schedule the work, it will be done at the ARM JSON level so you can use it in either bicep or ARM Templates

slavizh commented 4 years ago

That could be an ARM function similar to guid(), or maybe, if PowerShell support inside bicep files is allowed, something that is run on bicep build?

Tapanila commented 4 years ago

interesting idea that we will discuss. If we schedule the work, it will be done at the ARM JSON level so you can use it in either bicep or ARM Templates

This would be amazing

Satak commented 4 years ago

PowerShell support inside bicep files

This would be truly a game changer. You could write any logic you want in your PowerShell file/function and just import it into a bicep file. Great idea!

slavizh commented 4 years ago

Proposed that here #417 if you want to vote and discuss.

alex-frankel commented 4 years ago

We discussed this today. This is not something we would like to take on, as generating a cryptographically secure password, with a variety of restrictions based on the resource type, is better handled in a deployment script or by using a key vault to generate the password.

elygre commented 2 years ago

@alex-frankel Do you know if this is something being considered by the key vault team?

Their ARM templates could perhaps support a syntax specifying that a secret is to be created, populated by a secure random value of some sort (which characters, how long).

alex-frankel commented 2 years ago

I don't know if this is something the key vault team is working on. It would be great if someone can open up this request through one of the Key Vault team's feedback channels (I don't think it is UserVoice anymore).

elygre commented 2 years ago

Added a request here: https://feedback.azure.com/d365community/idea/48f64fff-4f51-ec11-a819-0022484e8090

ghost commented 2 years ago

Since you can use PowerShell inline, why not just use PowerShell to generate the password?

resource runPowerShellInline

https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/deployment-script-bicep#sample-bicep-files

# The PasswordProfile type comes from the AzureAD PowerShell module; the second line does the actual generation.
# The pipeline concatenates chars 33..95, chars 97..126 and the digits 0..9, shuffles them and takes the first 14.
$PasswordProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$PasswordProfile.Password = ([char[]]([char]33..[char]95) + ([char[]]([char]97..[char]126)) + 0..9 | Sort-Object { Get-Random })[0..13] -join ''

ghost commented 2 years ago

Just FYI, that's the PS used for generating Key Vault secrets and the MS cryptography module/API. Maybe bicep can just build off of this @alex-frankel?

alex-frankel commented 2 years ago

Generating the password via script is a viable option with the deploymentScripts resource type. You will need to make sure the code is idempotent though, otherwise you will generate a new password and if you update that in a key vault, you are effectively rotating passwords. If the code was reliable and the team approved, we could even create a module in the public registry for password generation.

Even still, it would be more optimal if the KeyVault RP provided (and maintained) the API for this as they are experts in this space.

stan-sz commented 2 years ago

Mildly related to #2806 where, per @alex-frankel's above reply, life would be easier (and more secure) if the corresponding RP would provide a way to generate the cryptographic value (password, SAS token).

ghost commented 2 years ago

That would certainly make it easier; it would make sense if KV had an API to just call. Either way, I've created a module that I can call to generate a password.

param location string = resourceGroup().location
param utcValue string = utcNow()   // utcNow() is only allowed as a parameter default

resource runPowerShellInlineWithOutput 'Microsoft.Resources/deploymentScripts@2020-10-01' = {
  name: 'runPowerShellInlineWithOutput'
  location: location
  kind: 'AzurePowerShell'
  properties: {
    forceUpdateTag: utcValue   // changes on every deployment, so the script (and the password) is regenerated each run
    azPowerShellVersion: '6.4'
    scriptContent: '''
    # 70 candidate characters: ^ _ ` a-z { | } ~ (94..126), A-Z (65..90), / and 0-9 (47..57)
    $charlist = [char]94..[char]126 + [char]65..[char]90 + [char]47..[char]57
    # Get-Random -Count draws without replacement, so the 66 characters are all distinct
    $PasswordProfile = ($charlist | Get-Random -Count 66) -join ''
    # Write-Output lands in the deployment script log in plain text
    Write-Output $PasswordProfile
    $DeploymentScriptOutputs = @{}
    $DeploymentScriptOutputs["text"] = $PasswordProfile
    '''
    timeout: 'PT1H'
    retentionInterval: 'PT1H'   // ISO 8601 duration; 'P1H' is not valid, hours need the T separator
  }
}

output result string = runPowerShellInlineWithOutput.properties.outputs.text

kilasuit commented 2 years ago

My issue with having to make use of a deployment script to do this is that you are just pushing the compute that could be done prior to the deployment to another costing resource. It makes more sense for this to be part of pre-deployment actions run either locally or in your pipeline than to do it in this manner.

Also, that's outputting in plain text, so it isn't viable for any organisation that requires secure development processes to be followed and definitely should not be used in production.
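The three points raised so far (alex-frankel: cryptographically secure generation with resource-specific rules, and idempotency so a re-run does not rotate the password; kilasuit: no plaintext in outputs) can be put together in the deployment script body itself. The script below is an added example, not code from this thread or from the bicep project. It assumes it runs as the scriptContent of a deploymentScripts resource of kind 'AzurePowerShell' (PowerShell 7, so RandomNumberGenerator::GetInt32 is available), that the script's managed identity has secret get/set permissions on the vault, and that the vault and secret names are passed through the resource's environmentVariables property as $env:VaultName and $env:SecretName; the function names are the example's own.

```powershell
# Added example (not from the bicep repo or this thread): deployment-script body that
#   - draws password characters from the .NET CSPRNG instead of Get-Random
#   - checks the result against the Azure VM admin-password rules
#   - writes to Key Vault only if the secret does not exist yet (idempotent)
#   - returns only the secret URI as a script output, never the plaintext
# Assumed: Az PowerShell, PowerShell 7, Key Vault get/set rights for the script identity,
# $env:VaultName / $env:SecretName supplied via the resource's environmentVariables.
using namespace System.Security.Cryptography

function Test-AzureVmPassword {
    # Azure Windows VM rules: 12-123 characters, at least 3 of the 4 classes
    # (lower, upper, digit, special), and not on the documented disallowed list.
    param([Parameter(Mandatory)] [string] $Password)

    if ($Password.Length -lt 12 -or $Password.Length -gt 123) { return $false }

    $disallowed = 'abc@123', 'P@$$w0rd', 'P@ssw0rd', 'P@ssword123', 'Pa$$word',
                  'pass@word1', 'Password!', 'Password1', 'Password22', 'iloveyou!'
    if ($disallowed -contains $Password) { return $false }

    # -cmatch is case-sensitive; a plain -match would count 'A' as [a-z].
    $classCount = @(
        ($Password -cmatch '[a-z]'),
        ($Password -cmatch '[A-Z]'),
        ($Password -match  '[0-9]'),
        ($Password -match  '[^A-Za-z0-9]')
    ).Where({ $_ }).Count
    return $classCount -ge 3
}

function New-StrongPassword {
    param([ValidateRange(12, 123)] [int] $Length = 32)

    # Alphabet deliberately excludes quotes, backslash and backtick so the value
    # survives JSON, ARM parameter files and shell quoting unchanged.
    $alphabet = 'abcdefghijklmnopqrstuvwxyz' +
                'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
                '0123456789' +
                '!#$%&()*+,-./:;<=>?@[]^_{|}~'

    do {
        # RandomNumberGenerator::GetInt32 is CSPRNG-backed and rejection-sampled,
        # so every index is uniform over the alphabet (no modulo bias).
        $chars = foreach ($i in 1..$Length) {
            $alphabet[[RandomNumberGenerator]::GetInt32($alphabet.Length)]
        }
        $candidate = -join $chars
    } until (Test-AzureVmPassword -Password $candidate)
    return $candidate
}

function Set-VmPasswordSecretIfAbsent {
    param(
        [Parameter(Mandatory)] [string] $VaultName,
        [Parameter(Mandatory)] [string] $SecretName
    )

    # Idempotency check: Get-AzKeyVaultSecret returns $null (no error) when the secret
    # does not exist. An existing secret is reused, never overwritten or rotated.
    $existing = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName
    if ($null -ne $existing) { return $existing.Id }

    $secure  = ConvertTo-SecureString -String (New-StrongPassword -Length 32) -AsPlainText -Force
    $created = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName `
                                    -SecretValue $secure -ContentType 'vm-admin-password'
    return $created.Id
}

# Entry point. Only the secret identifier leaves the script; the Bicep side then reads
# the value with keyVault.getSecret() into a @secure() parameter of the VM module.
$secretId = Set-VmPasswordSecretIfAbsent -VaultName $env:VaultName -SecretName $env:SecretName
$DeploymentScriptOutputs = @{ secretId = $secretId }
```

Two caveats when wiring this into the resource above: a `forceUpdateTag` based on utcNow() re-runs the script on every deployment, which is exactly why the existence check comes first; and if the vault has soft delete enabled and a secret with the same name sits in the deleted state, Set-AzKeyVaultSecret fails with a conflict until that secret is recovered or purged.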

ghost commented 2 years ago

Well, I can secure the output, plus the output only lasts for about an hour and then disappears, and I can inject and secure the output into Key Vault. I just wanted to prove that it could be done through bicep; I would use a different process of just managing the password rotation after the fact with LAPS or CyberArk. But some people want to handle this through the DSL. If Terraform has the ability to do this then bicep should offer it too. I mean, honestly, all you really need is an extensible random string generator; you can model the formula I pasted. Bicep already has newGuid() and uniqueString() functions, why not a strong random string function? I'd use Pulumi first before Terraform though.

onionhammer commented 2 years ago

This would be a very useful addition for when keys are unavoidable.

keamas commented 1 year ago

please implement password generator +++

Jackmt9 commented 7 months ago

This would be very useful, as Windows VMs currently require a password and do not support Entra ID only. It would only make sense to be able to automatically generate a password on the initial run, save it to KV, and then reference it when trying to deploy a VM. I'm unsure why there hasn't been any movement on this ticket.

moha999 commented 6 months ago

I think my search is around this case. I need to create an Azure pipeline that generates a random password and saves this password into KV. The pipeline is triggered every time the generation function is called by a bicep file which includes a resource deployment file, for example a new VM. I'd appreciate any help with my issue.