hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

Feature Request: Provide a way to generate a random password (that doesn't end up in TF state) #1759

Open defreng opened 1 year ago

defreng commented 1 year ago

Hi!

We are using this provider a lot (in combination with Terraform's random_password) to generate some passwords and store them as secrets in Vault.

However, this comes with the big drawback that this secret is now also stored in the Terraform state.

It would be great if there was a resource in this provider to create a new kv secret in Vault with a generated random password that is not kept in the Terraform state store. Something like this:

resource "vault_kv_secret_v2_random" "example" {
  mount = vault_mount.kvv2.path
  name  = "secret"
  field = "password"
}

which would create the secret with data like this:

{
  "password": "random string...."
}
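The drawback described in this request can be measured rather than assumed. The following script, added here as an illustration and not code from the issue or from the provider, walks a v4 `terraform.tfstate` document and lists every attribute of a `random_password` or `vault_kv_secret_v2` resource that still carries secret material, then counts how many times each generated password value appears across the whole state (it is typically copied from the `random_password` result into the Vault resource's `data` and `data_json`). The state document is constructed for the demo; the attribute names (`result`, `bcrypt_hash`, `data`, `data_json`) are the real schema attributes of those two resources.

```python
"""Audit a Terraform state file for generated secrets held in plaintext.

Added example (not from the issue or the provider). Parses a v4 tfstate
document, reports secret-bearing attributes of random_password and
vault_kv_secret_v2 resources, and counts how often each generated password
value occurs anywhere in the state. The sample state below is constructed.
"""
import json

# Constructed sample state: a random_password feeding a vault_kv_secret_v2.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.0",
    "resources": [
        {
            "mode": "managed",
            "type": "random_password",
            "name": "db",
            "instances": [{
                "attributes": {
                    "length": 16,
                    "result": "constructed-pw-1234",
                    "bcrypt_hash": "$2a$10$constructedhashvalue",
                },
                "sensitive_attributes": [],
            }],
        },
        {
            "mode": "managed",
            "type": "vault_kv_secret_v2",
            "name": "db",
            "instances": [{
                "attributes": {
                    "mount": "secret",
                    "name": "db",
                    "data_json": "{\"password\":\"constructed-pw-1234\"}",
                    "data": {"password": "constructed-pw-1234"},
                },
                "sensitive_attributes": [],
            }],
        },
        {
            "mode": "managed",
            "type": "vault_mount",
            "name": "kvv2",
            "instances": [{"attributes": {"path": "secret", "type": "kv-v2"}}],
        },
    ],
})

# Attributes that carry secret material for the two resource types the issue
# discusses (names taken from the random and vault provider schemas).
SECRET_ATTRIBUTES = {
    "random_password": ("result", "bcrypt_hash"),
    "vault_kv_secret_v2": ("data_json", "data"),
}


def find_state_secrets(state_text):
    """Return (resource address, attribute) pairs whose value is non-empty."""
    state = json.loads(state_text)
    findings = []
    for res in state.get("resources", []):
        attrs_to_check = SECRET_ATTRIBUTES.get(res.get("type"))
        if not attrs_to_check:
            continue
        address = f'{res["type"]}.{res["name"]}'
        instances = res.get("instances", [])
        for idx, inst in enumerate(instances):
            attributes = inst.get("attributes", {})
            suffix = f"[{idx}]" if len(instances) > 1 else ""
            for attr in attrs_to_check:
                if attributes.get(attr):
                    findings.append((address + suffix, attr))
    return findings


def propagation_counts(state_text):
    """Map each random_password address to the number of times its result
    string occurs in the raw state text (1 means it was not copied elsewhere)."""
    state = json.loads(state_text)
    counts = {}
    for res in state.get("resources", []):
        if res.get("type") != "random_password":
            continue
        for inst in res.get("instances", []):
            value = inst.get("attributes", {}).get("result")
            if value:
                counts[f'random_password.{res["name"]}'] = state_text.count(value)
    return counts


if __name__ == "__main__":
    for address, attr in find_state_secrets(SAMPLE_STATE):
        print(f"secret material in state: {address}.{attr}")
    for address, n in propagation_counts(SAMPLE_STATE).items():
        print(f"{address}: result value appears {n} time(s) in the state")
```

Run it against a real state with `python audit.py < terraform.tfstate` after replacing `SAMPLE_STATE` with `sys.stdin.read()`; a propagation count above one shows the generated value is stored more than once, which is exactly the duplication the requested resource would avoid.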
ddaws commented 1 year ago

Hey @defreng, in this case I think you could just use Vault's transit engine. The transit engine can generate and manage symmetric secrets (aka random passwords for your use case) on demand so you don't need to generate them using Terraform.

You can enable the transit engine and create a key like this

# Enable the transit engine at transit/
resource "vault_mount" "transit" {
  path        = "transit"
  type        = "transit"
  description = "This is an example transit secret engine mount"

  options = {
    convergent_encryption = false
  }
}

# Create a key to be used by your service
resource "vault_transit_secret_backend_key" "key" {
  backend    = vault_mount.transit.path
  name       = "my_key"
  # Keys are not exportable by default; without this the export path below returns an error
  exportable = true
}

Your service should have a policy like

path "transit/export/encryption-key/my_key/latest" {
  capabilities = ["read"]
}

Then in your service you can get a random password on demand by rendering a template like

{{ with secret "transit/export/encryption-key/my_key/latest" }}
{{/* The export API returns a "keys" map keyed by version number, not a single "key" field */}}
{{ range $version, $key := .Data.keys }}
password = {{ $key }}
{{ end }}
{{ end }}

You should double check my template, but this is the general idea. Here are some links to the transit engine API for reference
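For a service that reads the exported key directly over the HTTP API instead of through a template, the part worth getting right is the response shape: the export endpoint returns a `keys` map keyed by version number under `data`, so the consumer has to pick the latest version rather than read a single field. The following client is an added example, not code from the issue or the provider; `fetch_export` performs a real GET against the same path the policy above grants (`transit/export/encryption-key/my_key/latest`) and needs a reachable Vault, while `latest_exported_key` is the pure parsing step, shown here on a constructed response with fake key bytes.

```python
"""Read an exported transit key the way a service would.

Added example (not from the issue or the provider). Assumes the documented
response shape of GET /v1/transit/export/encryption-key/<name>/latest:
{"data": {"name": ..., "type": ..., "keys": {"<version>": "<base64>"}}}.
The sample response below is constructed; the key material is fake.
"""
import json
import urllib.request

# Constructed response in the documented shape (single latest version).
SAMPLE_EXPORT_RESPONSE = json.dumps({
    "request_id": "constructed-request-id",
    "data": {
        "name": "my_key",
        "type": "aes256-gcm96",
        "keys": {"3": "Y29uc3RydWN0ZWQta2V5LXZlcnNpb24tMw=="},
    },
})


def latest_exported_key(response_text):
    """Return (version, key) for the highest version present in data.keys.

    Versions are compared numerically: with keys "2" and "10" present, a
    lexical max would wrongly choose "2".
    """
    payload = json.loads(response_text)
    keys = payload.get("data", {}).get("keys")
    if not keys:
        raise ValueError(
            "export response has no data.keys map; check the policy and "
            "that the key was created with exportable = true"
        )
    version = max(keys, key=int)
    return int(version), keys[version]


def fetch_export(vault_addr, token, key_name="my_key", timeout=5):
    """GET the latest exported key version from Vault (needs network access).

    vault_addr is e.g. "https://vault.example.internal:8200" (placeholder);
    token is a Vault token whose policy allows read on the export path.
    """
    url = f"{vault_addr.rstrip('/')}/v1/transit/export/encryption-key/{key_name}/latest"
    req = urllib.request.Request(url, headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return latest_exported_key(resp.read().decode())


if __name__ == "__main__":
    version, key = latest_exported_key(SAMPLE_EXPORT_RESPONSE)
    print(f"my_key version {version}: {key[:8]}... ({len(key)} base64 chars)")
```

`latest_exported_key` also handles a response from the unversioned export path, which returns every version in the same map, by selecting the highest version number.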