Is there a way to generate random encrypted secrets

I love how this module allows me to specify a pgp_key for storing in state, and outputting the random generated password for a user:

Terraform has some encryption helpers for providers to use that make this easy to implement, but is there any way to do something similar directly from a terraform module?

All my searches seems to suggest there’s no way to do so, bar write my own provider.

Edit: fix typo

Oh, neat find!

Unfortunately, I don’t think there’s any way to use that in a module other than writing a custom provider, as you mentioned. The only thing that comes close is using the aws_secretsmanager_secret_version resource to read a secret from AWS Secrets Manager. That resource doesn’t store the secret itself in the state. Of course, as soon as you pass the secret to some other resource, it might be stored in state, so that might not be all that useful.

That PGP approach does look promising; hopefully, they’ll extend it to work with other resources too.

Actually, that’s probably the exact reason they didn’t expose this to module writers: Everyone will end up thinking they’ve something secure and won’t realise they’re exposing secrets.

Could be!

Ideally, you’d have some easy way to globally mark a parameter as sensitive, whereby Terraform will either not store it at all or only store an encrypted version of it in state:

resource "foo" "bar" {
  username = "${var.username}"
  password = "${var.password}"

  sensitive_params = ["username", "password"]

And for certain resources, some params will be sensitive automatically (e.g., all password params).