I know that I can generate random bytes in Terraform easily enough:
resource "random_id" "foo" {
  byte_length = 32
}

resource "something_else" "foo" {
  secret = sensitive(random_id.foo.b64std)
}
However, the output of the random_id resource is not marked sensitive, and the value is exposed in logs as the resource id, even though its use in something_else is redacted by the sensitive() function.
I know that random_password is treated as secure, but it doesn't provide the ability to generate raw random bytes.
Is there a good way to generate a secure bunch of random bytes as a Terraform-managed resource?
(I'm aware that the value will always be visible in the state file, but we manage that already. I'm worried about output log files that will be much more widely visible.)
EDIT: I found a request to mark random_id secure but the idea was rejected as outside the intended use.
I know this is an old topic, but there is also random_bytes, which has its output marked as sensitive per documentation:
resource "random_bytes" "this" {
  length = 32
}
You can then get the value as base64 or as hex:
random_bytes.this.hex
random_bytes.this.base64
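A complete configuration built on the answer above, added here as an example and not the answerer's own code: it pins the random provider (the version floor is an assumption; random_bytes does not exist in older releases), exposes both encodings as sensitive outputs so plan and apply logs redact them, and uses keepers so the bytes can be rotated on purpose rather than by accident.

```hcl
terraform {
  required_providers {
    random = {
      source  = "hashicorp/random"
      version = ">= 3.5.0" # assumed minimum: the release that added random_bytes
    }
  }
}

variable "secret_rotation" {
  type        = string
  default     = "2024-01" # constructed placeholder; change it to force a new secret
  description = "Opaque marker; any change regenerates random_bytes.secret."
}

# 32 raw random bytes (256 bits), e.g. for a symmetric key or HMAC secret.
# Unlike random_id, the provider marks base64 and hex as sensitive, so the
# value is not printed as a resource id in plan/apply output.
resource "random_bytes" "secret" {
  length = 32

  # Changing any keeper forces replacement, which is how the secret is rotated.
  keepers = {
    rotation = var.secret_rotation
  }
}

# Outputs that reference a sensitive value must themselves be declared
# sensitive, otherwise terraform refuses to apply. Both encodings are the
# same bytes; pick whichever the consuming system expects.
output "secret_base64" {
  value     = random_bytes.secret.base64
  sensitive = true
}

output "secret_hex" {
  value     = random_bytes.secret.hex
  sensitive = true
}
```

After apply, `terraform output secret_hex` prints `<sensitive>`; only `terraform output -raw secret_hex` reveals the value, so keep that command out of CI job logs.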