When deploying Azure resources that require an instantly generated secure password (such as Virtual Machines, SQL Databases, or Key Vault Secrets), it’s crucial to generate strong, random passwords programmatically rather than by hand. A custom PowerShell module can provide a function for exactly that. In this post I will break down the usage of a custom PowerShell module named idp.utilities.

Note: Download the idp-utilities module on GitHub

While Bicep files themselves do not directly execute PowerShell, you can leverage this PowerShell module in your deployment process to generate secure passwords and pass them as parameters to your Bicep templates. Here’s how you can achieve this:

1. Import the PowerShell module

Ensure that you download the idp.utilities module and it is imported into your PowerShell session:

# Import the latest version from a specified path
$name = 'idp.utilities'
$params = @{
    Name            = ('.\modules\{0}' -f $name)
    Force           = $true
}
Import-Module @params -ErrorAction Stop

# Verify the module is loaded
Get-Module -Name 'idp.utilities'

2. Prepare a Bicep file with a Secure parameter

Create (or update) a Bicep file to accept a secure password parameter.

This example demonstrates secure parameter handling in Bicep. For simplicity this template outputs the adminPassword, which should never be done in production environments.

// ---------- //
// PARAMETERS //
// ---------- //

@description('Required. This value should be passed.')
@secure()
param adminPassword string

// ------- //
// OUTPUTS //
// ------- //

#disable-next-line outputs-should-not-contain-secrets // Only for test purposes
output adminPassword string = adminPassword

3. Generate a Secure Password and Deploy the Bicep File

Create a PowerShell deployment script named Deploy-WithSecurePassword.ps1 that uses the idp.utilities module to generate a secure password and then deploys the Bicep template.

Note: Use Connect-AzAccount to login to Azure before running this script.

Tip: For production deployments, consider storing the generated password in Azure Key Vault for enhanced security and centralized secret management. Implementing Key Vault integration is beyond the scope of this example.

# Generate a password with the module's default settings, returned as a SecureString
$secureString = New-PasswordAsSecureString

# Define deployment parameters
$params = @{
    Name          = 'dep-vmwinsecpwd-tst-123456'
    Location      = 'westeurope'
    TemplateFile  = 'main.bicep'
    adminPassword = $secureString
}

# Deploy the Bicep file with Azure PowerShell
$deployment = New-AzDeployment @params -Verbose

# Optional. Check your deployment output
$deployment.outputs.adminPassword

4. Execute the PowerShell Deployment Script

Run the PowerShell script to deploy your Bicep file while leveraging the secure password generation from the idp.utilities module.

.\Deploy-WithSecurePassword.ps1
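The post does not show what New-PasswordAsSecureString does internally. The following is an added, stand-alone illustration (not code from the idp.utilities module) of what a sound generator for this deployment flow needs to do: draw characters from a cryptographic RNG without modulo bias, satisfy a complexity rule, and hand back a read-only SecureString. The function name is hypothetical, and the 12..123 length range and "at least three of four character classes" rule are assumed from Azure VM admin password requirements; adjust them for other resource types.

```powershell
# Added illustration, not part of idp.utilities: a cryptographically random
# password returned as a SecureString. Assumed: 12..123 length range and the
# "3 of 4 character classes" rule used for Azure VM admin passwords.
function New-RandomSecurePassword {
    [CmdletBinding()]
    param([ValidateRange(12, 123)][int]$Length = 24)
    $classes  = @('abcdefghijklmnopqrstuvwxyz', 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
                  '0123456789', '!@#$%^&*()-_=+[]{}:,.?')
    $alphabet = [char[]]($classes -join '')

    # CSPRNG with rejection sampling (no modulo bias). Avoids Get-Random, which
    # is not designed for secrets, and runs on Windows PowerShell 5.1 and 7+.
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 4
    $nextIndex = {
        param([int]$Count)
        # Largest multiple of $Count below 2^32; values at or above it are discarded.
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Count)
        do {
            $rng.GetBytes($buffer)
            $value = [System.BitConverter]::ToUInt32($buffer, 0)
        } while ($value -ge $limit)
        [int]($value % [uint32]$Count)
    }

    $chars = New-Object char[] $Length
    # One character from every class first, so the complexity rule always holds ...
    for ($i = 0; $i -lt $classes.Count; $i++) {
        $chars[$i] = $classes[$i][(& $nextIndex $classes[$i].Length)]
    }
    # ... then fill the remainder from the full alphabet ...
    for ($i = $classes.Count; $i -lt $Length; $i++) {
        $chars[$i] = $alphabet[(& $nextIndex $alphabet.Length)]
    }
    # ... and Fisher-Yates shuffle so the guaranteed characters are not at fixed positions.
    for ($i = $Length - 1; $i -gt 0; $i--) {
        $j = & $nextIndex ($i + 1)
        $t = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $t
    }

    # Build the read-only SecureString, then scrub the plaintext copy from memory.
    $secure = New-Object System.Security.SecureString
    foreach ($c in $chars) { $secure.AppendChar($c) }
    $secure.MakeReadOnly()
    [Array]::Clear($chars, 0, $chars.Length)
    $rng.Dispose()
    return $secure
}
# Drop-in for the deployment script: $secureString = New-RandomSecurePassword -Length 32
```

Because the value never exists as a plain System.String, it cannot leak through transcript logging or Write-Host, and the read-only flag prevents later mutation before it reaches New-AzDeployment.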

Conclusion

This approach combines the declarative power of Bicep with the secure password generation capabilities of the idp.utilities PowerShell module, ensuring your Azure deployments follow security best practices with integrated secret management from the start.