The mysql_user_password resource sets and manages a password for a given user on a MySQL server.

~> NOTE on MySQL Passwords: This resource conflicts with the password argument for mysql_user. This resource uses PGP encryption to avoid storing unencrypted passwords in Terraform state.

~> NOTE on How Passwords are Created: This resource automatically generates a random password. The password will be a random UUID.

resource "mysql_user" "jdoe" {
 user = "jdoe"
}

resource "mysql_user_password" "jdoe" {
 user    = "${mysql_user.jdoe.user}"
 pgp_key = "keybase:joestump"
}

You can rotate passwords by running terraform taint mysql_user_password.jdoe. The next time Terraform applies a new password will be generated and the user's password will be updated accordingly.

The following arguments are supported:

• user - (Required) The IAM user to associate with this access key.
• pgp_key - (Required) Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists.
• host - (Optional) The source host of the user. Defaults to localhost.

The following additional attributes are exported:

• key_fingerprint - The fingerprint of the PGP key used to encrypt the password
• encrypted_password - The encrypted password, base64 encoded.

~> NOTE: The encrypted password may be decrypted using the command line, for example: terraform output encrypted_password | base64 --decode | keybase pgp decrypt.