Terraform – FotD – bcrypt()

This is part of an ongoing series of posts documenting the built-in interpolation functions in Terraform. For more information, check out the beginning post. In this post I am going to cover the bcrypt() function. The example files are on GitHub here.

What is it?

Function name: bcrypt(string, count)

Returns: The bcrypt function takes a string and computes a hash of it with the Blowfish-based bcrypt algorithm at the specified cost, returning the hash string. The cost defaults to 10.

Example:

variable "bcrypt" {
  default = "1234"
}

# Return value varies from run to run because a new random salt is generated each time
# I got back $2a$05$0uOnQG9a8YjBRCBM4blwfOejPZ9RAfFVK2dxdVAsh2ovkzt0ZkBCO
output "bcrypt" {
  value = "${bcrypt(var.bcrypt,5)}"
}

Example file:

##############################################
# Function: bcrypt
##############################################
##############################################
# Variables
##############################################
variable "bcrypt" {
  default = "So long, and thanks for all the fish!"
}

##############################################
# Resources
##############################################
##############################################
# Outputs
##############################################

#Cost defaults to 10
output "bcrypt_no_cost" {
  value = "${bcrypt(var.bcrypt)}"
}

output "bcrypt_5_cost" {
  value = "${bcrypt(var.bcrypt, 5)}"
}

output "bcrypt_12_cost" {
  value = "${bcrypt(var.bcrypt, 12)}"
}

Run the following from the bcrypt folder to get example output for a number of different cases:

#Start with the default variable
terraform apply

#Try submitting a string
terraform apply -var 'bcrypt="Oh freddled gruntbuggly, Thy micturations are to me, As plurdled gabbleblotchits on a lurgid bee."'

#Empty string test
terraform apply -var "bcrypt="

Why use it?

Bcrypt is a pretty secure way to create a hash of a string. You can strengthen the hash with the count parameter: the higher the count, the more work each hash (and each guess at the input) takes, or at least that’s the overall idea. Again, this is the sort of thing that will probably be used by the External provider or maybe when using the remote-exec provisioner.

Lessons learned

I have to be honest here, I didn’t really know anything about the bcrypt process before I started learning about this function. In that regard, it was an excellent learning experience. If you want to know more about the bcrypt hash, I definitely recommend reading through the Wikipedia article. The format of the output is especially interesting. Take this example:

$2a$12$hUy7uT6.K8B2cPNCdErpCOpx0.fXdeg1CWgHWULEw0Z4Vx2AINh02

The $2a refers to the version of bcrypt being used. The $12 means that 2^12 (4096) passes were performed. The next 22 characters are a 128-bit salt for the hash (hUy7uT6.K8B2cPNCdErpCO) and the remainder is the 184-bit hash (px0.fXdeg1CWgHWULEw0Z4Vx2AINh02). Another thing I realized was that setting the count to something high, like 20, means that your computer will be busy for a while. I recommend exercising caution.
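The layout described above, as an added example that is not part of the original post: a standard-library Python parser that splits a bcrypt string into its fields and decodes the salt and hash with bcrypt's own base64 alphabet. The function names and the `min_cost` threshold of 10 (Terraform's default cost) are assumptions of this example.

```python
import re

# bcrypt's base64 alphabet: not RFC 4648, and never padded.
ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# $<version>$<2-digit cost>$<22-char salt><31-char hash>
HASH_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")


def bcrypt_b64decode(text, nbytes):
    """Decode bcrypt base64 text, keeping the first nbytes bytes."""
    acc = nbits = 0
    out = bytearray()
    for ch in text:
        acc = (acc << 6) | ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((acc >> nbits) & 0xFF)
    return bytes(out[:nbytes])


def parse_bcrypt(hash_string, min_cost=10):
    """Split a bcrypt string into fields; min_cost is this example's policy."""
    m = HASH_RE.fullmatch(hash_string)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash string")
    version, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # 4..31 is the valid bcrypt cost range
        raise ValueError("cost out of range: %d" % cost)
    return {
        "version": version,
        "cost": cost,
        "passes": 2 ** cost,
        "salt": bcrypt_b64decode(salt, 16),    # 128-bit salt
        "hash": bcrypt_b64decode(digest, 23),  # 184-bit hash
        "below_min_cost": cost < min_cost,
    }


if __name__ == "__main__":
    # The two hash strings quoted in the post.
    for s in ("$2a$12$hUy7uT6.K8B2cPNCdErpCOpx0.fXdeg1CWgHWULEw0Z4Vx2AINh02",
              "$2a$05$0uOnQG9a8YjBRCBM4blwfOejPZ9RAfFVK2dxdVAsh2ovkzt0ZkBCO"):
        info = parse_bcrypt(s)
        print(info["version"], info["cost"], info["passes"],
              info["salt"].hex(), "WEAK" if info["below_min_cost"] else "ok")
```

A check like this can run over Terraform outputs or configuration files to flag hashes generated with a cost below the chosen minimum, such as the cost-5 example earlier in the post.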

Coming up next is ceil() which I assume has little to do with our mammalian, aquatic friends.
