Pulumi: how to create an ApplicationPassword and let Azure set the value

Question

I'd like to be able to do the following:

• Generate an ApplicationPassword without generating the actual value for the password (let Azure do it, similar to the way Azure generates the secret value for you in the UI, or that secretText is a return value from this azure api method: https://learn.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http)
• Put that secret in an Azure key vault
• Redeploy the stack without having it generate a new secret everytime

Is this possible?

The reason I'd like to not specify the secret value, is that I then need to commit the secret value to code, which I don't want.

The only workaround I can think of is generating the secret value in code, storing it in keyvault, retrieving it from keyvault and using that to create the ApplicationPassword, but then that would cause Pulumi to create a new secret in the keyvault (and then a new ApplicationPassword) each time I deploy the stack.

Answer 1

You can use the RandomPassword resource to generate a password that is stable between multiple runs of the same stack. It's generated once and then stored in the state file.

const password = new random.RandomPassword("password", {
    length: 16,
    special: true,
});

// use password.result somewhere