[deadbunny]

(Using the IAM module because I'm lazy)

module "iam-user_foobar" { source = "terraform-aws-modules/iam/aws//modules/iam-user" version = "2.3.0" name = "foobar" pgp_key = "keybase:foobar" force_destroy = true create_iam_user_login_profile = true create_iam_access_key = false password_length = "${var.password_length}" }

This sets the users password then PGP encrypts the password with their keys from keybase. You can then use the module output to get the pgp encrypted password and pass it to the user (manually, email etc...).

Otherwise it will put the password in plaintext in the state, not a massive issue as you can set it to require changing next login. But eliminates the even slight chance of leakage.

[vageli]

You can also encrypt the state with KMS (for example) and manage access to the key to prevent casual access to your secrets in statefiles. Uploading encrypted values in state is interesting though and using keybase for that is awesome!