Terraform
Ephemerality in resources
Managing infrastructure often requires creating and handling sensitive values that you may not want Terraform to persist outside of the current operation. Terraform provides two tools for resources to manage data you do not want to store in state or plan files: the ephemeral
resource block and ephemeral write-only arguments on specific resources.
Ephemeral resources
The ephemeral
block defines resources that are essentially temporary. Ephemeral resources have a unique lifecycle, and Terraform does not store information about ephemeral resources in state or plan files. Each ephemeral
block describes one or more ephemeral resources, such as a temporary password or connection to another system.
To learn more about the ephemeral
resource block, refer to ephemeral
block reference.
Write-only arguments
Terraform's managed resources, defined by resource
blocks, can include ephemeral arguments, called write-only arguments. Write-only arguments are only available during the current Terraform operation, and Terraform does not store them in state or plan files.
Use write-only arguments to securely pass temporary values to resources during a Terraform operation without worrying about Terraform persisting those values. For example, the aws_db_instance
resource has a write-only password_wo
argument that accepts a database password:
ephemeral "random_password" "db_password" {
length = 16
override_special = "!#$%&*()-_=+[]{}<>:?"
}
resource "aws_secretsmanager_secret" "db_password" {
name = "db_password"
}
resource "aws_secretsmanager_secret_version" "db_password" {
secret_id = aws_secretsmanager_secret.db_password.id
secret_string_wo = ephemeral.random_password.db_password.result
secret_string_wo_version = 1
}
ephemeral "aws_secretsmanager_secret_version" "db_password" {
secret_id = aws_secretsmanager_secret_version.db_password.secret_id
}
resource "aws_db_instance" "example" {
instance_class = "db.t3.micro"
allocated_storage = "5"
engine = "postgres"
username = "example"
skip_final_snapshot = true
password_wo = ephemeral.aws_secretsmanager_secret_version.db_password.secret_string
password_wo_version = aws_secretsmanager_secret_version.db_password.secret_string_wo_version
}
When Terraform creates the aws_db_instance
resource, Terraform sends the password_wo
value to the aws
provider. The aws
provider then uses the password_wo
value to create the database instance, and then Terraform discards the password value without ever storing it.
To learn more about this example and using write-only arguments, refer to the Use write-only arguments.