{"id":1785,"date":"2025-03-03T20:19:10","date_gmt":"2025-03-03T20:19:10","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/03\/03\/terraform-1-11-brings-ephemeral-values-to-managed-resources-with-write-only-arguments\/"},"modified":"2025-03-03T20:19:10","modified_gmt":"2025-03-03T20:19:10","slug":"terraform-1-11-brings-ephemeral-values-to-managed-resources-with-write-only-arguments","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/03\/03\/terraform-1-11-brings-ephemeral-values-to-managed-resources-with-write-only-arguments\/","title":{"rendered":"Terraform 1.11 brings ephemeral values to managed resources with write-only arguments"},"content":{"rendered":"

Today, we are announcing the general availability of HashiCorp Terraform 1.11, which is ready for download<\/a> and immediately available for use in HCP Terraform<\/a>. This version introduces write-only arguments, which let you use ephemeral values in specific managed resource arguments. <\/p>\n

Extending ephemeral values with write-only arguments<\/h2>\n

In Terraform 1.10<\/a>, we introduced ephemeral values to provide a more secure way to handle sensitive data, such as private keys, API tokens, and other secrets. Ephemeral values in Terraform are not persisted in artifacts like the plan or state file. Terraform 1.10 introduced:<\/p>\n

Ephemeral input variables and output values for temporary or sensitive data, such as short-lived tokens or session identifiers.
\nEphemeral resources, a new language construct that allows Terraform to temporarily reference external data by opening and closing a remote object. <\/p>\n

In Terraform 1.10, ephemeral values could only be used in other ephemeral contexts, such as: <\/p>\n

Ephemeral input variables
\nOutput values
\nProvider and provisioner blocks
\nEphemeral resources<\/p>\n

With Terraform 1.11, you can use ephemeral values in managed resources through the introduction of write-only arguments. <\/p>\n

Write-only arguments are arguments in a resource that can only be written to, and not read. Similar to ephemeral values, write-only arguments are not stored in Terraform artifacts like the plan or state file. <\/p>\n

This enhancement makes it possible to securely pass secrets, such as a generated password or a fetched token, directly to managed resources without risking exposure in the state file or plan file.<\/p>\n

By extending ephemeral values to managed resources, Terraform 1.11 strengthens the security of workflows involving sensitive data, ensuring your secrets remain secure across input variables and output values, ephemeral resources, and write-only arguments in managed resources.<\/p>\n

Write-only arguments in practice<\/h3>\n

To illustrate this new feature, let\u2019s look at an example. You\u2019re using ephemeral resources and write-only arguments in Terraform to provision an AWS RDS instance and generate a random password with the random provider. In the configuration below, the ephemeral resource random.password generates a random password, which is then passed to the password_wo argument of the managed aws_db_instance resource.<\/p>\n

Write-only arguments are different from other managed resource arguments in several ways: <\/p>\n

They accept ephemeral values.
\nTheir values are never persisted in Terraform\u2019s plan or state files.
\nSince the values of write-only arguments are not persisted, write-only arguments are updated using their version-specific attributes (e.g. value_wo_version). The values of the version-specific attributes get stored in state. To trigger an update of a write-only argument, increment the version argument’s value in your configuration.<\/p>\n

The configuration below ensures that the password remains ephemeral throughout the workflow \u2014 from its generation in the ephemeral resource to its secure use in the RDS instance with the write-only argument \u2014 without being exposed in Terraform’s plan file or state file.<\/p>\n

provider “aws” {
\n region = “eu-west-2”
\n}<\/p>\n

locals {
\n db_password_version = 1
\n}<\/p>\n

ephemeral “random_password” “db_password”{
\n length = 16
\n}<\/p>\n

resource “aws_db_instance” “test” {
\n instance_class = “db.t3.micro”
\n allocated_storage = “5”
\n engine = “postgres”
\n username = “newuser”
\n skip_final_snapshot = true<\/p>\n

# ‘password_wo’ is a write-only argument
\n# ‘password_wo_version’ controls when the password_wo gets updated
\n password_wo = ephemeral.random_password.db_password.result
\n password_wo_version = local.db_password_version
\n}<\/p>\n

Available with Terraform 1.11<\/h3>\n

These are the current write-only arguments supported in the following managed resources:<\/p>\n

AWS<\/h4>\n

aws_db_instance<\/p>\n

Attribute: password_wo<\/p>\n

aws_secretsmanager_secret_version<\/p>\n

Attribute: secret_string_wo<\/p>\n

aws_rds_cluster<\/p>\n

Attribute: master_password_wo<\/p>\n

aws_redshift_cluster<\/p>\n

Attribute: master_password_wo<\/p>\n

aws_redshiftseverless_namespace<\/p>\n

Attribute: admin_user_password_wo<\/p>\n

aws_docdb_cluster<\/p>\n

Attribute: master_password_wo<\/p>\n

aws_ssm_parameter<\/p>\n

Attribute: value_wo<\/p>\n

And more!<\/p>\n

Azure<\/h4>\n

azurerm_mssql_server.administrator<\/p>\n

Attribute: administrator_login_password_wo<\/p>\n

azurerm_mysql_flexible_server<\/p>\n

Attribute: administrator_password_wo<\/p>\n

azurerm_mssql_job_credential<\/p>\n

Attribute:password_wo<\/p>\n

azurerm_postgresql_flexible_server<\/p>\n

Attribute: administrator_password_wo<\/p>\n

azurerm_postgresql_server<\/p>\n

Attribute: administrator_login_password_wo
\n#### Google Cloud<\/p>\n

google_secret_manager_secret_version<\/p>\n

Attribute: secret_data_wo<\/p>\n

google_sql_user<\/p>\n

Attribute: password_wo<\/p>\n

google_bigquery_data_transfer_config<\/p>\n

Attribute: sensitive_params.secret_access_key_wo<\/p>\n

Kubernetes<\/h4>\n

Kubernetes_secret_v1<\/p>\n

Attributes: data_wo, binary_data_wo<\/p>\n

Helm<\/h4>\n

helm_release<\/p>\n

Attributes: set_wo <\/p>\n

Partner spotlight<\/h3>\n

Terraform language features truly solve problems only when our tech partners extend them to their providers. Addressing the \u2018secrets in state\u2019 challenge fully for our mutual users requires every Terraform provider to handle sensitive credentials as ephemeral, short-lived constructs.<\/p>\n

That\u2019s why we\u2019d like to give a massive shoutout to our tech partners, Juniper<\/strong>, Palo Alto Networks<\/strong>, and Fortinet<\/strong> for leading the way! With Juniper\u2019s apstra_api_token<\/a>, Palo Alto Networks\u2019 panos_api_key<\/a> and panos_vm_auth_key<\/a>, and Fortinet\u2019s fortiflexvm_groups_nexttoken<\/a>, these providers offer more secure, temporary credentials that minimize exposure.<\/p>\n

Missed our workshop on implementing ephemeral values in your providers? Watch the recording here<\/a>.<\/p>\n

We encourage our partners to explore implementing ephemeral values in their providers and enhance security across the ecosystem!<\/p>\n

Upgrades to Terraform tests<\/h2>\n

Terraform 1.11 includes other enhancements outlined in the changelog<\/a>, including new features in the test framework:<\/p>\n

Terraform tests have a new state_key attribute for run blocks, allowing test authors control over which internal state file should be used for the current test run. This allows multiple run blocks to target the same infrastructure. For example, you can use a setup module and execute multiple tests on it by utilizing the state_key attribute.
\nTerraform test runs now support using mocked or overridden values during unit test runs (e.g. with command = “plan”). Set override_during = plan in the test configuration to use the overridden values during the plan phase. The default value is override_during = apply.
\nThe -junit-xml CLI flag for the terraform test command is now generally available. This flag allows the command to create a test report in JUnit<\/a> XML format.<\/p>\n

Next steps<\/h2>\n

To get started with HashiCorp Terraform:<\/p>\n

Download Terraform 1.11<\/a>
\nSign up for a free HCP Terraform account<\/a>
\nGet hands-on with the Upgrade RDS major version tutorial<\/a> at HashiCorp Developer<\/a><\/p>\n

As always, this release wouldn\u2019t have been possible without the valuable feedback from the community, including contributions via GitHub issues, HashiCorp Discuss forums, and our customers. Thank you, everyone!<\/p>","protected":false},"excerpt":{"rendered":"

Today, we are announcing the general availability of HashiCorp Terraform 1.11, which is ready for download and immediately available for […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[],"class_list":["post-1785","post","type-post","status-publish","format-standard","hentry","category-terraform"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/1785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=1785"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/1785\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=1785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=1785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=1785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}