
Managing infrastructure securely has always been a top priority for DevOps teams, and HashiCorp Terraform continues to lead the way in simplifying secure workflows. With the release of Terraform 1.10, we’re excited to introduce ephemeral values—a groundbreaking feature designed to improve how secrets are handled during infrastructure provisioning. This update ensures that sensitive data, such as API tokens, private keys, and passwords, is no longer persisted in Terraform’s state or plan files, significantly reducing the risk of exposure.
In this blog post, we’ll explore what ephemeral values are, how they work, and why they’re a game-changer for secure infrastructure management. We’ll also walk through practical examples and discuss other key improvements in Terraform 1.10.
Why Secure Secrets Handling Matters
Secrets like database credentials, API tokens, and encryption keys are essential components of modern infrastructure. However, managing these secrets securely can be challenging. Traditionally, Terraform stored such secrets in plaintext within its state file or plan file, which posed a security risk if unauthorized users gained access to these artifacts.
To address this issue, Terraform 1.10 introduces ephemeral values, ensuring that sensitive information is never persisted in any Terraform artifact. This enhancement provides an additional layer of security, making it easier for teams to comply with regulatory requirements and best practices for secret management.
What Are Ephemeral Values?
Ephemeral values are temporary constructs that exist only during a specific Terraform phase (e.g., planning or applying) and are not stored in any persistent artifact. They are ideal for handling sensitive data that doesn’t need to persist beyond its immediate use case. Here’s how ephemeral values are implemented in Terraform 1.10:
1. Ephemeral Input and Output Variables
You can now mark input and output variables as ephemeral. These variables are treated as transient and are not written to the state or plan files. For example:

```hcl
variable "api_token" {
  type      = string
  ephemeral = true
}
```
This is particularly useful for short-lived tokens, session identifiers, or one-time credentials.
2. Ephemeral Resources
Ephemeral resources are a new resource mode introduced alongside managed resources and data sources. Declared using ephemeral blocks, these resources are created or fetched during each Terraform phase and explicitly closed before the phase ends. For instance:

```hcl
ephemeral "aws_secretsmanager_secret_version" "db_master" {
  secret_id = "arn:aws:secretsmanager:region:account-id:secret:example-secret"
}
```
Ephemeral resources ensure that sensitive data, such as secrets fetched from AWS Secrets Manager, are used temporarily and securely.
3. Write-Only Attributes for Managed Resources
Coming in Terraform 1.11, write-only attributes will allow you to define properties in managed resources that can only be written to, not read. This feature complements ephemeral values by further securing sensitive configurations.
How Ephemeral Values Work in Practice
Let’s take a look at a real-world example to understand how ephemeral values enhance security. In this scenario, we’ll fetch a database secret from AWS Secrets Manager and use it to configure a PostgreSQL provider.
Before Terraform 1.10
Previously, you might have used a data source to fetch the secret:
```hcl
data "aws_secretsmanager_secret_version" "db_master" {
  secret_id = "arn:aws:secretsmanager:region:account-id:secret:example-secret"
}

provider "postgresql" {
  username = jsondecode(data.aws_secretsmanager_secret_version.db_master.secret_string)["username"]
  password = jsondecode(data.aws_secretsmanager_secret_version.db_master.secret_string)["password"]
}
```
The problem? The data source's secret_string was written in plaintext to both the plan and state files, so anyone who could read those artifacts could read the database credentials.
With Terraform 1.10
Using ephemeral resources, the secret is fetched securely and never persisted:
```hcl
ephemeral "aws_secretsmanager_secret_version" "db_master" {
  secret_id = "arn:aws:secretsmanager:region:account-id:secret:example-secret"
}

locals {
  credentials = jsondecode(ephemeral.aws_secretsmanager_secret_version.db_master.secret_string)
}

provider "postgresql" {
  username = local.credentials["username"]
  password = local.credentials["password"]
}
```
With this approach, the secret remains ephemeral: a local derived from an ephemeral resource is itself ephemeral, it is used only during the current Terraform phase, and it is discarded afterward. Ephemeral values can only flow into other ephemeral contexts, such as provider configuration, provisioner and connection blocks, and ephemeral variables and outputs; referencing one from a managed resource argument is an error until the write-only attributes planned for Terraform 1.11 arrive.
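One way to confirm the difference between the two configurations above is to audit the state file itself. The following is an added example, not code from the post or from HashiCorp: it scans a raw terraform.tfstate (state version 4) for attributes that hold secret material, using constructed before/after state documents and an attribute list that is an assumption you would extend for your own providers.

```python
# Attribute names that hold secret material in the providers the post lists
# (assumption: extend this tuple for your own providers and resources).
SECRET_ATTRS = ("secret_string", "secret_binary", "value", "token", "private_key")


def find_persisted_secrets(state: dict) -> list[str]:
    """Return 'address.attribute' for every instance that persists a secret.

    Reads the raw terraform.tfstate layout (state version 4). Ephemeral
    resources never reach this file, so only data sources and managed
    resources can be reported.
    """
    findings = []
    for res in state.get("resources", []):
        prefix = "data." if res.get("mode") == "data" else ""
        address = f"{prefix}{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for name in SECRET_ATTRS:
                # A "sensitive" marking only redacts CLI output; the value is
                # still plaintext in the file, so it is flagged regardless.
                if attrs.get(name) not in (None, ""):
                    findings.append(f"{address}.{name}")
    return findings


# Constructed state written by the "Before Terraform 1.10" configuration:
# the data source's secret_string lands in state in full.
BEFORE_STATE = {
    "version": 4, "terraform_version": "1.9.8",
    "resources": [{
        "mode": "data", "type": "aws_secretsmanager_secret_version",
        "name": "db_master",
        "instances": [{"attributes": {
            "secret_id": "arn:aws:secretsmanager:region:account-id:secret:example-secret",
            "secret_string": '{"username": "app", "password": "constructed-pw"}',
        }}],
    }],
}

# Constructed state for the ephemeral version: the provider was configured
# with the credentials, but no trace of the lookup is persisted.
AFTER_STATE = {"version": 4, "terraform_version": "1.10.0", "resources": []}

if __name__ == "__main__":
    for label, state in (("before", BEFORE_STATE), ("after", AFTER_STATE)):
        print(label, find_persisted_secrets(state) or "no persisted secrets")
```

To run it against a real backend, load the output of `terraform state pull` with `json.load` and pass the resulting dict to `find_persisted_secrets`.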
Supported Providers and Resources
Ephemeral resources are already available for several popular providers, including:
- AWS: aws_secretsmanager_secret_version, aws_lambda_invocation
- Azure: azurerm_key_vault_secret, azurerm_key_vault_certificate
- Kubernetes: kubernetes_token_request, kubernetes_certificate_signing_request
Additionally, support for Google Cloud Platform (GCP) will be available soon, with ephemeral resources like:
- google_service_account_access_token
- google_service_account_id_token
- google_service_account_jwt
- google_service_account_key
These integrations make it easier than ever to manage secrets securely across multiple cloud platforms.
Other Improvements in Terraform 1.10
In addition to ephemeral values, Terraform 1.10 includes several performance enhancements and usability improvements:
1. Performance Optimizations
The latest release refactors how Terraform handles plan changes, reducing redundant decoding of resource states. This optimization improves the speed of plan and apply operations, especially when working with large infrastructures.
2. New Functions
Two new functions have been added:
- ephemeralasnull: Returns a copy of a value with its ephemeral parts replaced by null, so the result can be referenced outside the ephemeral scope the original was confined to.
- terraform.applying: Indicates whether Terraform is currently in the apply phase, which lets you vary ephemeral configuration (for example, which credentials a provider uses) between plan and apply.
These functions provide greater flexibility and control over ephemeral workflows.
Getting Started with Terraform 1.10
Ready to upgrade and take advantage of ephemeral values? Here’s how you can get started:
- Download Terraform 1.10: Visit the official download page to install the latest version.
- Explore Documentation: Check out the upgrade guide for detailed instructions on migrating to Terraform 1.10.
- Try Hands-On Tutorials: Dive into interactive tutorials on HashiCorp Developer.
Final Thoughts
Terraform 1.10 marks a significant step forward in secure infrastructure management. By introducing ephemeral values, HashiCorp has addressed a critical pain point for DevOps teams, ensuring that sensitive data is handled securely without compromising usability.
Whether you’re generating temporary credentials, fetching secrets, or setting up ephemeral network tunnels, this update empowers you to build and manage infrastructure with confidence. As always, HashiCorp remains committed to listening to community feedback, so don’t hesitate to share your thoughts and suggestions!
Upgrade to Terraform 1.10 today and experience the future of secure infrastructure automation.