Terraform Ephemeral Values
Jul 13, 2025
Released in Terraform 1.10, there is now a way to pass secrets to your resources without saving them in state.
The nice win is that you can keep all your infrastructure in state without having to encrypt the state file, which HashiCorp does not recommend.
Ephemeral Resources in Action
The actual resource is pretty simple; it plugs in alongside resources you may already know about. The provider just needs to enable the functionality.

```hcl
ephemeral "random_password" "db_password" {
  length           = 16
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

# Or
ephemeral "aws_secretsmanager_secret_version" "db_password" {
  secret_id = aws_secretsmanager_secret_version.db_password.secret_id
}
```

You can't just reference it the way you would a normal value. You have to follow special rules: specifically, use the `_wo` and `_wo_version` argument suffixes, which stand for write-only.
```hcl
resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id                = aws_secretsmanager_secret.db_password.id
  secret_string_wo         = ephemeral.random_password.db_password.result
  secret_string_wo_version = 1
}

resource "aws_db_instance" "example" {
  instance_class = "db.t3.micro"
  ...
  password_wo         = ephemeral.aws_secretsmanager_secret_version.db_password.secret_string
  password_wo_version = aws_secretsmanager_secret_version.db_password.secret_string_wo_version
}
```

By appending `_wo` or `_wo_version` to an existing resource's parameters (given that the provider enables this; had to say it a second time) you can use ephemeral resource functionality.
The `_wo` argument carries the value itself. The `_wo_version` argument holds a version marker: any change to it informs Terraform that the value should be changed, and thus written again.
If you were to run `terraform apply`, everything would proceed as usual, except the operation would not show the secrets, and neither would the state file.
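Putting the pieces together, the following is an added example (not code from the original post) that wires the secret, the write-only version, and the RDS password to a single `rotation_version` variable so that bumping one number rotates both. It assumes the AWS and random providers are at versions that support ephemeral resources and write-only arguments; the resource names and identifiers are made up for illustration.

```hcl
# Bump this number to rotate the password. The number lands in state; the password does not.
variable "rotation_version" {
  type    = number
  default = 1
}

resource "aws_secretsmanager_secret" "db_password" {
  name = "example/db-password" # placeholder name
}

# Generated fresh on every plan and apply; never persisted to state or plan files.
ephemeral "random_password" "db_password" {
  length           = 24
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

# Write-only: the provider sends secret_string_wo to AWS but Terraform keeps it out of state.
# The version attribute is what Terraform tracks, so a bump is the only way to force a rewrite.
resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id                = aws_secretsmanager_secret.db_password.id
  secret_string_wo         = ephemeral.random_password.db_password.result
  secret_string_wo_version = var.rotation_version
}

# Read the stored value back ephemerally instead of reusing random_password.result directly:
# an ephemeral random_password is re-evaluated at apply time, so reading what was actually
# stored guarantees the database receives the same password that Secrets Manager holds.
ephemeral "aws_secretsmanager_secret_version" "db_password" {
  secret_id  = aws_secretsmanager_secret.db_password.id
  version_id = aws_secretsmanager_secret_version.db_password.version_id
}

resource "aws_db_instance" "example" {
  identifier          = "example-db" # placeholder identifier
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password_wo         = ephemeral.aws_secretsmanager_secret_version.db_password.secret_string
  password_wo_version = var.rotation_version
  skip_final_snapshot = true
}
```

After an apply, `terraform state pull` should show the `_wo` attributes as null while the two `_wo_version` attributes carry the current `rotation_version`; that is the check that confirms the secret stayed out of state.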
Gotchas
I have to repeat: the provider for your Terraform resource needs to enable this. For example: https://github.com/hashicorp/terraform-provider-tls/issues/645