
Terraform Ephemeral Resources

12/2/2024

Terraform 1.10 introduced a groundbreaking concept called ephemeral resources. An ephemeral resource is not persisted to the state file. Take a moment to let that sink in!
Ephemeral resources address a long-standing issue: secret values being stored in the state file as plaintext. With ephemeral resources, your secrets are no longer at risk if the state file is compromised. This solution is particularly valuable for enhancing the security of sensitive data.

Initially, only a few providers support ephemeral resources. As of now, these include:
  • Microsoft Azure (azurerm):
    • azurerm_key_vault_secret
    • azurerm_key_vault_certificate
  • Kubernetes (kubernetes):
    • kubernetes_token_request
    • kubernetes_certificate_signing_request
This list is expected to expand over time.

Declaring an Ephemeral Resource

Ephemeral resources introduce a new root-level block in HCL: the ephemeral block. Its syntax resembles a regular resource block:

ephemeral "<resource type>" "<resource name>" {
  # attributes, meta-arguments, nested blocks
}
Similar to normal resources, supported attributes and nested blocks vary based on the resource type.

Using an Ephemeral Resource

Referencing an ephemeral resource is analogous to referencing a data source. Such references use the ephemeral. prefix.
For example:

ephemeral "azurerm_key_vault_secret" "secret" {
  # attributes
}
You can access its attributes using ephemeral.azurerm_key_vault_secret.secret.<attribute>.

Ephemeral resources can only be used in contexts where their values are not stored in the state file. Supported contexts include:
  • Other ephemeral resource blocks
  • Local values
  • Ephemeral variable and output blocks (discussed below)
  • Provider configurations within provider blocks
  • Provisioner and connection blocks in regular resources
These restrictions ensure the security and temporary nature of ephemeral resources. For example, referencing an ephemeral resource in a state-persisted context would defeat its purpose.
When used in local values, ephemeral references implicitly create ephemeral local values. You cannot explicitly declare ephemeral locals; they are only derived through ephemeral references.
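The following is an added example, not code from the post, showing the ephemeral variable and output blocks mentioned above together with an implicitly ephemeral local. It assumes a child module at ./modules/db-config, an existing Key Vault looked up with a data source, and the cyrilgdn/postgresql provider; the secret name "db-password" and the module layout are illustrative.

```hcl
# --- modules/db-config/variables.tf (assumed child module) ---
variable "key_vault_id" {
  type = string
}

variable "secret_name" {
  type = string
}

# --- modules/db-config/main.tf ---
# The secret is opened only while Terraform needs it and is never persisted.
ephemeral "azurerm_key_vault_secret" "db_password" {
  name         = var.secret_name
  key_vault_id = var.key_vault_id
}

locals {
  # Referencing an ephemeral resource makes this local ephemeral implicitly;
  # there is no way (and no need) to mark a local as ephemeral by hand.
  db_password = ephemeral.azurerm_key_vault_secret.db_password.value
}

# Ephemeral outputs are only permitted in child modules, because a root-module
# output would have to be written to state.
output "db_password" {
  value     = local.db_password
  ephemeral = true
  sensitive = true
}

# --- root main.tf ---
# An ephemeral input variable: its value is not recorded in the plan or state.
variable "db_password_override" {
  type      = string
  ephemeral = true
  sensitive = true
  default   = null
}

data "azurerm_key_vault" "main" {
  name                = "<key vault name>"          # placeholder
  resource_group_name = "<resource group name>"     # placeholder
}

module "db_config" {
  source       = "./modules/db-config"
  key_vault_id = data.azurerm_key_vault.main.id
  secret_name  = "db-password"
}

# A provider block is an allowed context for ephemeral values, so the
# password reaches the provider without ever touching the state file.
provider "postgresql" {
  host     = "<postgres endpoint>"
  port     = 5432
  username = "app"
  password = coalesce(var.db_password_override, module.db_config.db_password)
}
```

Passing the override through coalesce() keeps the result ephemeral, since a function applied to an ephemeral value yields an ephemeral value. If you instead tried to reference module.db_config.db_password from a regular resource argument, Terraform would reject the configuration at plan time, which is exactly the check that keeps the secret out of state.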

Example: Using Ephemeral Resources

# Read the secret from AWS Secrets Manager (opened only for the duration of the run)
ephemeral "aws_secretsmanager_secret_version" "secret" {
  secret_id = "<secret id>"
}

locals {
  # Decode the JSON secret value; this local becomes ephemeral implicitly
  credentials = jsondecode(ephemeral.aws_secretsmanager_secret_version.secret.secret_string)
}

# Configure the PostgreSQL provider using the credentials
provider "postgresql" {
  host     = "<postgres endpoint>"
  port     = 5432
  username = local.credentials["username"]
  password = local.credentials["password"]
}
In this example, the ephemeral resource aws_secretsmanager_secret_version retrieves a PostgreSQL database password. The password is JSON-decoded into a local value and used to configure the PostgreSQL provider—all without persisting the sensitive data in the state file.
Supported Meta-Arguments

Ephemeral resources support the following meta-arguments:
  • depends_on: Define explicit dependencies
  • count: Create multiple identical ephemeral resources
  • for_each: Create one ephemeral resource for each value in a set or map
  • provider: Use a provider alias
  • lifecycle: Hook into the resource lifecycle
However, ephemeral resources do not support provisioners, which is in line with best practice anyway, since you should generally avoid provisioners altogether.
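As an added example (not from the post), the for_each, depends_on and provider meta-arguments applied to the Azure Key Vault secret resource listed earlier: one ephemeral block fetches several secrets, a derived ephemeral local turns them into a map, and a provider alias consumes them. It assumes an existing Key Vault found via a data source, secret names "db-username" and "db-password", an azurerm provider alias named "vault", and the cyrilgdn/postgresql provider; all of these are illustrative.

```hcl
locals {
  # Constructed list of secret names for this example.
  db_secret_names = toset(["db-username", "db-password"])
}

data "azurerm_key_vault" "main" {
  provider            = azurerm.vault                 # assumed provider alias
  name                = "<key vault name>"            # placeholder
  resource_group_name = "<resource group name>"       # placeholder
}

# for_each: one ephemeral instance per secret name.
# provider:  read through the aliased azurerm provider.
# depends_on: make the ordering explicit relative to the lookup.
ephemeral "azurerm_key_vault_secret" "db" {
  for_each     = local.db_secret_names
  provider     = azurerm.vault
  name         = each.key
  key_vault_id = data.azurerm_key_vault.main.id

  depends_on = [data.azurerm_key_vault.main]
}

locals {
  # Map of secret name => value. Because it references ephemeral instances,
  # this local is ephemeral and is never written to the state file.
  db = { for name, s in ephemeral.azurerm_key_vault_secret.db : name => s.value }
}

# Provider configuration is a permitted context for ephemeral values.
provider "postgresql" {
  alias    = "app"
  host     = "<postgres endpoint>"
  port     = 5432
  username = local.db["db-username"]
  password = local.db["db-password"]
}
```

Iterating over the ephemeral instances with a for expression is the idiomatic way to fan several secrets into one structure; each instance is opened when its value is first needed and closed once the provider has been configured, so nothing from the map survives the run.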


The Lifecycle of an Ephemeral Resource

Ephemeral resources behave differently from regular resources and data sources. They are opened (or read) when Terraform needs their values and closed when those values are no longer required. The specifics of opening and closing depend on the resource type.
For instance, in HashiCorp Vault, opening a secret means obtaining a lease, and closing it means explicitly ending that lease. Most importantly, ephemeral resources ensure that their values are never stored in the state file.

Summary
Ephemeral resources, variables, and outputs are a powerful addition to Terraform. They eliminate the risk of sensitive values being stored as plaintext in the state file, addressing a long-standing security concern.
While the state file will still contain other sensitive information, such as a complete map of your infrastructure, ephemeral resources significantly reduce its sensitivity. By leveraging these new capabilities, you can build more secure and robust Terraform configurations.
Ephemeral resources mark a significant step forward in Terraform’s evolution, and their adoption is expected to grow rapidly in the coming years.

    Author

    Mohammad Al Rousan is a Microsoft MVP (Azure), Microsoft Certified Solution Expert (MCSE) in Cloud Platform & Azure DevOps & Infrastructure, and an active community blogger and speaker. Al Rousan has over 11 years of professional experience in IT infrastructure and is very passionate about Microsoft technologies and products.