Ephemerality in resources
Managing infrastructure often requires creating and handling temporary sensitive values, such as passwords, that you may not want Terraform to persist outside of the current operation. Terraform provides two tools for resources to manage data you do not want to store in state or plan files: the ephemeral resource block and ephemeral write-only arguments on specific resources.
Ephemeral resources
Ephemeral resources are Terraform resources that are essentially temporary. Ephemeral resources have a unique lifecycle, and Terraform does not store them in its state. Each ephemeral block describes one or more ephemeral resources, such as a temporary password or connection to another system.
In your configuration, you can only reference an ephemeral block in other ephemeral contexts.
Lifecycle
The lifecycle of an ephemeral resource is different from resources and data sources. When Terraform provisions ephemeral resources, it performs the following steps:
1. If Terraform needs to access the result of an ephemeral resource, it opens that ephemeral resource. For example, if Terraform opens an ephemeral resource for a Vault secret, the Vault provider obtains a lease and returns a secret.
2. If Terraform needs access to the ephemeral resource for longer than the remote system's enforced expiration time, Terraform asks the provider to renew it periodically. For example, if Terraform renews a Vault secret ephemeral resource, the Vault provider then calls Vault's lease renewal API endpoint to extend the expiration time.
3. Once Terraform no longer needs an ephemeral resource, Terraform closes it. This happens after the providers that depend on a certain ephemeral resource complete all of their work for the current Terraform run phase. For example, closing a Vault secret ephemeral resource means the Vault provider explicitly ends the lease, allowing Vault to immediately revoke the associated credentials.
Terraform follows these lifecycle steps for each instance of an ephemeral resource in a given configuration.
Configuration model
To learn more about the ephemeral block, refer to the Ephemeral resource reference.
Write-only arguments
Public Beta: Write-only arguments are in public beta and available in Terraform v1.11 and later. Public beta features and APIs are subject to change.
Terraform resources can include ephemeral arguments, also known as attributes, for data that only needs to exist temporarily. An ephemeral argument on a resource is called a "write-only argument". Write-only arguments can help store generated sensitive data for the current Terraform operation, such as a short-lived password, token, or session identifier.
Write-only arguments are only available during runtime, and Terraform omits them from state and plan files. On a new Terraform operation, a write-only argument always starts as null before Terraform overwrites it with a new value from your configuration.
Write-only arguments are unique among other ephemeral constructs in Terraform because you can assign both ephemeral and non-ephemeral data as the value of a write-only argument.
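The following configuration is an added example, not from the original page, that ties the two constructs together: an ephemeral `random_password` block whose result flows only into the write-only `secret_string_wo` argument of an `aws_secretsmanager_secret_version`, so the generated password is sent to the API but never lands in state or plan. The ephemeral `random_password` resource and the `*_wo` arguments come from the hashicorp/random and hashicorp/aws providers; the version constraints, secret name, and the commented-out counterexample are assumptions made for illustration.

```hcl
terraform {
  required_providers {
    random = {
      source  = "hashicorp/random"
      version = ">= 3.7.0"  # assumed minimum with ephemeral random_password
    }
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.87.0" # assumed minimum with *_wo write-only arguments
    }
  }
}

# Ephemeral resource: opened when its result is needed, closed when the
# dependent providers finish the current phase, never written to state.
ephemeral "random_password" "db_password" {
  length           = 20
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

resource "aws_secretsmanager_secret" "db_password" {
  name = "example/db_password" # assumed secret name
}

# An ephemeral value may only be referenced from an ephemeral context.
# A write-only argument is one: secret_string_wo is delivered to the API
# but omitted from both the plan file and the state file.
resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id        = aws_secretsmanager_secret.db_password.id
  secret_string_wo = ephemeral.random_password.db_password.result

  # Write-only arguments start as null on every run. The *_wo_version
  # companion argument is tracked in state; bump it to make Terraform
  # send a new value on the next apply.
  secret_string_wo_version = 1
}

# Counterexample: a regular argument is a non-ephemeral context, so this
# reference is rejected at plan time instead of leaking into state.
# resource "aws_ssm_parameter" "leaky" {
#   name  = "/example/db_password"
#   type  = "SecureString"
#   value = ephemeral.random_password.db_password.result
# }
```

After `terraform apply`, `terraform show` lists the secret version without the password, and `grep -i secret_string terraform.tfstate` finds only the `secret_string_wo_version` counter, which is the check to run to confirm nothing sensitive persisted.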