List of Ephemeral Resources released by Top Terraform Providers

Introduction

This guide provides an overview of ephemeral resources in Terraform and lists the resources currently available from top Terraform providers.

Note: Ephemeral resources are available in Terraform v1.10.0 and later.

Key Concepts

Ephemeral Resources

An ephemeral resource is a temporary resource with the following characteristics:

• It is newly read during each phase of Terraform evaluation.
• It is never stored in the Terraform state file.
• It always produces ephemeral values.

Ephemeral Values

An ephemeral value is a temporary value used during a Terraform run.

• Input variables and outputs can be defined as ephemeral.
• These values are not stored in the state file.
• Not all resources support ephemeral values as inputs. Refer to your provider's documentation for compatibility.

The ephemeralasnull Function

The ephemeralasnull function takes a value of any type and returns a similar value of the same type, but with any ephemeral values replaced with non-ephemeral null values. All non-ephemeral values are preserved. You can use this function to remove ephemerality from a value by setting it to null, as there is currently no way to reverse ephemerality directly.

Example Configuration

This configuration uses an ephemeral resource to get information about an existing Azure Key Vault Secret. The secret must already exist in Azure. For more information, refer to the documentation for the ephemeral azurerm_key_vault_secret.

terraform {
  ## ...
}

provider "azurerm" {
  features {
    key_vault {
      purge_soft_deleted_secrets_on_destroy = true
      recover_soft_deleted_secrets          = true
    }
  }
}

data "azurerm_client_config" "current" {}

variable "name" {}

resource "azurerm_resource_group" "example" {
  ## ...
}

## This data will be stored in state.
data "azurerm_key_vault" "example" {
  name                = var.name
  resource_group_name = azurerm_resource_group.example.name
}

## Use this to access information about an EXISTING Key Vault Secret.
## No data is stored in state.
ephemeral "azurerm_key_vault_secret" "example" {
  name         = var.name
  key_vault_id = data.azurerm_key_vault.example.id
}

Supported Ephemeral Resources by Provider

Provider teams announce newly released ephemeral resources in their CHANGELOG.md file, such as the one for the Terraform Kubernetes Provider. You can also find ephemeral resources listed in the provider's documentation, for example, Ephemeral: aws_kms_secrets.

AWS

• v5.85.0
  • aws_secretsmanager_random_password
• v5.84.0
  • aws_eks_cluster_auth
• v5.83.0
  • aws_cognito_identity_openid_token_for_developer_identity
• v5.81.0
  • aws_ssm_parameter
• v5.77.0
  • aws_kms_secrets
  • aws_lambda_invocation
  • aws_secretsmanager_secret_version

AzureRM

• v4.11.0
  • azurerm_key_vault_certificate
  • azurerm_key_vault_secret

Google and Google-beta

• v6.23.0
  • google_sql_user resource supports password_wo (write-only argument)
  • google_bigquery_data_transfer_config supports secret_access_key_wo
  • google_secret_manager_secret_version supports secret_data_wo and payload.secret_data_wo
• v6.13.0
  • google_service_account_access_token
  • google_service_account_id_token
  • google_service_account_jwt
  • google_service_account_key

Kubernetes

• v2.34.0
  • kubernetes_certificate_signing_request_v1
  • kubernetes_token_request_v1