Terraform ephemeral secrets, why is it a big thing?

Author

Kevin Duterne

CTO

This post explores how Terraform stores secret values in plaintext within state files, and how the ephemeral values introduced in Terraform 1.10 address that.

Terraform is an Infrastructure-as-Code (IaC) software tool created by HashiCorp. IaC is the process of managing and provisioning cloud providers or data center resources through machine-readable definition files, which enables a more reproducible configuration in cloud environments than using the UI to manage and provision infrastructure.

Terraform enables users to define and provision cloud infrastructure using a declarative configuration language known as HashiCorp Configuration Language (HCL).

The benefits of Terraform and Infrastructure as Code (IaC) are undeniable. However, there has been a longstanding concern about the storage of secret values, in plaintext, within state files. This concern is pertinent because managing infrastructure with Terraform involves handling secrets such as private keys, certificates and API tokens. For example, a data source may fetch a secret and write it to a managed resource’s attribute. Alternatively, a secret such as a random password can be generated by one resource type and then written to another resource type, such as a dedicated secrets manager.

Until now, these secrets have persisted in the plan file or the state file, in plaintext. Thus, any inappropriate access to, or manipulation of, these files would compromise the confidentiality of these secrets. Terraform 1.10 addresses this concern with the introduction of Ephemeral Values.

Ephemeral Values

Ephemeral Values are not stored in any artifact such as the plan file or the state file. They do not remain consistent from plan to apply, or from one plan/apply round to the next. Ephemeral values can appear in the following three forms:

  • Ephemeral input variables and output variables:

    similar to marking a value as sensitive, you can now mark the input variables and output variables as ephemeral. Marking an input variable as ephemeral is useful for data that only needs to exist temporarily, such as a short-lived token or session identifier.
  • Ephemeral resources:

    a new third resource mode alongside managed resource types and data resources. These are declared with ephemeral blocks, which declare that something needs to be created or fetched separately for each Terraform phase, then used to configure some other ephemeral object, and then explicitly closed before the end of the phase.
  • Managed resources’ write-only attribute:

    a new attribute for managed resources, which has a property that can only be written to, not read. Write-only attributes will be available in Terraform 1.11.

This is a leap forward in addressing security concerns. The availability of Ephemeral Values means that when you generate credentials or fetch a token, the related values are not persisted in Terraform artifacts [1].
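The following configuration is an added example written for this post, not code taken from the original article or from HashiCorp, and it exercises all three forms in one flow: an ephemeral resource in the root module reads a database password from AWS Secrets Manager, passes it to a child module through an ephemeral input variable, the child module writes it to a managed resource through a write-only attribute (Terraform 1.11), and exposes it again through an ephemeral output. The secret name, the module layout, the provider version constraint and the `password_wo`/`password_wo_version` attribute names on `aws_db_instance` are assumptions made for this example.

```hcl
# ---------- root module: main.tf ----------
terraform {
  required_version = ">= 1.11.0" # ephemeral blocks need 1.10, write-only attributes need 1.11
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.87" } # assumed minimum shipping both features
  }
}

# Ephemeral resource: opened for the current phase, read, then closed.
# Its secret_string is never written to the plan file or the state file.
ephemeral "aws_secretsmanager_secret_version" "db_master" {
  secret_id = "prod/app/db-master" # constructed secret name
}

# The pre-1.10 pattern this replaces. A data source IS persisted, so the
# plaintext secret_string would land in the state file:
# data "aws_secretsmanager_secret_version" "db_master" {
#   secret_id = "prod/app/db-master"
# }

module "database" {
  source           = "./modules/database"
  password         = ephemeral.aws_secretsmanager_secret_version.db_master.secret_string
  password_version = 1 # bump after rotating the secret so the provider resends it
}

# ---------- modules/database/variables.tf ----------
# Ephemeral input variable: usable during this run only. Passing an ephemeral
# value to a variable that is NOT marked ephemeral is rejected at plan time.
variable "password" {
  type      = string
  ephemeral = true
}

variable "password_version" {
  type = number
}

# ---------- modules/database/main.tf ----------
# Write-only attribute: the provider sends password_wo to the RDS API, but
# Terraform stores only password_wo_version in state, which is how it later
# detects that the value must be sent again.
resource "aws_db_instance" "app" {
  identifier          = "app-db"
  engine              = "postgres"
  instance_class      = "db.t4g.micro"
  allocated_storage   = 20
  username            = "app"
  password_wo         = var.password
  password_wo_version = var.password_version
  skip_final_snapshot = true
}

# Assigning the same value to the ordinary `password` attribute would fail
# with "Ephemeral value not allowed", because that attribute is persisted.

# ---------- modules/database/outputs.tf ----------
# Ephemeral output: the calling module can read it during the run, and it is
# never recorded in the state file.
output "password" {
  value     = var.password
  ephemeral = true
}
```

Running `terraform show` after an apply of this configuration shows the `aws_db_instance` entry with its `password_wo_version` but no password, and no entry at all for the `ephemeral` block; that absence is the whole point of the feature.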

Key Security Improvements

Regarding concerns over the storage of secret values in Terraform, the introduction of Ephemeral Values brings the following improvements:

Ephemeral resources are not persisted to the state file. This effectively eliminates the risk of exposing the secrets they carry if the state file is compromised [1]. This is crucial for maintaining the confidentiality of secrets such as database passwords, API keys, and other sensitive credentials.

Initially, ephemeral resources are available for select providers, including AWS, Azure, Google Cloud Platform, and Kubernetes [1]. These cover critical security-related resources such as:

  • AWS Secrets Manager secret versions 
  • Azure Key Vault secrets and certificates 
  • Google Cloud service account tokens and keys 
  • Kubernetes token requests and certificate signing requests 

Ephemeral resources can be used in various contexts, without compromising security. These include:

  • Within other ephemeral resource blocks 
  • In local values 
  • In ephemeral variable and output blocks 
  • For configuring providers 
  • In provisioner and connection blocks of normal resources [1] 
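The configuration below is an added example, not code from the original post, and it walks through three of the contexts listed above with Azure Key Vault as the secret source: an ephemeral resource feeding a local value, that local value configuring a provider (the community `cyrilgdn/postgresql` provider), and a second ephemeral resource supplying the private key for the `connection` block of a normal resource. The Key Vault ID, secret names, host names, IP address and version constraints are constructed placeholders, and the `value` attribute of the ephemeral `azurerm_key_vault_secret` is assumed to mirror the data source of the same name.

```hcl
terraform {
  required_version = ">= 1.10.0"
  required_providers {
    azurerm    = { source = "hashicorp/azurerm", version = ">= 4.15" } # assumed: release with ephemeral Key Vault resources
    postgresql = { source = "cyrilgdn/postgresql", version = ">= 1.22" }
  }
}

provider "azurerm" {
  features {}
}

# Constructed placeholder for the vault's resource ID.
locals {
  key_vault_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.KeyVault/vaults/kv-example"
}

# Both secrets are fetched at run time and closed at the end of each phase;
# neither value is written to the plan file or the state file.
ephemeral "azurerm_key_vault_secret" "db_admin_password" {
  name         = "db-admin-password"
  key_vault_id = local.key_vault_id
}

ephemeral "azurerm_key_vault_secret" "bastion_ssh_key" {
  name         = "bastion-ssh-private-key"
  key_vault_id = local.key_vault_id
}

# Context: local values. A local derived from an ephemeral value is itself
# ephemeral and inherits the same restrictions on where it may be used.
locals {
  db_admin_password = ephemeral.azurerm_key_vault_secret.db_admin_password.value
}

# Context: provider configuration. Provider arguments were never stored in
# state, but before 1.10 fetching the password without hardcoding it meant a
# data source, and the data source's result was persisted.
provider "postgresql" {
  host     = "db-example.postgres.database.azure.com" # constructed host name
  port     = 5432
  username = "dbadmin"
  password = local.db_admin_password
  sslmode  = "require"
}

resource "postgresql_database" "app" {
  name = "app"
}

# Context: connection and provisioner blocks of a normal resource. The key is
# used to open the SSH session and is not part of this resource's state entry.
resource "terraform_data" "bastion_bootstrap" {
  connection {
    type        = "ssh"
    host        = "203.0.113.10" # documentation (TEST-NET-3) placeholder address
    user        = "azureuser"
    private_key = ephemeral.azurerm_key_vault_secret.bastion_ssh_key.value
  }

  provisioner "remote-exec" {
    inline = ["sudo systemctl restart fail2ban"]
  }
}
```

Note what is still persisted here: the `postgresql_database` and `terraform_data` resources appear in state as usual, with their non-secret attributes. Only the two secret values stay out of it.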

Implementation and Best Practices

Declaring Ephemeral Resources

Ephemeral resources are defined by using a new `ephemeral` block in HCL. This is similar to regular resource blocks [1]. The ephemeral block enables easy integration into existing Terraform configurations.

  • Ephemeral Variables and Outputs:

    the introduction of ephemeral variables and outputs further enhances security by ensuring that sensitive data is not persisted in the state file, even when passed between modules [1].
  • Lifecycle Management:

    ephemeral resources have a unique lifecycle where they are opened when needed and closed when no longer required [1]. This dynamic approach minimizes the exposure window of sensitive data.

Security Implications and Recommendations

  • State File Protection:

    while ephemeral resources significantly reduce risk, state files still contain a sensitive mapping of the infrastructure (every managed resource and its attributes) and must continue to be protected [1].
  • Audit and Review:

    teams must audit their Terraform configurations to identify opportunities to replace sensitive regular resources with ephemeral alternatives.
  • Gradual Adoption:

    as support for ephemeral resources expands, organizations should plan for gradual adoption in their Terraform stacks, prioritizing the most sensitive data first.
  • Training and Awareness:

    DevOps and security teams should be trained on the proper use of ephemeral resources to maximize security benefits.
  • Compliance Alignment:

    utilizing ephemeral resources can help organizations better align with data protection regulations and security best practices.
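As an added example for the state file protection and audit points above (not configuration from the original post), the following block shows a hardened remote backend next to the distinction that an audit most often has to make: a variable marked `sensitive` is only redacted in CLI output and is still written to state in plaintext, whereas a variable marked `ephemeral` never reaches the plan or state at all. The bucket name, state key, region and KMS alias are constructed placeholders.

```hcl
terraform {
  required_version = ">= 1.10.0"

  # The state still maps every resource, so it is encrypted at rest with a
  # customer-managed key (IAM can then scope who may decrypt it) and locked.
  backend "s3" {
    bucket       = "example-tfstate"              # constructed bucket name
    key          = "prod/app/terraform.tfstate"   # constructed state key
    region       = "eu-west-1"
    encrypt      = true                           # server-side encryption of the state object
    kms_key_id   = "alias/terraform-state"        # constructed CMK alias
    use_lockfile = true                           # Terraform 1.10 native S3 locking, no DynamoDB table needed
  }
}

# Weak: `sensitive` hides the value in `terraform plan`/`apply` output and in
# `terraform output`, but the raw state file still contains it in plaintext.
variable "legacy_api_key" {
  type      = string
  sensitive = true
}

output "legacy_api_key" {
  value     = var.legacy_api_key
  sensitive = true # redacted on the CLI, readable by anyone who can download the state
}

# Corrected: `ephemeral` keeps the value out of the plan and state entirely.
# It may only be used in ephemeral-safe places (other ephemeral blocks, locals,
# provider configuration, provisioner/connection blocks, ephemeral outputs of
# child modules, and write-only attributes from Terraform 1.11 onwards); any
# other use is rejected at plan time rather than silently persisted.
variable "api_key" {
  type      = string
  ephemeral = true
}
```

A practical audit step that follows from this: for each `sensitive = true` variable or output in an existing stack, check whether it could instead be ephemeral, which is possible whenever its only consumers are in the list above.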

Examples of ephemeral resources available in different cloud providers:

AWS offers the following ephemeral resources: 

  • `aws_secretsmanager_secret_version`: Retrieves a secret value from AWS Secrets Manager 
  • `aws_lambda_invocation`: Invokes an AWS Lambda function 
  • `aws_kms_secrets`: Decrypts secrets using AWS Key Management Service 

Azure provides these ephemeral resources: 

  • `azurerm_key_vault_secret`: Fetches a secret from Azure Key Vault 
  • `azurerm_key_vault_certificate`: Retrieves a certificate from Azure Key Vault 

Google Cloud will support the following ephemeral resources: 

  • `google_service_account_access_token`: Generates a short-lived access token for a service account 
  • `google_service_account_id_token`: Creates an OpenID Connect ID token for a service account 

Kubernetes offers these ephemeral resources: 

  • `kubernetes_token_request`: Requests a token for authenticating to the Kubernetes API 
  • `kubernetes_certificate_signing_request`: Generates a certificate signing request 

These ephemeral resources allow developers to securely handle sensitive data like credentials and secrets without persisting them in Terraform state files, significantly enhancing security in infrastructure-as-code practices [1][4][5].

In conclusion, the introduction of ephemeral resources in Terraform 1.10 marks a significant leap forward in securing infrastructure-as-code practices. By implementing this feature in Terraform stacks that handle sensitive data, organizations can substantially reduce the risk of secret exposure and enhance their overall security posture in cloud and infrastructure management.


Sources:

[1] Ephemeral Environments in Cloud Infrastructure: Use Cases and … https://www.withcoherence.com/articles/ephemeral-environments-in-cloud-infrastructure-use-cases-and-benefits 

[2] Exploring Ephemeral Resources | Terraform Tuesdays – YouTube https://www.youtube.com/watch?v=JnXEiWA1TE0 

[3] Kubernetes Resource Management: A Practical Guide | Spot.io https://spot.io/resources/kubernetes-architecture/kubernetes-resource-management-a-practical-guide/ 

[4] Terraform Ephemeral Resources – mattias.engineer https://mattias.engineer/blog/2024/terraform-ephemeral-resources/ 

[5] Terraform 1.10 improves handling secrets in state with ephemeral … https://www.hashicorp.com/blog/terraform-1-10-improves-handling-secrets-in-state-with-ephemeral-values 

[6] Ephemeral resource configuration reference | Terraform https://developer.hashicorp.com/terraform/language/resources/ephemeral 

[7] Automating Ephemeral Environments with Kubernetes: A Quick Guide https://www.qovery.com/blog/automating-ephemeral-environments-with-kubernetes-a-quick-guide/ 

[8] Plugin Development – Framework: Ephemeral Resources | Terraform https://developer.hashicorp.com/terraform/plugin/framework/ephemeral-resources 

[9] Acceptance Testing: Ephemeral Resources | Terraform https://developer.hashicorp.com/terraform/plugin/testing/acceptance-tests/ephemeral-resources 

[10] Use ephemeral resources in the Google Cloud provider | Guides https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/using_ephemeral_resources