Ephemerality in Terraform
Gist by bschaatsbergen, last active March 4, 2025 21:31
```hcl
provider "aws" {
  region = "us-west-2"
}

# Ephemeral resource: the generated password exists only for the duration of
# the plan/apply and is never written to the state file.
ephemeral "random_password" "db_password" {
  length = 16
}

resource "aws_secretsmanager_secret" "db_password" {
  name = "db-password"
}

resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id = aws_secretsmanager_secret.db_password.id
  # Write-only argument (_wo): consumed at apply time, persisted as null in state.
  secret_string_wo         = ephemeral.random_password.db_password.result
  # Bump this number to force a new secret version to be written.
  secret_string_wo_version = 1
}

# Read the current (AWSCURRENT) secret version back ephemerally. Referencing the
# managed secret version above orders this read after that version is created.
ephemeral "aws_secretsmanager_secret_version" "db_password" {
  secret_id = aws_secretsmanager_secret_version.db_password.secret_id
}

resource "aws_db_instance" "example" {
  instance_class      = "db.t3.micro"
  allocated_storage   = "5"
  engine              = "postgres"
  username            = "example"
  skip_final_snapshot = true
  # Write-only password sourced from the ephemeral read; it is re-sent whenever
  # the secret version number changes.
  password_wo         = ephemeral.aws_secretsmanager_secret_version.db_password.secret_string
  password_wo_version = aws_secretsmanager_secret_version.db_password.secret_string_wo_version
}
```
Thank you for catching the outdated reference, @ktham, and ++ for finding the updated documentation improvement I had submitted! I noticed I had shown you the plan and apply output of the correct example, but the Gist did not match that. Thanks again!
This is what the dependency graph should look like, using:

```hcl
ephemeral "aws_secretsmanager_secret_version" "db_master" {
  secret_id = aws_secretsmanager_secret_version.db_password.secret_id
}
```
Actually, I will retract my last comment; I realized that the code in your Gist is actually an old version of your code.
I see that in hashicorp/terraform#36605, instead of
you have
This resolves the "timing" concern I mentioned above with respect to when the ephemeral resource attempts to read the value for a secret version, and which version to read (which is whatever `AWSCURRENT` is pointing to after TF creates/re-creates the `aws_secretsmanager_secret_version` resource). I have one suggestion to make it more explicit and clear in https://github.com/hashicorp/terraform/pull/36605/files#r1980138389
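The whole point of the ephemeral resources and write-only (`_wo`) arguments in the gist above is that the generated password reaches Secrets Manager and RDS without ever being persisted in the Terraform state. A practitioner would want to verify that after an apply. The following is an added example, not code from the gist or from Terraform itself: it parses a document in the shape of `terraform show -json` output and reports any write-only argument that is not null, or any known secret string that appears anywhere in the persisted values. The `SAMPLE_STATE` document is constructed for illustration (the ARN and values are placeholders), and the `WRITE_ONLY_ARGS` table is an assumption listing only the two write-only arguments used in the gist; extend it for other resource types.

```python
import json
from typing import Any, Iterable, Iterator

# Constructed sample in the shape of `terraform show -json` output after
# applying the gist's configuration. Illustrative only, not captured output.
# Note that the ephemeral blocks do not appear at all, and the _wo arguments
# are persisted as null.
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [
        {"address": "aws_secretsmanager_secret.db_password",
         "type": "aws_secretsmanager_secret",
         "values": {"name": "db-password",
                    "id": "arn:aws:secretsmanager:us-west-2:000000000000:secret:db-password-PLACEHOLDER"}},
        {"address": "aws_secretsmanager_secret_version.db_password",
         "type": "aws_secretsmanager_secret_version",
         "values": {"secret_id": "arn:aws:secretsmanager:us-west-2:000000000000:secret:db-password-PLACEHOLDER",
                    "secret_string_wo": None, "secret_string_wo_version": 1,
                    "version_stages": ["AWSCURRENT"]}},
        {"address": "aws_db_instance.example",
         "type": "aws_db_instance",
         "values": {"engine": "postgres", "username": "example",
                    "password_wo": None, "password_wo_version": 1}},
    ]}},
})

# Assumed table of write-only arguments per resource type, taken from the gist's
# configuration. Each one must read as null in state after apply.
WRITE_ONLY_ARGS: dict[str, tuple[str, ...]] = {
    "aws_secretsmanager_secret_version": ("secret_string_wo",),
    "aws_db_instance": ("password_wo",),
}


def _walk_resources(module: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield every resource in a module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_resources(child)


def _walk_strings(value: Any) -> Iterator[str]:
    """Yield every string nested anywhere inside a resource's values."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _walk_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _walk_strings(v)


def find_state_leaks(state_json: str, known_secrets: Iterable[str] = ()) -> list[str]:
    """Return a list of findings; an empty list means no write-only value and
    none of the known secret strings were persisted in state."""
    known = set(known_secrets)
    state = json.loads(state_json)
    findings: list[str] = []
    for res in _walk_resources(state.get("values", {}).get("root_module", {})):
        values = res.get("values") or {}
        for arg in WRITE_ONLY_ARGS.get(res.get("type", ""), ()):
            if values.get(arg) is not None:
                findings.append(f"{res['address']}: write-only argument {arg} is populated in state")
        if any(s in known for s in _walk_strings(values)):
            findings.append(f"{res['address']}: known secret plaintext found in state")
    return findings


def tampered_state() -> str:
    """Constructed negative case: the same state with the DB password persisted,
    which is what a non-write-only `password` argument would produce."""
    state = json.loads(SAMPLE_STATE)
    db_values = state["values"]["root_module"]["resources"][2]["values"]
    db_values["password_wo"] = "Hunter2-Example!"  # constructed placeholder secret
    return json.dumps(state)


if __name__ == "__main__":
    import sys
    # Pass a file produced by `terraform show -json > state.json` to scan real output.
    doc = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    print(find_state_leaks(doc) or "no leaks found")
```

The `known_secrets` parameter is for a CI job that has access to the value it expects to be absent (for example the password it just rotated through Secrets Manager); the write-only check alone needs no secret at all and is the one to wire into a post-apply pipeline step.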