How to stop secrets from ending up in your state file!

In this article, we will examine the brand new ephemeral resources that you can add to your Terraform configuration. We will explore what they are and what problems they solve before moving on to some practical example configurations. Let’s dive in!
Previously, Terraform would always store sensitive values in the state and plan output files, making them available to read in plain text. Even if you marked your variables as sensitive using the sensitive = true flag, this would only hide the secret from your outputs; the value would still be written to the plan and state files.
The mitigation was always to strictly lock down access to the state file using network and authentication controls, and to make sure the storage where the state file is held is encrypted at rest, making it unreadable should it be stolen.
This was not an ideal situation as the secrets were still committed to the file in plain text, meaning if the file was compromised, the secret could be obtained and used to access the system in question.
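
To see the problem described above in your own environment, the following check lists every value that Terraform marks as sensitive but still stores readably in a state file. It is an added example, not code from this article or from Terraform itself; the sample state is constructed and assumes the state version 4 JSON layout. It reports only the address and length of each value, never the value.

```python
import json

# Constructed sample in the Terraform state v4 layout (not a real state file).
# The "db_password" output was declared with sensitive = true.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "outputs": {
        "db_password": {"value": "example-Passw0rd", "type": "string", "sensitive": True},
        "db_host": {"value": "db.example.internal", "type": "string"},
    },
    "resources": [{
        "mode": "managed", "type": "random_password", "name": "db",
        "instances": [{
            "attributes": {"length": 16, "result": "example-Passw0rd"},
            "sensitive_attributes": [[{"type": "get_attr", "value": "result"}]],
        }],
    }],
})

def plaintext_sensitive_values(state_json):
    """Return (address, length) for every sensitive value readable in state."""
    state = json.loads(state_json)
    findings = []
    # Outputs flagged sensitive are hidden on the CLI but kept in the file.
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") and out.get("value") is not None:
            findings.append((f"output.{name}", len(str(out["value"]))))
    # Resource attributes flagged sensitive sit next to their plain-text value.
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for path in inst.get("sensitive_attributes", []):
                # Only top-level get_attr paths are resolved in this example.
                if len(path) == 1 and path[0].get("type") == "get_attr":
                    key = path[0]["value"]
                    if attrs.get(key) is not None:
                        addr = f'{res["type"]}.{res["name"]}.{key}'
                        findings.append((addr, len(str(attrs[key]))))
    return findings

if __name__ == "__main__":
    for address, length in plaintext_sensitive_values(SAMPLE_STATE):
        print(f"{address}: {length} characters stored in plain text")
```

Running it against the sample reports both the sensitive output and the generated password, which shows that the sensitive flag changes what is displayed, not what is stored.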