In this article, we'll look at the brand new ephemeral resources that you can add to your Terraform configuration. We will explore what they are and what problems they solve, before moving on to some practical example configurations. Let's dive in!
Previously, Terraform would always store sensitive values in the state and plan output files, making them available to read in plain text. Even if you marked your variables as sensitive using the sensitive = true flag, this would only hide the secret from your outputs, and it would still be written to the plan and state files.
The mitigation for this was always to strictly lock down access to the state file using network and authentication controls, and to make sure the storage where the state file is held is encrypted at rest, making it unreadable should it be stolen.
This was not an ideal situation, as the secrets were still committed to the file in plain text, meaning that if the file was compromised, the secret could be obtained and used to access the system in question.
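
To make the problem described above concrete, the following added example (not from the original article) audits a Terraform state document and lists every value that is marked sensitive yet still stored in plain text. The sample state, its resource and output names, and the secret value are constructed, and the sensitive_attributes path layout is assumed from state format version 4.

```python
import json

# Constructed sample shaped like a Terraform state file (format version 4).
# The resource, the output names and the secret value are made up for this example.
SAMPLE_STATE = json.loads("""
{"version": 4,
 "outputs": {
   "db_password": {"value": "S3cr3t-constructed", "type": "string", "sensitive": true},
   "db_host": {"value": "db.internal.example", "type": "string"}},
 "resources": [
   {"mode": "managed", "type": "terraform_data", "name": "db_bootstrap",
    "instances": [
      {"attributes": {"id": "constructed-id", "input": "S3cr3t-constructed"},
       "sensitive_attributes": [[{"type": "get_attr", "value": "input"}]]}]}]}
""")


def resolve(attributes, path):
    """Follow one sensitive_attributes path; return (dotted_path, value) or None."""
    value, keys = attributes, []
    for step in path:
        key = step["value"]
        if isinstance(key, dict):  # index step: {"value": ..., "type": ...}
            key = key["value"]
        try:
            value = value[key]
        except (KeyError, IndexError, TypeError):
            return None
        keys.append(str(key))
    return ".".join(keys), value


def plaintext_secrets(state):
    """Return (address, value) for each sensitive-marked value held in the state."""
    found = []
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") and out.get("value") is not None:
            found.append((f"output.{name}", out["value"]))
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            for path in inst.get("sensitive_attributes") or []:
                hit = resolve(inst.get("attributes") or {}, path)
                if hit and hit[1] is not None:
                    found.append((f"{res['type']}.{res['name']}.{hit[0]}", hit[1]))
    return found


if __name__ == "__main__":
    for address, value in plaintext_secrets(SAMPLE_STATE):
        print(f"{address}: plain text in state ({len(str(value))} chars)")
```

The report prints only the address and length of each finding, so the audit output does not become another copy of the secret.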