Terraform Ephemeral Resources #992
Comments
Hi @grahamneville, thank you for opening this issue. I wasn't familiar with ephemeral resources, so I've spent the last few minutes reading up on them. It looks to me like ephemeral resources work something like data sources (in the sense that they're read-only) and they're not persisted to the terraform state. This gives me the impression that they're not very applicable to the Apstra provider because (with one interesting exception, below) Apstra doesn't provide read access to secrets. Consider the following configuration:

```hcl
# Illustrative configuration: neither resource type exists in the Apstra provider.
# The ephemeral block fetches the secret without writing it to state...
ephemeral "secret_from_vault" "bgp_peer_password" {
  secret_id = "something"
}

# ...but a managed resource that consumes it stores the value in state as usual.
resource "bgp_configuration" "x" {
  neighbor_ip  = "1.1.1.1"
  neighbor_asn = 1
  secret       = ephemeral.secret_from_vault.bgp_peer_password.secret_value
}
```

In this case, it looks to me like the ephemeral resource retrieves the secret from the vault without persisting it to the tf state (yeah!), but the BGP resource does persist it to the tf state. It doesn't look like it's going to solve any current problems that we have. That's my impression anyway. Happy to be corrected on this.

There's another feature being cooked up by our friends at Hashicorp which may improve things a bit: write-only attributes

When that feature becomes available, perhaps the bgp secret (above) or device credentials (Apstra managed_device or agent_profile resources) could sprout username/password attributes in a way that doesn't put the credential at risk by storing it in the state file. We'll definitely be watching that.

The case that jumps out at me as a good use of an ephemeral resource in the Apstra provider is in fetching and making available an API token. Some users want to be able to intersperse some imperative operations (e.g. python scripts) along with their terraform. This kind of thing might be interesting:

```hcl
# Illustrative only: apstra_api_token is not (yet) a resource type in the provider.
ephemeral "apstra_api_token" "x" {
  # no configuration attributes needed
}

resource "terraform_data" "imperative_stuff" {
  provisioner "local-exec" {
    command = format("%s/scripts/something.py", path.module)
    environment = {
      # Provisioner environment values must be strings, so this would reference
      # a string attribute of the ephemeral resource once one is defined.
      API_TOKEN = ephemeral.apstra_api_token.x
    }
  }
}
```

I'm happy to hear more thoughts about what we can/should be doing in this area.
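The comment above argues that an ephemeral resource keeps the vault lookup out of state while the `bgp_configuration` resource that consumes it still writes the secret there. The following script, added as an example and not code from the Apstra provider or the commenters, makes that concrete by scanning a Terraform v4 state document for credential-like attribute values. The state document is constructed inline to match the hypothetical configuration in the comment (resource types `bgp_configuration` and `terraform_data`, a placeholder provider address and a made-up secret value); the attribute-name heuristic is the author's assumption, not a Terraform or Apstra convention.

```python
"""Scan a Terraform state (v4 JSON) for credential-like attribute values.

Constructed example, not Apstra provider code. The sample state is what the
issue's hypothetical bgp_configuration / terraform_data configuration would
leave behind: ephemeral blocks never appear in state, but the BGP resource's
`secret` argument does, stored in clear text.
"""
import json
import re

# Heuristic (assumed) list of attribute names that usually carry credentials.
SENSITIVE_NAME = re.compile(r"(secret|password|passwd|token|api_key|private_key)", re.I)

# Constructed state document in Terraform's v4 layout. Provider addresses and
# the secret value are placeholders.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.10.0",
    "serial": 1,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {},
    "resources": [
        {
            "mode": "managed",
            "type": "bgp_configuration",
            "name": "x",
            "provider": "provider[\"example.com/placeholder/apstra\"]",
            "instances": [{
                "schema_version": 0,
                "attributes": {
                    "neighbor_ip": "1.1.1.1",
                    "neighbor_asn": 1,
                    "secret": "constructed-bgp-password",
                },
                "sensitive_attributes": [],
            }],
        },
        {
            # terraform_data stores only its own attributes; the provisioner's
            # environment map (where the API token was passed) is not recorded.
            "mode": "managed",
            "type": "terraform_data",
            "name": "imperative_stuff",
            "provider": "provider[\"terraform.io/builtin/terraform\"]",
            "instances": [{
                "schema_version": 0,
                "attributes": {"id": "placeholder-id", "input": None,
                               "output": None, "triggers_replace": None},
                "sensitive_attributes": [],
            }],
        },
    ],
})


def _walk(value, path):
    """Yield (dotted_path, leaf) for every scalar leaf in a nested attribute map."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _walk(child, f"{path}[{index}]")
    else:
        yield path, value


def find_credentials_in_state(state_text):
    """Return [(resource_address, attribute_path)] for credential-like leaves.

    A leaf is reported when its attribute name matches SENSITIVE_NAME and it
    holds a non-empty string. Marking an attribute sensitive in a provider
    schema only redacts CLI output; the state file still stores the plaintext,
    so such attributes are reported as well.
    """
    state = json.loads(state_text)
    if state.get("version") != 4:
        raise ValueError(f"unsupported state version {state.get('version')!r}")
    findings = []
    for res in state.get("resources", []):
        prefix = "data." if res.get("mode") == "data" else ""
        address = f"{prefix}{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            for attr_path, leaf in _walk(inst.get("attributes", {}), ""):
                name = attr_path.rsplit(".", 1)[-1]
                if isinstance(leaf, str) and leaf and SENSITIVE_NAME.search(name):
                    findings.append((address, attr_path))
    return findings


def resource_types_in_state(state_text):
    """Resource types present in state; ephemeral blocks are never among them."""
    state = json.loads(state_text)
    return {res["type"] for res in state.get("resources", [])}


if __name__ == "__main__":
    for address, attr in find_credentials_in_state(SAMPLE_STATE):
        print(f"credential-like value stored in state: {address} -> {attr}")
    print("resource types in state:", sorted(resource_types_in_state(SAMPLE_STATE)))
```

Running it against the constructed state reports `bgp_configuration.x -> secret` and lists only the two managed resource types, which is the point of the comment: the `secret_from_vault` and `apstra_api_token` ephemeral blocks leave nothing behind, but anything a managed resource accepts as a plain argument is written to state and has to be treated as part of the secret's storage footprint. The same scan can be pointed at a real `terraform.tfstate` (or the output of `terraform state pull`) as a post-apply check.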
Terraform 1.10 now includes support for ephemeral resources.
I think this will be useful for resources like device login credentials as well as BGP keys and even Configlets where credentials could enter the state file.
Are there plans to incorporate this?
https://mattias.engineer/blog/2024/terraform-ephemeral-resources