Ephemeral inputs are not used in apply step

[erzz]

Problem description

With the introduction of ephemeral inputs in terraform 1.10 we finally have a way to utilise sensitive values such as passwords and keys in a plan without them entering the state file.

However - we discovered they do not quite work when using the apply action.

The action itself performs a plan step followed by an apply step. It seems to me that the value for the ephemeral input is present during the plan step, but then not present during the apply step.

Terraform version

1.10

Backend

gcp

Workflow YAML

- name: Terraform Apply
  uses: dflook/terraform-apply@v1
  id: apply
  with:
    path: terraform
    workspace: production
    backend_config: |
      bucket=${{ secrets.state-bucket }}
    auto_approve: true
    variables: |
      cloudflare_api_token = "${{ secrets.CLOUDFLARE_API_TOKEN }}"    # this input is ephemeral

Workflow log

....<plan output which obviously meant that the ephemeral input was used during plan phase>
Plan: 0 to add, 0 to change, 2 to destroy.
Automatically approving plan
Releasing state lock. This may take a few moments...

Error: No value for required variable

  on variables.tf line 3:
   3: variable "cloudflare_api_token" {

The root module input variable "cloudflare_api_token" is not set, and has no
default value. Use a -var or -var-file command line argument to provide a
value for this variable.

Has debug logging been enabled?

• Yes, the ACTIONS_STEP_DEBUG secret was set to true when capturing the workflow log above. I understand that if I have not done this, I may not recieve a response.

[dflook]

Hi @erzz, thanks for creating an issue. Support for ephemeral input variables has been added in v1.46.0 😄

[erzz]

Absolutely awesome! Keep up the fantastic work!