Terraform Ephemeral Resources: Keep Secrets Out of State in Terraform 1.10+
Terraform 1.10 introduced ephemeral resources, and the feature matters for one reason above all others: it gives Terraform a way to work with temporary or sensitive data without persisting that data into plan or state artifacts. If you have ever looked at a state file and felt mildly sick about what ended up in there, this feature is aimed at you.
That does not make it a general replacement for data sources or variables. It is narrower than that. That is exactly why it is useful.
What “ephemeral” means in Terraform terms
HashiCorp’s definition is pretty direct. Ephemeral resources reference external data, but Terraform guarantees that the resulting data is not persisted in plan or state artifacts. The produced values can only be referenced in specific ephemeral contexts. If you try to use them where Terraform expects persistent values, Terraform throws an error.
That constraint is not annoying boilerplate. It is the whole point.
Why this exists
Teams wanted something in between:
- ordinary variables, which are easy but often end up persisted indirectly
- data sources, which are dynamic but still part of the normal plan/state model
- provisioner hacks, which are awkward and usually worse
Ephemeral resources solve the “I need this value during execution, but I do not want Terraform to keep it” problem.
The real use cases
| Use case | Why ephemeral resources fit |
|---|---|
| Temporary credentials | Useful during apply, dangerous in state |
| Short-lived passwords or tokens | Need execution-time access, not persistence |
| External session material in CI/CD | Sensitive and short-lived |
| Just-in-time connections to outside systems | Execution-scoped by nature |
That last one is especially important in pipeline environments. CI runners are already short-lived. It makes little sense to carefully use temporary credentials and then persist their outputs into Terraform artifacts anyway.
What they do not replace
Ephemeral resources do not replace normal data sources. If the value is safe and useful to persist as part of Terraform’s normal model, a regular data source is still the right answer.
They also do not replace state design. If your module structure is sloppy or your outputs expose too much sensitive information, ephemeral resources will not save you from that.
Think of the comparison like this:
| Need | Best fit |
|---|---|
| Persistent queried infrastructure metadata | Data source |
| Lifecycle-aware helper resource | terraform_data |
| Temporary sensitive execution-time value | Ephemeral resource |
That middle category matters because teams often try to force one construct to solve all three problems. Terraform is more readable when each construct keeps a narrower job.
The main gotcha
The biggest gotcha is that ephemeral values can only flow through specific contexts. That is by design. If you are expecting to grab one and sprinkle it through the configuration like any normal value, Terraform will push back.
In other words, this feature makes secret handling safer partly by making it less convenient. That is a reasonable trade.
The second gotcha is versioning. Ephemeral resources are supported in Terraform 1.10 and later. If your team still supports older versions across shared modules or old runners, do not design around the feature until the estate is actually upgraded.
When I would use it
I would use ephemeral resources when:
- the value is sensitive or short-lived
- the value is needed only during execution
- persisting it would create unnecessary security risk
I would not use them just because the word “ephemeral” sounds modern. If the value is part of the normal long-lived infrastructure model, keep the simpler construct.
How this fits into a healthier Terraform practice
This feature is easiest to appreciate when you care about state hygiene. If your team is already cleaning up module boundaries, remote state layout, and policy controls, ephemeral resources are a natural next step.
They pair well with:
- Terraform Stacks when you are separating environment concerns
- Terraform Testing in 2026 when you are tightening module behavior
- OPA + Terraform when you are building stronger policy guardrails
- the newer helper-resource model in Terraform terraform_data vs null_resource in 2026
My recommendation
Use ephemeral resources for temporary sensitive values that should never become part of Terraform’s durable artifacts. Do not use them as a fashionable replacement for ordinary data sources. Their value comes from being stricter, narrower, and safer.
That makes them one of the most quietly important Terraform language changes in a while.
Explore more like this
Amazon SNS Message Data Protection Availability Change: Migration Options Before April 30, 2026
Amazon SNS message data protection has a hard availability change on April 30, 2026. AWS says the feature will no longer be available to new customers after that date. Existing...
AWS Security Hub Extended: Full-Stack Risk Correlation Across AWS and Multicloud
AWS published the Security Hub Extended technical walkthrough on April 22, 2026, after announcing the multicloud expansion on March 10, 2026. The short version: Security Hub is becoming more than...
AWS CloudWatch Auto-Enablement: Organization-Wide Logs, Metrics, and AI Agent Telemetry
On April 2, 2026, AWS expanded Amazon CloudWatch auto-enablement so teams can automatically configure telemetry for Amazon CloudFront Standard access logs, AWS Security Hub CSPM finding logs, and Amazon Bedrock...
Comments