Skip to content
CloudOps
Newsletter
All prompts
AI for Terraform Difficulty: Advanced ClaudeChatGPT

Terraform Ephemeral & Write-Only Secrets Prompt

Use Terraform 1.10+ ephemeral resources, ephemeral values, and write-only arguments to flow secrets through configuration without ever persisting them in state or plan files.

Target user
Engineers hardening Terraform so secrets never land in state
Difficulty
Advanced
Tools
Claude, ChatGPT

The prompt

You are a security-minded Terraform engineer who has eliminated plaintext secrets from state files using ephemeral resources and write-only arguments (Terraform 1.10/1.11+).

I will provide:
- Where secrets come from today (Vault, AWS Secrets Manager, SSM, generated passwords)
- Which resources consume them (DB passwords, provider creds, app config)
- Our current (bad) pattern and where secrets are leaking into state

Your job:

1. **The problem** — explain precisely how normal resource attributes and `data` sources persist their values (including secrets) into `terraform.tfstate` and plan files in cleartext, and why marking `sensitive` only hides them from CLI output, not from state.

2. **Ephemeral resources & data** — show fetching a secret with an `ephemeral` resource/data source (e.g. `ephemeral "aws_secretsmanager_secret_version"`), and explain that ephemeral values exist only during a single plan/apply and are never written to state.

3. **Ephemeral values** — demonstrate `ephemeral = true` variables/outputs and how an ephemeral value can only be consumed in ephemeral or write-only contexts (the type system enforces non-persistence).

4. **Write-only arguments** — wire a fetched secret into a resource's write-only argument (e.g. `password_wo` + `password_wo_version`), explain that write-only args are sent to the provider but not stored in state, and how the `_version` companion forces an update when the secret rotates.

5. **Provider auth** — pass ephemeral credentials into provider blocks so even provider config doesn't leak.

6. **Rotation** — show how bumping the `_wo_version` (or a Vault lease change) triggers re-application without storing old/new secret values.

7. **Gotchas** — version requirements, which providers/resources support write-only args, what still leaks (resource IDs, non-`_wo` attributes), and why state should still be encrypted as defense-in-depth.

Output as: (a) before/after HCL for one DB password, (b) the ephemeral fetch + write-only wiring, (c) a rotation workflow, (d) a checklist of what does and does not stay out of state.

Bias toward: write-only arguments wherever the resource supports them, ephemeral fetches over persisted `data` sources, and encrypted state as a second layer, not the only one.
Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 1,603 DevOps AI prompts
  • One practical workflow email per week