Today, we are announcing the general availability of HashiCorp Terraform 1.11, which is ready for download and immediately available for use in HCP Terraform. This version introduces write-only arguments, which let you use ephemeral values in specific managed resource arguments.
Extending ephemeral values with write-only arguments
- Ephemeral input variables and output values for temporary or sensitive data, such as short-lived tokens or session identifiers.
- Ephemeral resources, a new language construct that allows Terraform to temporarily reference external data by opening and closing a remote object.
In Terraform 1.10, ephemeral values could only be used in other ephemeral contexts, such as:
- Ephemeral input variables
- Output values
- Provider and provisioner blocks
- Ephemeral resources
With Terraform 1.11, you can use ephemeral values in managed resources through the introduction of write-only arguments.
Write-only arguments are arguments in a resource that can only be written to, and not read. Similar to ephemeral values, write-only arguments are not stored in Terraform artifacts like the plan or state file.
This enhancement makes it possible to securely pass secrets, such as a generated password or a fetched token, directly to managed resources without risking exposure in the state file or plan file.
By extending ephemeral values to managed resources, Terraform 1.11 strengthens the security of workflows involving sensitive data, ensuring your secrets remain secure across input variables and output values, ephemeral resources, and write-only arguments in managed resources.
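The flow described above, as an added example that is not part of the original announcement: an ephemeral generated password is handed to managed resources through write-only arguments. It assumes AWS and random provider releases that support ephemeral resources and write-only arguments; the resource names and the secret name are hypothetical.

```hcl
terraform {
  required_version = ">= 1.11.0" # write-only arguments require Terraform 1.11
  required_providers {
    aws    = { source = "hashicorp/aws" }
    random = { source = "hashicorp/random" }
  }
}

# Ephemeral resource: the generated value exists only during the run and
# is never written to the plan or state file.
ephemeral "random_password" "db" {
  length           = 24
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

resource "aws_secretsmanager_secret" "db" {
  name = "example-db-password" # hypothetical secret name
}

# Write-only argument: the password is sent to the provider but not persisted.
# Terraform cannot diff a value it does not store, so the companion
# *_wo_version argument is what signals that the value should change.
resource "aws_secretsmanager_secret_version" "db" {
  secret_id                = aws_secretsmanager_secret.db.id
  secret_string_wo         = ephemeral.random_password.db.result
  secret_string_wo_version = 1 # increment to rotate the secret
}

# Read the stored secret back ephemerally so later runs hand the database
# the same value instead of a freshly generated one.
ephemeral "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret_version.db.secret_id
}

resource "aws_db_instance" "example" {
  instance_class      = "db.t3.micro"
  allocated_storage   = 5
  engine              = "postgres"
  username            = "example"
  skip_final_snapshot = true

  # Write-only: never appears in terraform.tfstate or a saved plan.
  password_wo         = ephemeral.aws_secretsmanager_secret_version.db.secret_string
  password_wo_version = aws_secretsmanager_secret_version.db.secret_string_wo_version
}
```

After an apply, inspecting the state with terraform show -json should show the _wo arguments as null, while the _wo_version values are stored normally.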
apstra_api_token, Palo Alto Networks’ panos_api_key and panos_vm_auth_key, and Fortinet’s fortiflexvm_groups_nexttoken, these providers offer more secure, temporary credentials that minimize exposure.
Missed our workshop on implementing ephemeral values in your providers? Watch the recording here.
We encourage our partners to explore implementing ephemeral values in their providers and enhance security across the ecosystem!
changelog, including new features in the test framework:
- Terraform tests have a new state_key attribute for run blocks, allowing test authors control over which internal state file should be used for the current test run. This allows multiple run blocks to target the same infrastructure. For example, you can use a setup module and execute multiple tests on it by utilizing the state_key attribute.
- Terraform test runs now support using mocked or overridden values during unit test runs (e.g. with command = "plan"). Set override_during = plan in the test configuration to use the overridden values during the plan phase. The default value is override_during = apply.
- The -junit-xml CLI flag for the terraform test command is now generally available. This flag allows the command to create a test report in JUnit XML format.