Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ephemeral/password: Introduce a new ephemeral password resource #625

Merged
merged 25 commits into from
Feb 12, 2025
Merged

ephemeral/password: Introduce a new ephemeral password resource #625

merged 25 commits into from
Feb 12, 2025

Conversation

austinvalle
Copy link
Member

@austinvalle austinvalle commented Nov 12, 2024
edited
Loading

This PR is currently in draft as an ephemeral random password is not particularly useful until managed resources are updated to allow interaction with ephemeral data (via write-only attributes, earliest that will be available is Terraform v1.11.0)

Closes #639

This PR introduces a new random_password ephemeral resource which is functionally similar to the managed resource, minus the keepers and id attributes. Once write-only attribute are introduced in Terraform v1.11, this resource can be used to generate a random password while avoiding storing that password in state.

Notes

  • keepers are not relevant because ephemeral resources do not produce a plan and are never stored in state. Triggers for producing an ephemeral password will eventually be the responsibility of the module author.
  • id is not relevant because the new testing framework doesn't require this information and the practitioner doesn't benefit from the duplication with result.

@austinvalle austinvalle added this to the v3.7.0 milestone Nov 19, 2024
@austinvalle austinvalle mentioned this pull request Jan 9, 2025
Closed
1 task
@austinvalle austinvalle marked this pull request as ready for review January 10, 2025 22:26
@austinvalle austinvalle requested a review from a team as a code owner January 10, 2025 22:26
@ktham
Copy link

ktham commented Jan 10, 2025
edited
Loading

Ultimately, it will be up to the consuming managed resource implementation (for example, an aws_db_instance) to define when the write-only attribute will be consumed, which likely will need to be a separate non-write-only attribute to allow the practitioner to explicitly indicate they want the provider to use the write-only value.

Got it, thank you for explaining :) - aws_db_instance is precisely one of the resources that I'm waiting for a potential implementation of write-only attribute for the password field, and regarding tracking the change of a non-writeonly value to consume the write-only makes sense, thank you for the example, we'll wait for the final version of the implementation and will be eager to start using it. Thanks!

(edit: woops, sorry, I meant to reply in the thread above)

@mitchnielsen mitchnielsen mentioned this pull request Feb 10, 2025
Closed
2 tasks
@bbasata bbasata self-requested a review February 11, 2025 13:55
bbasata
bbasata approved these changes Feb 11, 2025
View reviewed changes
Copy link

@bbasata bbasata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

@austinvalle austinvalle merged commit 125a230 into main Feb 12, 2025
53 checks passed
@austinvalle austinvalle deleted the av/ephemeral-password branch February 12, 2025 21:53
@doniz doniz mentioned this pull request Feb 14, 2025
Open
@sov-msaeed sov-msaeed mentioned this pull request Feb 19, 2025
Closed
@sov-msaeed
Copy link

sov-msaeed commented Feb 19, 2025
edited
Loading

@austinvalle sorry to comment on closed pull request, First of all thank you so much for this great feature. can't wait to try it out.

I am using random_password along with aws_secretsmanager_secret_version to create passwords and save them in secrets manager. with this pull request i can achieve one step of the goal but with aws_secretsmanager_secret_version the secret is still written to the state file. I have create this issue hashicorp/terraform-provider-aws#41457 but I wanted to ask if this something will be handled actually by default in the new terraform 1.11 version or an ephemeral resource would need to be created as well for aws_secretsmanager_secret_version similar to random_password ?

Thanks again

@austinvalle austinvalle mentioned this pull request Feb 24, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ktham ktham ktham left review comments

@bbasata bbasata bbasata approved these changes

Assignees
No one assigned
Labels
enhancement size/XL upstream-terraform
Projects
None yet
Milestone
v3.7.0
Development

Successfully merging this pull request may close these issues.

random_password : add ephemeral block support for secret free TF state (Proposal)
4 participants
@austinvalle @ktham @sov-msaeed @bbasata