New resource: ephemeral "terraform_data" #31822
Open
Describe the solution you'd like
I want to create resources managed by Terraform without storing "secrets" in Terraform state, and read secret data directly from an external API request (like: vault kv get). In this workflow I will not store any private data in Terraform state and can read secrets directly from Vault.
Describe alternatives you've considered
The solution is to use an ephemeral resource and get the data through an API request. But Terraform does not yet support a resource like ephemeral "terraform_data".
# Terraform get a secret into ephemeral resource and do not store in state
ephemeral "terraform_data" "oidc_secret" {
  input = jsondecode(
    chomp(
      run("vault kv get -format=json kv/keycloack/vault_client")
    )
  ).data.data.client_secret
}

# Use this secret inside the resource
resource "vault_jwt_auth_backend" "oidc" {
  oidc_client_secret = ephemeral.terraform_data.oidc_secret.output
}
Explain any additional use-cases
Please describe any available solution for this workflow if it is available.
Like this example: https://developer.hashicorp.com/terraform/language/manage-sensitive-data/ephemeral