Can I create a custom data source that doesnt store certain strings in state but still reads them?

red8888 · November 11, 2020, 8:21pm

I use aws secrets manager

Doing this works and is simple and easy:
data “aws_secretsmanager_secret_version” “someservice” {
secret_id = “someservice”
}
provider “someservice” {
creds = data.aws_secretsmanager_secret_version.someservice.secret_string
}

BUT I need to keep secrets out of my statefile and now my statefile has this:

  "mode": "data",
  "type": "aws_secretsmanager_secret_version",
  "name": "someservice",
  "provider": "provider.aws",
  "instances": [
    {
      "schema_version": 0,
      "attributes": {
        "arn": "arn:aws:secretsmanager:us-west-1:11111111:secret:someservice-9fZ5VX",
        "id": "someservice|AWSCURRENT",
        "secret_binary": "",
        "secret_id": "someservice",
        "secret_string": "=======MYSECRETSTRING====",
        "version_id": "123123se23-d812-12e2-a944-12e2qr313r",
        "version_stage": "AWSCURRENT",
        "version_stages": [
          "AWSCURRENT"
        ]
      }
    }
  ]
},

Is it possible to write a custom datasource that wont store the secret_string in state and instead retrieves it from aws secrets manager every time its run?

paddy · December 7, 2020, 7:24pm

Nope, the state file should be treated as sensitive. Terraform currently requires anything that can be interpolated to be written to the state file.

Topic		Replies	Views
Statefile intent for aws_secretsmanager_secret AWS	0	244	September 21, 2022
Store sensitive data in local state file Plugin Development	5	628	March 31, 2023
Passwords/Sensitive data in TfState files Terraform	2	4552	August 21, 2019
Data Resource: Read computed value from state Plugin Development	6	1269	December 9, 2020
How to keep decrypted KMS plaintext out of state file? Google	1	57	April 24, 2025

Can I create a custom data source that doesnt store certain strings in state but still reads them?

Related topics