“Ephemeral output not allowed” when testing

Terraform
1

Description

When developing a Terraform module that includes a test setup submodule using ephemeral resources and outputs, running terraform validate or terraform test at the module root fails with the following error:

$ > terraform test
tests/main.tftest.hcl... in progress
  run "setup"... fail
╷
│ Error: Ephemeral output not allowed
│ 
│   on testing/setup/outputs.tf line 20:
│   20: output "creds" {
│ 
│ Ephemeral outputs are not allowed in context of a root module
╵
  run "apply"... skip
  run "verify"... skip

$ > terraform validate
╷
│ Error: Ephemeral output not allowed
│ 
│   on testing/setup/outputs.tf line 20:
│   20: output "creds" {
│ 
│ Ephemeral outputs are not allowed in context of a root module
╵

Steps to Reproduce

  1. Create a subdirectory testing/setup with:
ephemeral "vault_kv_secret_v2" "proxmox_creds" {
  mount = "infra-secrets"
  name  = "testing/proxmox/creds"
}

locals {
  proxmox_creds = ephemeral.vault_kv_secret_v2.proxmox_creds.data
}

output "creds" {
  description = "Sensitive information obtained from Vault"
  ephemeral   = true
  sensitive   = true

  value = {
    proxmox = {
      username = local.proxmox_creds.username
      password = local.proxmox_creds.password
    }
  }
}
  1. Reference it from a .tftest.hcl file:
run "setup" {
  module {
    source = "./testing/setup"
  }
}
  1. Run:
terraform validate

Environment

OS: NixOS 25.05
Terraform: v1.13.1
Platform: amd64

Question

Is this the expected behavior or not? If so, what is the best way to get around it?

2

Hi @whereyourspace, thanks for sharing this use case. I think the behaviour of validate is expected as it is not designed to be called against non-root modules. However, the behaviour of the test command should support this, could you file this as a bug in the Terraform issue list? Thanks!

1 Like