How to keep decrypted KMS plaintext out of state file?

eeoeasd · April 24, 2025, 12:24pm

Hi!

I’m using the data source google_kms_secret to decrypt sensitive values (auth tokens etc.) during TF execution. Unfortulately, this means that the decrypted plaintext will end up in the TF state file which is something I would like to avoid.

I assumed there is a way to do this with ephemeral resources, but this does not appear to be possible. Am I missing something here, or is there currently no way to do this?

I’m also open to suggestions for alternative ways of storing secrets. I mainly try to not have secrets stored in my TF files in plain text as I track them with git and not have them in the state file.

Thanks!

CraigW · April 24, 2025, 6:23pm

This does seem like something that could be an ephemeral resource. I found this handy support team document that is tracking ephemeral resources in official HashiCorp providers[1] and indeed I do not see this implemented. You may wish to request this as a feature: https://github.com/hashicorp/terraform-provider-google/issues

[1] List of Ephemeral Resources released by Top Terraform Providers – HashiCorp Help Center

Topic		Replies	Views
Terraform Ephemeral Values - a way to handle secrets Terraform	1	668	November 17, 2024
GCP Terraform secret Manager Google	1	513	September 30, 2024
Managing Secrets in Git with Terraform – Best Practices? Vault	3	102	December 3, 2024
Override diffing when dealing with encrypted data Terraform Providers	2	229	August 27, 2021
Feedback needed: TF plan security Terraform	3	596	November 11, 2020

How to keep decrypted KMS plaintext out of state file?

Related topics