How to keep decrypted KMS plaintext out of state file?

Hi!

I’m using the data source google_kms_secret to decrypt sensitive values (auth tokens etc.) during TF execution. Unfortunately, this means that the decrypted plaintext will end up in the TF state file, which is something I would like to avoid.

I assumed there is a way to do this with ephemeral resources, but this does not appear to be possible. Am I missing something here, or is there currently no way to do this?

I’m also open to suggestions for alternative ways of storing secrets. I mainly try not to have secrets stored in my TF files in plain text, as I track them with git, and not to have them in the state file either.

Thanks!

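As an added illustration of the problem described in the question (this is not code from the original post, nor from the Google provider): the google_kms_secret data source exposes the decrypted value as its `plaintext` attribute, and Terraform persists every data-source attribute in the state file. The script below scans a format-version-4 state file and reports any resource instance that carries a `plaintext` attribute, so you can confirm whether a state snapshot (local or downloaded from a remote backend) contains decrypted secrets. It goes a little beyond the post by also checking a small, assumed watch-list of other attribute names (`password`, `private_key`, `secret_data`); the state document embedded in it is constructed for the example. The report deliberately prints only the address, attribute name and value length, never the value itself.

```python
import json
import sys

# Constructed sample of a Terraform state file (format version 4); not taken
# from the original post. It contains a google_kms_secret data source whose
# decrypted "plaintext" attribute has been persisted next to the ciphertext,
# plus an unrelated managed resource that should not be flagged.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.10.0",
    "resources": [
        {
            "mode": "data",
            "type": "google_kms_secret",
            "name": "auth_token",
            "provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
            "instances": [{
                "schema_version": 0,
                "attributes": {
                    "crypto_key": "projects/example/locations/global/keyRings/kr/cryptoKeys/ck",
                    "ciphertext": "CiQAconstructedCiphertextForTheExample",
                    "plaintext": "super-secret-token",
                    "id": "constructed-id",
                },
            }],
        },
        {
            "mode": "managed",
            "type": "google_storage_bucket",
            "name": "logs",
            "provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
            "instances": [{
                "schema_version": 1,
                "attributes": {"name": "example-logs", "location": "US"},
            }],
        },
    ],
})

# Attribute names whose presence in state means a decrypted or otherwise
# sensitive value has been written to disk. "plaintext" is the attribute the
# google_kms_secret data source exposes; the others are an assumed watch-list
# for this example and can be extended for your own providers.
SENSITIVE_ATTRS = frozenset({"plaintext", "password", "private_key", "secret_data"})


def find_plaintext_in_state(state_json: str) -> list[dict]:
    """Return one finding per (resource instance, sensitive attribute) pair.

    Each finding records the resource address, the attribute name and the
    length of the stored value. The value itself is never copied into the
    result, so the report cannot leak what the state already leaks.
    """
    state = json.loads(state_json)
    if state.get("version") != 4:
        raise ValueError(f"unsupported state format version: {state.get('version')!r}")

    findings = []
    for res in state.get("resources", []):
        # Build the address the way Terraform does: optional module path,
        # "data." prefix for data sources, then type.name.
        module = res.get("module")
        mode_prefix = "data." if res.get("mode") == "data" else ""
        address = f"{module + '.' if module else ''}{mode_prefix}{res['type']}.{res['name']}"

        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for key in sorted(SENSITIVE_ATTRS.intersection(attrs)):
                value = attrs[key]
                if value in (None, ""):
                    continue  # attribute present but empty: nothing persisted
                findings.append({
                    "address": address,
                    "attribute": key,
                    "length": len(str(value)),
                })
    return findings


if __name__ == "__main__":
    # Usage: python state_scan.py [path/to/terraform.tfstate]
    # With no argument the constructed sample state above is scanned.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    document = open(path, encoding="utf-8").read() if path else SAMPLE_STATE
    results = find_plaintext_in_state(document)
    for f in results:
        print(f"{f['address']}: attribute '{f['attribute']}' holds "
              f"{f['length']} characters of stored plaintext")
    if not results:
        print("no sensitive attributes found in state")
```

Run it against a state file pulled with `terraform state pull > state.json` to see exactly which addresses are carrying decrypted material; marking a value `sensitive` in HCL only redacts it from CLI output and does not change what this scan finds, because the state still stores the plaintext.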

This does seem like something that could be an ephemeral resource. I found this handy support team document that is tracking ephemeral resources in official HashiCorp providers[1] and indeed I do not see this implemented. You may wish to request this as a feature: https://github.com/hashicorp/terraform-provider-google/issues

[1] List of Ephemeral Resources released by Top Terraform Providers – HashiCorp Help Center