Description
Is your feature request related to a problem? Please describe.
When using elasticstack_elasticsearch_security_api_key resources, the generated API key values (including the sensitive encoded and api_key attributes) are stored in plain text in the Terraform state file. This creates a security risk, as anyone with access to the state file can extract these credentials.
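The exposure described above can be checked for directly: a Terraform state document is JSON, and each resource instance's attributes sit at `resources[].instances[].attributes`. The script below is an added example, not code from the issue or from the elasticstack provider; it walks a state document and reports every `elasticstack_elasticsearch_security_api_key` instance whose `api_key` or `encoded` attribute still holds a value. The embedded state is constructed for the demonstration and the key values in it are fake.

```python
"""Audit a Terraform state document for Elasticsearch API key credentials
persisted in plain text.

Added example (not part of the original issue or the provider). It reads
the standard state JSON layout (state version 4: resources -> instances ->
attributes) and flags instances of the API key resource type whose
sensitive attributes are populated. The SAMPLE_STATE below is constructed;
its key material is fake.
"""
from __future__ import annotations

import json
from typing import Any

API_KEY_TYPE = "elasticstack_elasticsearch_security_api_key"
# Attributes the issue identifies as credential material written to state.
SENSITIVE_ATTRS = ("api_key", "encoded")

# Constructed state document: one root-level key with both secrets present,
# one for_each instance inside a module with only "encoded" present, and an
# unrelated resource that must be ignored.
SAMPLE_STATE: dict[str, Any] = {
    "version": 4,
    "terraform_version": "1.9.0",
    "resources": [
        {
            "mode": "managed",
            "type": API_KEY_TYPE,
            "name": "my_key",
            "instances": [{
                "schema_version": 0,
                "attributes": {
                    "id": "constructed-id-1",
                    "name": "My Application API Key",
                    "api_key": "FAKE-api-key-value",
                    "encoded": "RkFLRS1lbmNvZGVk",
                },
            }],
        },
        {
            "module": "module.search",
            "mode": "managed",
            "type": API_KEY_TYPE,
            "name": "per_team",
            "instances": [{
                "index_key": "billing",
                "schema_version": 0,
                "attributes": {
                    "id": "constructed-id-2",
                    "name": "billing",
                    "api_key": None,
                    "encoded": "RkFLRTpiaWxsaW5n",
                },
            }],
        },
        {
            "mode": "managed",
            "type": "elasticstack_elasticsearch_index",
            "name": "logs",
            "instances": [{"attributes": {"name": "logs-000001"}}],
        },
    ],
}


def resource_address(res: dict[str, Any], inst: dict[str, Any]) -> str:
    """Build the Terraform address for one resource instance
    (module prefix, data. prefix and [index_key] where present)."""
    addr = f'{res["type"]}.{res["name"]}'
    if res.get("mode") == "data":
        addr = "data." + addr
    if res.get("module"):
        addr = f'{res["module"]}.{addr}'
    key = inst.get("index_key")
    if key is not None:
        addr += f"[{json.dumps(key)}]"
    return addr


def find_plaintext_api_keys(state: dict[str, Any]) -> list[tuple[str, list[str]]]:
    """Return (address, populated sensitive attribute names) for every API key
    resource instance that carries credential material in the state."""
    findings: list[tuple[str, list[str]]] = []
    for res in state.get("resources", []):
        if res.get("type") != API_KEY_TYPE:
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            present = [a for a in SENSITIVE_ATTRS if attrs.get(a)]
            if present:
                findings.append((resource_address(res, inst), present))
    return findings


def audit_state_file(path: str) -> list[tuple[str, list[str]]]:
    """Load a state file from disk (e.g. a pulled remote state) and audit it."""
    with open(path, encoding="utf-8") as fh:
        return find_plaintext_api_keys(json.load(fh))


if __name__ == "__main__":
    for address, attrs in find_plaintext_api_keys(SAMPLE_STATE):
        print(f"{address}: plaintext {', '.join(attrs)} in state")
```

Run it against real state with `audit_state_file("terraform.tfstate")` (after `terraform state pull > terraform.tfstate` for remote backends); any finding means the credential is recoverable by everyone who can read the state, which is exactly the situation an ephemeral resource would avoid.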
Describe the resource you would like to have implemented.
I would like the elasticstack_elasticsearch_security_api_key resource to support Terraform's ephemeral resource pattern (introduced in Terraform 1.10).
Describe the solution you'd like
Implement an ephemeral variant of the API key resource, so that the following pattern is possible:
```hcl
ephemeral "elasticstack_elasticsearch_security_api_key" "my_key" {
  name = "My Application API Key"
  role_descriptors = jsonencode({
    my-role = {
      cluster = ["monitor"]
      indices = [{
        names      = ["my-index-*"]
        privileges = ["read", "write"]
      }]
    }
  })
}

# Use the ephemeral key value in the same run - never written to state
resource "vault_kv_secret_v2" "api_key" {
  mount = "secret"          # assumed KV v2 mount path
  name  = "elastic/api_key" # assumed secret path

  # Ephemeral values may only flow into write-only arguments;
  # data_json_wo is the write-only form of data_json.
  data_json_wo = jsonencode({
    api_key = ephemeral.elasticstack_elasticsearch_security_api_key.my_key.encoded
  })
}
```

Describe alternatives you've considered
- Apply access controls to remotely stored Terraform state files - this mitigates but does not eliminate the security risk
- Generate API keys outside of Terraform - this breaks infrastructure-as-code principles and adds operational complexity
Additional context
https://www.hashicorp.com/en/blog/ephemeral-values-in-terraform