Description
Summary
The 1Password Terraform provider should support Terraform 1.10's ephemeral values to ensure that secrets retrieved from 1Password are never persisted in Terraform state or plan files. This is a critical improvement for organizations that need to enforce strict security policies while managing secrets in their infrastructure.
Use cases
Secure Infrastructure Provisioning
Organizations provisioning infrastructure often require secrets from 1Password, such as database credentials, API keys, or certificates. Without ephemeral values, these secrets risk being stored in Terraform state files, increasing the potential for exposure through misconfiguration, state file compromise, or unauthorized access.
Compliance Requirements
Many enterprises operate under strict security frameworks such as SOC 2, PCI-DSS, ISO 27001, and NIST, which mandate that sensitive information like credentials must not be stored in plaintext or retained longer than necessary. Even encrypted Terraform state files may not meet compliance requirements if secrets can still be extracted.
GitOps and CI/CD Security
Teams following GitOps principles or using CI/CD pipelines need to ensure that secrets retrieved from 1Password are not committed to version control or exposed in Terraform state artifacts. Many organizations rely on remote state backends, such as Terraform Cloud or AWS S3, where improperly handled secrets could be accessible to a broader audience than intended.
Ephemeral and Short-Lived Credentials
Some workflows rely on dynamic secret generation and rotation, where credentials are meant to be short-lived. If secrets are stored in Terraform state, old credentials can be unintentionally restored, leading to operational failures or security vulnerabilities. Ephemeral values would ensure that secrets are only used within the current Terraform execution cycle and are never persisted beyond that.
Least Privilege and Access Control
By leveraging ephemeral values, role-based access control (RBAC) policies can be better enforced. Infrastructure teams can limit who has access to secrets while ensuring that Terraform itself does not retain sensitive data in a way that circumvents security policies.
Proposed solution
The 1Password Terraform provider should integrate ephemeral resources and ephemeral input/output variables to align with Terraform 1.10’s security model. This will allow secrets to be retrieved at runtime, used for configuration, and discarded immediately—never persisting in any Terraform-generated artifacts.
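As an added illustration (not code from the 1Password provider or its documentation), the configuration below contrasts today's data source, whose attributes land in state, with the ephemeral resource this request asks for. The `ephemeral "onepassword_item"` block and its `username`/`password` attributes are assumed to mirror the existing data source, and the `postgresql` provider is only an illustrative consumer.

```hcl
# Constructed example (not from the 1Password provider's docs). The
# ephemeral "onepassword_item" block below is assumed to expose the same
# vault/title/username/password attributes as the existing data source.

terraform {
  required_version = ">= 1.10" # ephemeral resources and variables need 1.10+
  required_providers {
    onepassword = { source = "1Password/onepassword" }
    postgresql  = { source = "cyrilgdn/postgresql" }
  }
}

# Ephemeral input: Terraform 1.10 refuses to write it to state or plan files.
variable "op_service_account_token" {
  type      = string
  sensitive = true
  ephemeral = true
}

provider "onepassword" {
  service_account_token = var.op_service_account_token
}

# Today: a data source. Every attribute it returns, password included, is
# recorded in terraform.tfstate and in any saved plan file.
data "onepassword_item" "db_persisted" {
  vault = "Infra"
  title = "prod-db"
}

# Requested: an ephemeral resource (hypothetical block name). It is opened
# during plan/apply and closed afterwards; nothing it returns is persisted.
ephemeral "onepassword_item" "db" {
  vault = "Infra"
  title = "prod-db"
}

# Ephemeral values may only be used where Terraform does not persist them:
# provider configuration, provisioner/connection blocks, other ephemeral
# values, and (from Terraform 1.11) write-only resource arguments.
provider "postgresql" {
  host     = "db.internal.example" # constructed hostname
  username = ephemeral.onepassword_item.db.username
  password = ephemeral.onepassword_item.db.password
}

# Referencing ephemeral.onepassword_item.db.password from an ordinary
# resource argument is a plan-time error, which is the point: the secret
# cannot leak into state by accident.
```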
Is there a workaround to accomplish this today?
Currently, organizations must resort to manual workarounds such as:
- Fetching secrets externally via the 1Password CLI (`op`) and passing them as environment variables
- Running `terraform state rm` after apply, which is not scalable or reliable
- Using external secrets managers (e.g., AWS Secrets Manager, HashiCorp Vault) instead of 1Password, which adds complexity and operational overhead
References & Prior Work
- Terraform 1.10 Release Announcement: Introduction of ephemeral values for secure secret handling
- AWS, Azure, and Kubernetes providers: Already implementing ephemeral resources for secrets management
- Enterprise security frameworks: SOC 2, PCI-DSS, ISO 27001, and NIST compliance requirements
By integrating ephemeral values into the 1Password Terraform provider, security risks associated with state file exposure can be eliminated, making Terraform a safer tool for managing secrets in modern infrastructure environments.