If you’ve been working with Terraform for a while, you’ve probably run into this frustrating situation: you need to pass a password or API token to a resource, but you don’t want that sensitive data sitting in your state file for everyone to see. Maybe you’ve tried creative workarounds with external data sources or complex scripting, but let’s be honest – it always felt like a hack.
Well, good news! Terraform 1.11 introduces write-only arguments, and they’re about to change how we handle secrets in our infrastructure code. Think of them as a secure handoff mechanism – you can pass sensitive data to resources during deployment, but Terraform immediately forgets about it once the job is done.
What Are Write-Only Arguments?
Write-only arguments are exactly what they sound like: arguments you can write a value to, but that Terraform never persists. The value is not written to the state file, not written to a saved plan file, and not shown in plan output. It's like whispering a secret that gets forgotten the moment it's used.
Here's the key insight: most of the time, we don't actually need Terraform to remember passwords and tokens. We just need to pass them to the cloud provider during resource creation or updates. Once the resource exists, the cloud provider holds the secret internally. The trade-off is that Terraform can no longer compare the value it has against the value it had, so it cannot detect that a secret changed on its own; you have to tell it, which is what the companion version argument below is for.
The Problem This Solves
Before write-only arguments, here’s what typically happened:
```hcl
# The old way - DON'T do this!
resource "aws_db_instance" "example" {
  instance_class      = "db.t3.micro"
  allocated_storage   = "5"
  engine              = "postgres"
  username            = "dbuser"
  password            = "super-secret-password" # This ends up in state!
  skip_final_snapshot = true
}
```
That password would sit in your state file in plaintext, readable by anyone with read access to the backend (the S3 bucket, the remote workspace, a colleague's laptop). Marking the argument `sensitive` does not help here: `sensitive` only redacts the value in CLI output, the state still contains it verbatim. Not great for security.
How Write-Only Arguments Work
With Terraform 1.11, providers can declare certain arguments as write-only (you also need a provider release that exposes them). The AWS provider, for example, introduces a `password_wo` (write-only) argument, paired with `password_wo_version`, for its database resources:
resource "aws_db_instance" "example" {
instance_class = "db.t3.micro"
allocated_storage = "5"
engine = "postgres"
username = "dbuser"
password_wo = "super-secret-password" # Never stored!
password_wo_version = 1
skip_final_snapshot = true
}
Notice two things:
- The `password_wo` argument is write-only: Terraform sends it to the AWS API and stores `null` for it in state. A literal here still lives in your `.tf` file and therefore in version control, so in practice you feed it from an ephemeral variable or an `ephemeral` resource rather than hard-coding it.
- The `password_wo_version` argument is how we trigger updates. Because Terraform keeps no copy of the old password, changing `password_wo` alone produces no diff; you increment `password_wo_version` when you rotate the secret, and that change is what makes Terraform resend the new value.
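Here is the pattern put together end to end, as an added example that is not part of the original post: the password arrives through an ephemeral input variable (Terraform 1.10+ `ephemeral = true`), so it is never written to plan or state, and a separate counter variable drives `password_wo_version`. The variable names, the `>= 1.11` constraint and the RDS settings are assumptions for illustration.

```hcl
terraform {
  # Write-only arguments need Terraform 1.11 or later (assumed constraint).
  required_version = ">= 1.11"

  required_providers {
    aws = {
      source = "hashicorp/aws"
      # Assumption: a provider release recent enough to expose password_wo.
    }
  }
}

# Ephemeral input: Terraform uses the value during plan/apply and never
# persists it. Supply it at run time, e.g. TF_VAR_db_password=... or
# -var="db_password=...", not from a tfvars file committed to git.
variable "db_password" {
  type      = string
  ephemeral = true
  sensitive = true
}

# Rotation counter. Terraform keeps no copy of the old password, so this
# number is the only signal that a new password must be sent to RDS.
variable "db_password_version" {
  type    = number
  default = 1
}

resource "aws_db_instance" "example" {
  instance_class      = "db.t3.micro"
  allocated_storage   = 5
  engine              = "postgres"
  username            = "dbuser"
  password_wo         = var.db_password          # stored as null in state
  password_wo_version = var.db_password_version  # bump to rotate
  skip_final_snapshot = true
}

output "db_endpoint" {
  value = aws_db_instance.example.endpoint
}
```

To rotate: set the new password in `TF_VAR_db_password`, run `terraform apply -var="db_password_version=2"`, and RDS receives the new master password. Afterwards `terraform show -json` contains `password_wo_version` but a `null` `password_wo`. The same `password_wo` argument can instead be fed from an `ephemeral` resource (for example a Secrets Manager secret version) so that no operator ever types the secret.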
A more detailed walkthrough is available on the author's blog.