OpenTofu, a community-driven IaC tool (a fork of Terraform) under the Linux Foundation’s stewardship, has introduced ephemeral attributes in its nightly builds — a long-requested feature designed to prevent sensitive values from being persisted in state files. But before we go further, let me clarify what exactly we’re talking about.
As their name suggests, ephemeral attributes allow values to exist only during a single execution of the OpenTofu CLI (plan/apply) and are discarded immediately afterward. In practice, this means that when you mark specific attributes as ephemeral, they will not be stored in the state.
The goal is pretty clear – it’s all about security, helping eliminate one of the longstanding risks in Terraform-style workflows: accidentally exposing secrets or keys saved in state. So, with this new support, users who configure an attribute as ephemeral get the following:
- The attribute will accept input (e.g., a password, a key) during plan or apply.
- It’s never written to the state.
- It cannot be read later (since it doesn’t persist).
- It’s usable only in contexts where the attribute is allowed (for resources that support it).
Until now, marking values as “Sensitive” has only prevented their display in logs and CLI output; such values still appear in plaintext in state files. And while state encryption is supported, it serves as a protective layer around the stored value rather than a means of preventing storage. With ephemeral attributes, however, the data is never stored in the first place — assuming the workflow supports it.
Additionally, OpenTofu supports a complementary concept, write-only attributes, which enable the passing of ephemeral data into non-ephemeral resources. In other words, a managed resource may accept a write-only input (e.g., a secret) that is used during provisioning but is not retained in the state.
Together, ephemeral + write-only gives users a way to model workflows in which secret handling is transient — for example, SSH tunnels, KMS keys, or password injection tasks — without ever leaving traces in a state that could be leaked.
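To make the difference concrete, here is an added configuration example (not code from the OpenTofu announcement or project) showing the weak pattern beside the ephemeral + write-only pattern described above. It assumes OpenTofu 1.11’s syntax mirrors Terraform’s (`ephemeral = true` on a variable), and that the `hashicorp/aws` provider version in use exposes the write-only `password_wo` / `password_wo_version` arguments on `aws_db_instance`; the subnet group and security group names are placeholders.

```hcl
# --- Weak pattern: "sensitive" only hides the value in CLI output. ---
# The password is still written in plaintext to the state file.
variable "db_password_legacy" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "legacy" {
  identifier        = "app-legacy"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "app"
  password          = var.db_password_legacy   # persisted in state
  # placeholder names (assumption), not real resources from the article
  db_subnet_group_name   = "PLACEHOLDER_SUBNET_GROUP"
  vpc_security_group_ids = ["PLACEHOLDER_SG_ID"]
}

# --- Ephemeral + write-only pattern: the secret never reaches the state. ---
# An ephemeral variable exists only for the duration of this plan/apply.
variable "db_password" {
  type      = string
  ephemeral = true
}

resource "aws_db_instance" "app" {
  identifier        = "app"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "app"

  # Write-only argument (assumed provider support): accepted during apply,
  # sent to the API, and not retained in state. Because the value cannot be
  # diffed later, the version counter is what signals "re-send the secret".
  password_wo         = var.db_password
  password_wo_version = 1

  db_subnet_group_name   = "PLACEHOLDER_SUBNET_GROUP"
  vpc_security_group_ids = ["PLACEHOLDER_SG_ID"]
}
```

Supply the value at run time rather than from a file that lands in version control, for example `TF_VAR_db_password=... tofu apply`. As a check after apply, inspect the state with `tofu show -json` and confirm the password value appears nowhere in the output for `aws_db_instance.app`; with the legacy resource it will be present in plaintext. Rotating the secret is done by changing the value and incrementing `password_wo_version`, since OpenTofu has no stored copy to compare against.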
However, like anything else, ephemeral attributes are not a silver bullet. Because the data is not stored, you cannot later inspect or re-use it from state. Additionally, not all resources or providers will immediately support ephemeral or write-only attributes; compatibility depends on the specific resource implementations.
And last but not least, there’s another important caveat: this feature is currently only in nightly builds of OpenTofu — not production-ready — and slated to appear in version 1.11. So, in light of this, the project maintainers explicitly warn against trying it on production workloads.
For more information, see the announcement.