Terraform restricts where ephemeral values can be used so that sensitive data is never written to the state file or to a saved plan file. The "Ephemeral value not allowed" error occurs when you reference an ephemeral resource, variable, output or local in a context that does not support ephemerality.
Ephemeral resources (introduced in Terraform v1.10) are opened during a run and discarded when it finishes; their values are never persisted, which keeps credentials and other secrets out of state. The price is that they can only be referenced in a fixed set of contexts. The error occurs when an ephemeral value would flow into a context that Terraform persists, for example a managed resource argument, an output block that is not declared ephemeral, or a module input variable that is not declared ephemeral. The constraint is what makes the feature meaningful: state and saved plan files are written to disk or to a remote backend, and anyone who can read them can read whatever was stored there.
Run terraform plan and note the exact location of the error. Check whether it's in an output, variable assignment, or resource argument. The error message will indicate the invalid context.
Update your output block to declare it as ephemeral. Only child modules may declare ephemeral outputs; a root module output cannot be ephemeral, so a root module has no supported way to expose the value:

    output "secret_password" {
      value     = ephemeral.random_password.db.result
      sensitive = true
      ephemeral = true
    }

In the calling module the module.NAME.secret_password reference is itself ephemeral and is subject to the same placement rules.

In the child module's variables.tf, add ephemeral = true so the variable can accept ephemeral values:

    variable "master_password" {
      type      = string
      ephemeral = true
    }

Ephemeral values can only be referenced in:
- Provider blocks
- Provisioner and connection blocks
- Local values (which then become ephemeral themselves)
- Arguments of other ephemeral resources
- Input variables and output values declared with ephemeral = true
- Write-only arguments in managed resources (Terraform 1.11+)
Remove any references from regular managed resource arguments; those are written to state on apply and to the plan file on plan, which is exactly what the feature forbids.
If you need the ephemeral value in several places, capture it once in a local:

    locals {
      password = ephemeral.random_password.db.result
    }

The local inherits ephemerality, so local.password can be used anywhere an ephemeral value is allowed (provider blocks, provisioners, write-only arguments) and is rejected in the same places the raw reference would be.
If a managed resource must receive the value, use a write-only argument (Terraform 1.11+). Write-only arguments are defined by each provider; in the AWS provider they carry a _wo suffix and are paired with a _wo_version argument, because Terraform cannot diff a value it never stores and uses the version to decide when to send a new one. The plain master_password argument is an ordinary state-persisted argument and produces exactly this error:

    resource "aws_rds_cluster" "example" {
      # ...
      # write-only: sent to the API, never written to state or plan
      master_password_wo         = ephemeral.aws_secretsmanager_secret_version.db.secret_string
      master_password_wo_version = 1
    }

Ephemeral resources were introduced in Terraform v1.10 (November 2024) to keep sensitive data out of state files, and the "ephemeral value not allowed" constraint is fundamental to that design: an ephemeral value is accepted only where Terraform can guarantee it will not be persisted. Write-only arguments (Terraform 1.11+) extend the set of safe destinations to managed resources. The ephemeral lifecycle has three phases: opening (reading the value), renewing (if the remote system enforces an expiry on it) and closing (after providers finish their work). Because the resource is reopened on every plan and apply, a value that must match something configured elsewhere, such as a database password, should come from a stable source like a secrets manager rather than from a generator such as random_password. Understanding these constraints is essential when working with passwords, API keys or temporary credentials. Ephemeral resources are offered by providers including AWS, Azure, GCP, Vault, Kubernetes and Infisical.
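A complete root module that exercises the rules above, added here as an example and not taken from the page or from HashiCorp's documentation. It assumes Terraform 1.10 or newer and the hashicorp/random provider at a version that ships the ephemeral random_password resource (assumed to be 3.7.0 or later); the variable name db_user, the resource names and the shell snippet in the provisioner are constructed for the example. The commented-out block is the pattern that triggers the error; the provisioner shows the same value consumed in an allowed context.

```hcl
terraform {
  required_version = ">= 1.10" # ephemeral resources, ephemeral variables and outputs
  required_providers {
    random = {
      source  = "hashicorp/random"
      version = ">= 3.7.0" # assumption: first release with the ephemeral random_password resource
    }
  }
}

variable "db_user" {
  type    = string
  default = "app" # constructed sample input; not secret, so it may live in state
}

# Ephemeral resource: opened on every plan/apply, never written to state or plan.
ephemeral "random_password" "db" {
  length  = 24
  special = false
}

# A local that references an ephemeral value becomes ephemeral itself.
locals {
  db_password = ephemeral.random_password.db.result
}

# INVALID: a plain managed-resource argument would persist the value in state,
# so terraform plan stops with "Error: Ephemeral value not allowed".
#
# resource "terraform_data" "bad" {
#   input = local.db_password
# }

# VALID: provisioner blocks are an allowed context. The password reaches the
# script only through the environment of the local-exec process and is not
# recorded in state; only the non-secret input below is.
resource "terraform_data" "bootstrap" {
  input = var.db_user

  provisioner "local-exec" {
    # Stand-in for a real rotation script: prove the secret arrived without echoing it.
    command = <<-EOT
      test -n "$DB_PASSWORD" || exit 1
      echo "would rotate the password for $DB_USER"
    EOT
    environment = {
      DB_USER     = var.db_user
      DB_PASSWORD = local.db_password
    }
  }
}
```

Run terraform init and terraform apply. Afterwards terraform state list shows only terraform_data.bootstrap, and terraform show contains no password, because ephemeral resources are never recorded and provisioner configuration is not part of state. Uncomment the terraform_data "bad" block and run terraform plan to reproduce the error. Since random_password is reopened on each run, every apply sees a fresh value; that is fine for a demonstration, but a real rotation workflow would read the credential from a secrets manager through an ephemeral resource, or deliver it with a write-only argument and bump the paired version argument when it changes.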