Allow the use of ephemeral values in the output for test modules

[whereyourspace]

Terraform Version

Terraform v1.13.1
on linux_amd64

Use Cases

1. Create a subdirectory testing/setup with:

ephemeral "vault_kv_secret_v2" "proxmox_creds" {
  mount = "infra-secrets"
  name  = "testing/proxmox/creds"
}

locals {
  proxmox_creds = ephemeral.vault_kv_secret_v2.proxmox_creds.data
}

output "creds" {
  description = "Sensitive information obtained from Vault"
  ephemeral   = true
  sensitive   = true

  value = {
    proxmox = {
      username = local.proxmox_creds.username
      password = local.proxmox_creds.password
    }
  }
}

2. Reference it from a .tftest.hcl file:

run "setup" {
  module {
    source = "./testing/setup"
  }
}

3. Run:

terraform test

And you will see errors related to the fact that terraform does not allow the use of ephemeral values in the output of root modules.

$ > terraform test
tests/main.tftest.hcl... in progress
  run "setup"... fail
╷
│ Error: Ephemeral output not allowed
│ 
│   on testing/setup/outputs.tf line 20:
│   20: output "creds" {
│ 
│ Ephemeral outputs are not allowed in context of a root module
╵
  run "apply"... skip
  run "verify"... skip

$ > terraform validate
╷
│ Error: Ephemeral output not allowed
│ 
│   on testing/setup/outputs.tf line 20:
│   20: output "creds" {
│ 
│ Ephemeral outputs are not allowed in context of a root module
╵

I think this is not entirely correct, although it is not critical, given that corresponding data sources are deprecated.

> $ terraform validate
╷
│ Warning: Deprecated Resource
│ 
│   with data.vault_kv_secret_v2.proxmox_creds,
│   on testing/setup/main.tf line 1, in data "vault_kv_secret_v2" "proxmox_creds":
│    1: data "vault_kv_secret_v2" "proxmox_creds" {
│ 
│ Deprecated. Please use new Ephemeral KVV2 Secret resource `vault_kv_secret_v2` instead
╵
Success! The configuration is valid, but there were some validation warnings as shown above.

Attempted Solutions

I didn't find it. I had to use data sources instead of ephemeral data.

Proposal

No response

References

No response

[crw]

Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions. Thanks again!

[nimjor]

It seems this only applies to the stacks and test commands. Should the validate command receive the same treatment?

Consider this real life use case of developing a reusable module for creating an EKS cluster with certain org-specific controls in place. I want to use

ephemeral "aws_eks_cluster_auth" "foo" {
  name = local.cluster_name
}

instead of

data "aws_eks_cluster_auth" "foo" {
  name = local.cluster_name
}

within the module and set it as an output value so that the caller can pass it to the kubernetes provider. However, when calling terraform validate at the root of the reusable module repo throws this error about ephemeral outputs not being allowed in root module context. I understand that terraform isn't really aware that this is a reusable module I'm developing and not an actual full infrastructure configuration to be planned and applied, but the help doc for validate suggests that doing just this sort of check on a reusable module is its main purpose:

Validate runs checks that verify whether a configuration is syntactically valid and internally consistent, regardless of any provided variables or existing state. It is thus primarily useful for general verification of reusable modules, including correctness of attribute names and value types.

It would be great if validate could either just ignore this error (since a reusable module would never be intended to serve as a root module anyway) or if there could be a flag to make it behave that way.