Terraform is a declarative system, which means that you describe the desired state of your infrastructure rather than the steps to achieve it. Terraform stores the current infrastructure state in a .tfstate file. Because this file contains a complete snapshot of your infrastructure, it must be stored securely, for example, in a private S3 bucket. However, for some values, even S3 isn’t secure enough.
Since version 1.11, Terraform supports a new concept: write-only values. These values let you pass sensitive data to the provider without storing it in the state file. The Terraform provider by Nebius AI Cloud also supports write-only values.
Write-only arguments
In the Terraform provider by Nebius AI Cloud, write-only arguments are stored in the sensitive nested object within a resource. Following Terraform’s best practices, each write-only argument has a corresponding managed argument. In other words, the same attribute appears both inside the sensitive object and as a top-level argument of the resource. For example:
resource "nebius_msp_mlflow_v1alpha1_cluster" "test_cluster" {
  name           = "test_cluster"
  parent_id      = "your-projectid"
  admin_username = "user"
  admin_password = "password" # Managed argument
  sensitive = {
    admin_password = "password" # Write-only argument
  }
  ...
}
Set only one of these arguments, depending on whether you want the value saved in the *.tf files and the state file. We recommend using the argument inside sensitive so that the secret is never written to the state. If you use the managed version instead, you will receive a warning.
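As a check that the write-only path actually keeps the secret out of state, here is an added shell example (not from the Nebius documentation) that scans a pulled state for a known secret value; the two embedded state snippets are constructed to mirror the managed and write-only variants above and are not real provider output.

```shell
#!/bin/sh
# Added example, not part of the Nebius provider docs: confirm that a secret
# passed through the write-only argument did not land in terraform.tfstate.
# Both state snippets are constructed to mirror the two variants of the
# cluster resource above; they are not real provider output.

# Constructed state for the managed-argument variant (secret is persisted).
MANAGED_STATE='{
  "resources": [{"type": "nebius_msp_mlflow_v1alpha1_cluster",
    "instances": [{"attributes": {
      "admin_username": "user",
      "admin_password": "s3cr3t-pass",
      "sensitive": null}}]}]
}'

# Constructed state for the write-only variant: Terraform stores write-only
# attributes as null, so only sensitive.version survives.
WRITEONLY_STATE='{
  "resources": [{"type": "nebius_msp_mlflow_v1alpha1_cluster",
    "instances": [{"attributes": {
      "admin_username": "user",
      "admin_password": null,
      "sensitive": {"version": "1", "admin_password": null}}}]}]
}'

# secret_in_state STATE_JSON SECRET
# Prints "leaked" when the literal secret occurs anywhere in the state text
# and "clean" otherwise. -F matches a fixed string, so regex metacharacters
# in the secret are not interpreted; "--" stops a leading "-" in the secret
# from being read as an option.
secret_in_state() {
  [ -n "$2" ] || { echo "usage: secret_in_state STATE_JSON SECRET" >&2; return 2; }
  if printf '%s' "$1" | grep -qF -- "$2"; then
    echo leaked
  else
    echo clean
  fi
}

# Against a real deployment, after terraform apply:
#   secret_in_state "$(terraform state pull)" "$TF_VAR_secret"
secret_in_state "$MANAGED_STATE" "s3cr3t-pass"   # prints leaked
secret_in_state "$WRITEONLY_STATE" "s3cr3t-pass" # prints clean
```

Run the same check against the plan output (terraform show -json) if you also want to confirm that the value is absent from saved plan files.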
How to update write-only arguments
Since write-only arguments are excluded from the state file, Terraform cannot detect changes to them during the plan phase. To signal changes, the Terraform provider by Nebius AI Cloud introduces the sensitive.version attribute. You can update this string when changing a sensitive field to force Terraform to re-apply the resource.
For example:
resource "nebius_msp_mlflow_v1alpha1_cluster" "test_cluster" {
  name           = "test_cluster"
  parent_id      = "your-projectid"
  admin_username = "user"
  sensitive = {
    version        = "1"
    admin_password = "password"
  }
  ...
}
Write-only values are required and are sent again on every update of the resource, even when version is unchanged and only another attribute is modified. If you modify the resource without specifying the write-only value, you will be prompted to enter it when you run terraform apply. Ephemeral resources will be recreated.
Ephemerals for sensitive values
Terraform also supports a special type called ephemeral, which includes ephemeral resources and ephemeral variables. They are never written to the state file and can only be used in other ephemeral objects, write-only arguments, or provider settings. Ephemeral variables used in write-only arguments are excluded from the plan phase and only used during the apply phase. This ensures that sensitive values never appear in the state file, even indirectly.
How to use ephemeral variables
You can use ephemeral variables for your write-only arguments. If you do so, Terraform prompts you to enter their values at apply time. For example:
variable "secret" {
  type      = string
  ephemeral = true
}

resource "nebius_msp_mlflow_v1alpha1_cluster" "test_cluster" {
  name           = "test_cluster"
  parent_id      = "your-projectid"
  admin_username = "user"
  sensitive = {
    version        = "1"
    admin_password = var.secret
  }
  ...
}
To avoid prompts, supply the values in environment variables. For example:
  export TF_VAR_secret="your secret value"
How to trigger updates from environment variables
To trigger resource updates when an environment variable changes, use the following solution:
- Configure the versioned_ephemeral_values block in your provider settings.
- Use the nebius_hash resource to hash the value.
For example:
variable "secret" {
  type      = string
  ephemeral = true
}

provider "nebius" {
  versioned_ephemeral_values = {
    "secret_to_hash" = var.secret
  }
}

resource "nebius_hash" "secret_hash" {
  name = "secret_to_hash"
}

resource "nebius_msp_mlflow_v1alpha1_cluster" "test_cluster" {
  name           = "test_cluster"
  parent_id      = "your-projectid"
  admin_username = "user"
  sensitive = {
    version        = resource.nebius_hash.secret_hash.hash
    admin_password = var.secret
  }
  ...
}
Because the hash is stored in state, Terraform can detect ephemeral variable changes during the plan phase. Without it, changes to the secret might not be detected at all.
How to use ephemeral resources
Write-only arguments can also be populated using ephemeral resources. Here is an example using an ephemeral TLS private key:
ephemeral "tls_private_key" "rsa-4096-example" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "nebius_msp_mlflow_v1alpha1_cluster" "test_cluster" {
  name           = "test_cluster"
  parent_id      = "your-projectid"
  admin_username = "user"
  sensitive = {
    version        = "1"
    admin_password = ephemeral.tls_private_key.rsa-4096-example.private_key_pem
  }
  ...
}
You also need to inform Terraform of any updates to the ephemeral resource. You can use the same procedure as for environment variables: reference the ephemeral value in the versioned_ephemeral_values block of the provider and pass the resulting nebius_hash value as sensitive.version. Alternatively, use another resource or data source that provides a safe, deterministic view of your ephemeral secret.