> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nebius.com/llms.txt
> Use this file to discover all available pages before exploring further.

# How to work with sensitive values in the Terraform provider by Nebius AI Cloud

Terraform is a declarative system, which means that you describe the desired state of your infrastructure rather than the steps to achieve it. Terraform stores the current infrastructure state in a `.tfstate` file. Because this file contains a complete snapshot of your infrastructure, it must be stored securely, for example, in a private S3 bucket. However, for some values, even S3 isn't secure enough.

Since version 1.11, Terraform supports a new concept: [write-only values](https://developer.hashicorp.com/terraform/language/resources/ephemeral/write-only). These values let you pass sensitive data to the provider without storing it in the state file. The Terraform provider by Nebius AI Cloud also supports write-only values.

## Write-only arguments

In the Terraform provider by Nebius AI Cloud, write-only arguments are stored in the `sensitive` nested object within a resource. Following Terraform's best practices, each write-only argument has a corresponding managed argument. In other words, the same attribute appears both in the `sensitive` object and as the first-level argument. For example:

```hcl theme={null}
resource "nebius_msp_mlflow_v1alpha1_cluster" "test_cluster" {
  name           = "test_cluster"
  parent_id      = "<project_ID>"
  admin_username = "user"
  admin_password = "password"         # Managed argument
  sensitive = {
    admin_password = "password"       # Write-only argument
  }
  ...
}
```

Set only one of these arguments depending on whether you want the value saved in the `*.tf` files and the state file. We recommend using the argument inside `sensitive` to avoid saving secrets. If you try to use the managed version, you’ll receive a warning.

### How to update write-only arguments

Since write-only arguments are excluded from the state file, Terraform cannot detect changes to them during the plan phase. To signal changes, the Terraform provider by Nebius AI Cloud introduces the `sensitive.version` attribute. You can update this string when changing a sensitive field to force Terraform to re-apply the resource.

For example:

```hcl theme={null}
resource "nebius_msp_mlflow_v1alpha1_cluster" "test_cluster" {
  name      = "test_cluster"
  parent_id = "<project_ID>"
  admin_username = "user"
  sensitive = {
    version        = "1"
    admin_password = "password"
  }
  ...
}
```

<Warning>
  Write-only values are required and are updated on every update of the resource, even if `version` is unchanged but another attribute is modified. If you modify the resource and don't specify the write-only value, you will be prompted to enter it when you run `terraform apply`. The ephemeral resources will be recreated.
</Warning>

## Ephemerals for sensitive values

Terraform also supports a special type called [ephemeral](https://developer.hashicorp.com/terraform/language/resources/ephemeral), which includes ephemeral resources and ephemeral variables. They are never written to the state file and can only be used in other ephemeral objects, write-only arguments or provider settings. The ephemeral variables in write-only arguments are excluded from the plan phase and only used during the apply phase. This ensures that sensitive values never appear in the state file, even indirectly.

### How to use ephemeral variables

You can use `ephemeral` variables for your write-only arguments. If you do so, Terraform prompts you to enter their values at `apply` time. For example:

```hcl theme={null}
variable "secret" {
  type      = string
  ephemeral = true
}

resource "nebius_msp_mlflow_v1alpha1_cluster" "test_cluster" {
  name      = "test_cluster"
  parent_id = "<project_ID>"
  admin_username = "user"
  sensitive = {
    version        = "1"
    admin_password = var.secret
  }
  ...
}
```

To avoid prompts, supply the values in environment variables. For example:

```bash theme={null}
export TF_VAR_secret="<secret_value>"
```

### How to trigger updates from environment variables

To trigger resource updates when an environment variable changes, use the following solution:

1. Configure the `versioned_ephemeral_values` block in your provider settings.
2. Use the `nebius_hash` resource to hash the value.

For example:

```hcl theme={null}
variable "secret" {
  type      = string
  ephemeral = true
}

provider "nebius" {
  versioned_ephemeral_values = {
    "secret_to_hash" = var.secret
  }
}

resource "nebius_hash" "secret_hash" {
  name = "secret_to_hash"
}

resource "nebius_msp_mlflow_v1alpha1_cluster" "test_cluster" {
  name      = "test_cluster"
  parent_id = "<project_ID>"
  admin_username = "user"
  sensitive = {
    version        = resource.nebius_hash.secret_hash.hash
    admin_password = var.secret
  }
  ...
}
```

This allows Terraform to detect ephemeral variable changes during the plan phase. Otherwise, changes might not be detected at all.

### How to use ephemeral resources

Write-only arguments can also be populated using ephemeral resources. Here’s how to use a TLS resource as an example:

```hcl theme={null}
ephemeral "tls_private_key" "rsa-4096-example" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "nebius_msp_mlflow_v1alpha1_cluster" "test_cluster" {
  name           = "test_cluster"
  parent_id      = "<project_ID>"
  admin_username = "user"
  sensitive = {
    version        = "1"
    admin_password = ephemeral.tls_private_key.rsa-4096-example.private_key_pem
  }
  ...
}
```

You also need to inform Terraform of any updates to the ephemeral resource. You can use the same procedure as for [environment variables](#how-to-trigger-updates-from-environment-variables), by creating a `versioned_ephemeral_values` block in the provider. Alternatively, use another resource or data source that provides a safe, deterministic view of your ephemeral secret.
