Support Write-Only Attributes + Ephemeral Guidance for Secret Fields (Terraform ≥1.12 / OpenTofu ≥1.11)

[aaronsteers]

Support Write-Only Attributes + Ephemeral Guidance for Secret Fields (Terraform ≥1.12 / OpenTofu ≥1.11)

---

Summary

We should consider adding write-only secret-handling in the Airbyte Terraform provider to support:

1. Write-only attributes for connector credentials and API secrets
2. Clear documentation for ephemeral input values (Terraform ≥1.12 / OpenTofu ≥1.11)
3. Avoid reliance on secret values in diff/state logic

This prevents secrets from being persisted to Terraform state files while remaining fully compatible with modern Terraform and OpenTofu.

---

Background

Historically we’ve relied on Sensitive: true in schema.
This hides values from CLI output but does not prevent secrets from being written to state.

Terraform ≥1.12 and OpenTofu ≥1.11 now support write-only attributes and ephemeral values.

Given that Airbyte secrets are sent to the API and not retrievable afterward, we are a strong candidate for adopting write-only attributes.

---

Goals

• Prevent connector secrets from being stored in Terraform state
• Align with modern Terraform security best practices
• Improve provider security posture
• Provide clear user guidance for ephemeral variable usage

---

Proposed Changes

1. Convert secret fields to write-only attributes (Sensitive + WriteOnly, omit in Read()).
2. Ensure diff logic does not depend on secret values.
3. Document ephemeral variable usage for Terraform ≥1.12 / OpenTofu ≥1.11.

---

Acceptance Criteria

• Secret attributes converted to write-only where appropriate
• Read() logic does not return secrets
• Documentation updated
• Terraform 1.12+ compatibility confirmed
• Tests validate secrets are not stored in state

---

Related Resources

• Terraform Ephemeral Values: https://developer.hashicorp.com/terraform/language/values/ephemeral
• Terraform Plugin Framework Write-Only Attributes: https://developer.hashicorp.com/terraform/plugin/framework/handling-data/write-only
• OpenTofu Ephemerality: https://opentofu.org/docs/v1.11/language/ephemerality/
• Terraform Sensitive Values: https://developer.hashicorp.com/terraform/language/values/sensitive

[bflad]

Hi Aaron ("AJ") Steers (@aaronsteers) 👋

Looks like you found it already, but just to confirm, Speakeasy supports WriteOnly attributes via the x-speakeasy-terraform-write-only: true extension. More information about that can be found at: https://www.speakeasy.com/docs/terraform/customize/property-customization#write-only

We're also in the process of releasing generation support for ephemeral resources, which will be announced soon. On very recent versions of the generator, you can use x-speakeasy-entity-operation with open lifecycle (close is being merged shortly as well, if needed): https://www.speakeasy.com/docs/terraform/customize/entity-mapping#ephemeral-resource-terraform-operations

Hope this helps 👍

[aaronsteers]

Brian Flad (@bflad) - super helpful, thank you!!

I'm digging in and learning more by the minute! I will read up on the resources you shared and will circle back after digesting. 😅