Support Write-Only Attributes + Ephemeral Guidance for Secret Fields (Terraform ≥1.12 / OpenTofu ≥1.11)
Summary
We should consider adding write-only secret-handling in the Airbyte Terraform provider to support:
- Write-only attributes for connector credentials and API secrets
- Clear documentation for ephemeral input values (Terraform ≥1.12 / OpenTofu ≥1.11)
- Avoid reliance on secret values in diff/state logic
This prevents secrets from being persisted to Terraform state files while remaining fully compatible with modern Terraform and OpenTofu.
Background
Historically we’ve relied on Sensitive: true in schema.
This hides values from CLI output but does not prevent secrets from being written to state.
Terraform ≥1.12 and OpenTofu ≥1.11 now support write-only attributes and ephemeral values.
Given that Airbyte secrets are sent to the API and not retrievable afterward, we are a strong candidate for adopting write-only attributes.
Goals
- Prevent connector secrets from being stored in Terraform state
- Align with modern Terraform security best practices
- Improve provider security posture
- Provide clear user guidance for ephemeral variable usage
Proposed Changes
- Convert secret fields to write-only attributes (Sensitive + WriteOnly, omit in Read()).
- Ensure diff logic does not depend on secret values.
- Document ephemeral variable usage for Terraform ≥1.12 / OpenTofu ≥1.11.
Acceptance Criteria
- Secret attributes converted to write-only where appropriate
- Read() logic does not return secrets
- Documentation updated
- Terraform 1.12+ compatibility confirmed
- Tests validate secrets are not stored in state
Related Resources
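An added example (not code from the Airbyte provider) for the acceptance criterion that tests validate secrets are not stored in state: a Go helper that scans a state document for a canary secret planted in the configuration before apply. The resource type, attribute names, canary value and sample state are constructed and hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample shaped like a version 4 state file; all names are hypothetical.
const sampleState = `{"version": 4, "resources": [{
  "mode": "managed", "type": "example_source", "name": "db",
  "instances": [{"attributes": {
    "name": "pg", "password": "canary-7f3e", "api_key_wo": null,
    "configuration": "{\"token\":\"canary-7f3e\"}"}}]}]}`

// FindLeaks returns the sorted path of every string value in the state that
// contains canary, a unique secret the test put in the configuration.
func FindLeaks(state []byte, canary string) ([]string, error) {
	var doc any
	if err := json.Unmarshal(state, &doc); err != nil {
		return nil, fmt.Errorf("parse state: %w", err)
	}
	var leaks []string
	var walk func(path string, v any)
	walk = func(path string, v any) {
		switch t := v.(type) {
		case map[string]any:
			for k, child := range t {
				walk(path+"."+k, child)
			}
		case []any:
			for i, child := range t {
				walk(fmt.Sprintf("%s[%d]", path, i), child)
			}
		case string: // also catches secrets embedded in JSON-encoded string attributes
			if strings.Contains(t, canary) {
				leaks = append(leaks, path)
			}
		}
	}
	walk("state", doc)
	sort.Strings(leaks) // map iteration order is random; sort for stable test output
	return leaks, nil
}

func main() {
	leaks, err := FindLeaks([]byte(sampleState), "canary-7f3e")
	fmt.Println(leaks, err)
}
```

In an acceptance test the input would be the state written after apply (for example the output of `terraform state pull`), and the test fails if the returned slice is non-empty.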