Support for Ephemeral Values in Terraform Auth0 Provider

[schammah]

Checklist

• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

The Auth0 Terraform provider should support Terraform 1.10's ephemeral values to ensure that secrets retrieved provided in some resources are never persisted in Terraform state or plan files. This is a critical improvement for organizations that need to enforce strict security policies while managing secrets in their infrastructure.

Describe the ideal solution

The Provider Supports that
and variables can be defined with ephemeral=true without failing on errors such as:

Ephemeral values are not valid for "secrets", because it is not an assignable attribute.

Alternatives and current workarounds

No response

Additional context

No response

[duedares-rvj]

Hello @schammah
Thank you for taking the time out and report this.

Could you provide some more details around this?

1. A sample use case.
2. Any steps for reproducing this error Ephemeral values are not valid for "secrets", because it is not an assignable attribute.
3. Any one API of ours which might be returning a sensitive value back in response or storing the value in statefile.

I'd be happy to discuss this thoroughly with you and make any necessary improvements that we can agree upon :)
Thanks!

[duedares-rvj]

@schammah Hello 👋
Just catching up again on this.

[schammah]

hi @duedares-rvj
thanks for following up

my reference is about variable assigned with ephemeral=true this was introduced with 1.10
more about ephemeral resources

1. a use case would be configure a resource such as "auth0_connection`` then defining the client_secret` inside of it.

resource "auth0_connection" "okta_workforce" {
  for_each = var.okta_connections

  name           = "${each.key}-okta-workforce"
  display_name   = "${title(each.key)} Okta Workforce Connection"
  strategy       = "okta"
  show_as_button = false

  options {
    client_id              = each.value.client_id
    client_secret          = data.aws_secretsmanager_secret_version.okta_client_secret[each.key].secret_string
.......

in this case i read the secret from a data source defined as

data "aws_secretsmanager_secret_version" "okta_client_secret" {
  for_each  = var.okta_connections
  secret_id = each.value.client_secret
}

replacing this with:

ephemeral "aws_secretsmanager_secret_version" "okta_client_secret" {
  for_each  = var.okta_connections
  secret_id = each.value.client_secret
}

would break and is the answer for #2

So with data source works, but then the problem is in this case the secret is also stored in the state file, using ephemeral allow you to read secrets and apply them to the resources without them being stored in the state file, which pose a security risk.

to resolve this you would need to define fields that can be ephemeral in your provider schema

[dzmitry-kankalovich]

Having absolutely the same problem - in exactly the same place (connection resource, options section - client_id / client_secret)

It would be great to have these ephemeral values support especially for Auth0 provider of all - just by the nature of the thing people are very very likely to use secrets in TF scripts to provide configuration for connections, etc.

The original issue by me was opened in main TF repo: hashicorp/terraform#37202

[duedares-rvj]

@schammah @dzmitry-kankalovich Thank you guys for laying out the use case here.
I'm creating a task internally and shall pick this up soon.

I don't have strict timelines at this point, but expect to hear back from us soon!
Thanks!