Status: Under Consideration
Categories: Atlas
Created by: Guest
Created on: Mar 26, 2025

Add support for ephemeral password input in mongodbatlas_database_user resources

Terraform [v1.10](https://github.com/hashicorp/terraform/releases/tag/v1.10.0) added ephemeral resources that are not persisted in state, and [v1.11](https://github.com/hashicorp/terraform/releases/tag/v1.11.0) then added support for write-only resource attributes. To make use of this new resource type, resources must take a write-only input for applicable variables.

To make use of this in `mongodbatlas_database_user`, I propose adding an alternative `password_wo` input that is mutually exclusive with the existing `password` input, along with a supplementary `password_wo_version` value that will trigger a change if required (this is the pattern used in [`aws_secretsmanager_secret_version`](https://registry.terraform.io/providers/hashicorp/aws/5.92.0/docs/resources/secretsmanager_secret_version)).

The database user could then be configured as such, without the password being present in the terraform state:

```terraform
variable "password_version" {
  description = "Used to track changes to the password"
  type        = number
  default     = 0
}

ephemeral "random_password" "example" {
  length           = 16
  special          = true
  override_special = "!#$%&*()-_=+[]"
}

resource "mongodbatlas_database_user" "example" {
  username            = "example"
  password_wo         = ephemeral.random_password.example.result
  password_wo_version = var.password_version
  ...
}
```
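An added example, not part of the original post or of the provider: a check that scans a Terraform state file for `mongodbatlas_database_user` resources whose password value is persisted, which is the exposure the request aims to remove. The sample state is constructed, `find_persisted_passwords` is a hypothetical helper name, and `password_wo` is the attribute proposed above, assumed to be stored as null the way Terraform treats write-only attributes.

```python
import json

# Constructed sample of a Terraform state file (format version 4); all values are made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "mongodbatlas_database_user", "name": "legacy",
         "instances": [{"attributes": {"username": "legacy",
                                       "password": "S3cr3t-constructed!"}}]},
        {"mode": "managed", "type": "mongodbatlas_database_user", "name": "example",
         "instances": [{"attributes": {"username": "example", "password": None,
                                       "password_wo": None,
                                       "password_wo_version": 1}}]},
        {"mode": "managed", "type": "random_pet", "name": "other",
         "instances": [{"attributes": {"id": "calm-fox"}}]},
    ],
})

# password_wo is the attribute proposed in the post (assumption, not a confirmed provider field).
SECRET_ATTRS = ("password", "password_wo")


def find_persisted_passwords(state_text, resource_type="mongodbatlas_database_user"):
    """Return (resource address, attribute) pairs whose secret value is stored in state."""
    state = json.loads(state_text)
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != resource_type:
            continue
        base = f'{res["type"]}.{res["name"]}'
        if res.get("module"):
            base = f'{res["module"]}.{base}'
        for inst in res.get("instances", []):
            key = inst.get("index_key")  # set for count / for_each instances
            address = base if key is None else f"{base}[{json.dumps(key)}]"
            attrs = inst.get("attributes") or {}
            for attr in SECRET_ATTRS:
                # null or empty string means no secret was written to state
                if attrs.get(attr):
                    findings.append((address, attr))
    return findings


if __name__ == "__main__":
    for address, attr in find_persisted_passwords(SAMPLE_STATE):
        # Report the location only; never echo the secret value itself.
        print(f"{address}: '{attr}' is stored in plaintext in state")
```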
  • Guest
    May 16, 2025
    Adding support for ephemeral values is on our roadmap. Once we get closer to work we'll update this entry. Thank you!
  • Guest
    May 10, 2025
    It goes without saying that this is the most critical security issue in the provider. Ideally everyone would use OIDC or any other way for temporary credentials, but that is not always possible.