[New ephemeral]: aws_eks_cluster_auth should be turned into an ephemeral resource

Description

The data source aws_eks_cluster_auth causes the token to be saved in the plan and potentially expiring before the apply. This is discussed in https://github.com/hashicorp/terraform-provider-aws/issues/13189. The new ephemeral resources in terraform 1.10 should address this perfectly:

https://developer.hashicorp.com/terraform/language/v1.10.x/resources/ephemeral
https://www.hashicorp.com/blog/terraform-1-10-improves-handling-secrets-in-state-with-ephemeral-values

Requested Resource(s) and/or Data Source(s)

ephemeral aws_eks_cluster_auth

Potential Terraform Configuration

data "aws_eks_cluster" "example" {
  name = "example"
}

ephemeral "aws_eks_cluster_auth" "example" {
  name = "example"
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.example.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.example.certificate_authority[0].data)
  token                  = ephemeral.aws_eks_cluster_auth.example.token
}

References

Original issue: https://github.com/hashicorp/terraform-provider-aws/issues/13189.

Documentation:

https://developer.hashicorp.com/terraform/language/v1.10.x/resources/ephemeral
https://www.hashicorp.com/blog/terraform-1-10-improves-handling-secrets-in-state-with-ephemeral-values

Example of other ephemeral resources in terraform-provider-aws:

Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/ephemeral-resources/secretsmanager_secret_version
PR: https://github.com/hashicorp/terraform-provider-aws/pull/40009

Would you like to implement a fix?

None

hashicorp / terraform-provider-aws

[New ephemeral]: aws_eks_cluster_auth should be turned into an ephemeral resource #40343

Description

Requested Resource(s) and/or Data Source(s)

Potential Terraform Configuration

References

Would you like to implement a fix?

Community Note