Security Enhancement: Make use of Ephemeral Resources #1022
Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
What is the outcome that you are trying to reach?
The goal is to explore migrating from standard data blocks to ephemeral resources to reduce the presence of sensitive, short-lived credentials in the state file. Currently, using data "aws_eks_cluster_auth" contains the risk of these tokens being stored in the state file in plaintext. My understanding is that adopting an ephemeral model would allow these credentials to stay in memory during execution without being persisted to the state backend, improving the overall security posture of the blueprint.
Describe the solution you would like
I suggest updating infra/terraform/main.tf to use Terraform's ephemeral resources for EKS cluster authentication.
Specifically, I suggest replacing the data "aws_eks_cluster_auth" block with an ephemeral block (ephemeral "aws_eks_cluster_auth") and updating the subsequent provider references for Kubernetes, Helm, and Kubectl. I believe this would ensure that the cluster authentication token remains entirely in-memory.
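Illustrative HCL for the change proposed above (added example, not code from the original issue or repository; the `module.eks` reference, resource labels and provider versions are assumptions):

```hcl
terraform {
  # Ephemeral resources were introduced in Terraform 1.10; the AWS provider
  # version in use must expose aws_eks_cluster_auth as an ephemeral resource.
  required_version = ">= 1.10"
}

# Before: the data source's "token" attribute is persisted to the state file.
# data "aws_eks_cluster_auth" "this" {
#   name = module.eks.cluster_name
# }

# After: the token is fetched during plan/apply and never written to state.
# Ephemeral values may only flow into provider configuration, provisioners,
# write-only attributes and other ephemeral values, not into managed resources.
ephemeral "aws_eks_cluster_auth" "this" {
  name = module.eks.cluster_name # assumption: cluster created by module "eks"
}

# The non-secret connection details can stay in a regular data source.
data "aws_eks_cluster" "this" {
  name = module.eks.cluster_name
}

provider "kubernetes" {
  host                   = data.aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
  token                  = ephemeral.aws_eks_cluster_auth.this.token
}

# helm provider 2.x block syntax (3.x uses "kubernetes = { ... }").
provider "helm" {
  kubernetes {
    host                   = data.aws_eks_cluster.this.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
    token                  = ephemeral.aws_eks_cluster_auth.this.token
  }
}

provider "kubectl" {
  host                   = data.aws_eks_cluster.this.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.this.certificate_authority[0].data)
  token                  = ephemeral.aws_eks_cluster_auth.this.token
  load_config_file       = false
}
```

To confirm the change had the intended effect, pull the state after an apply (`terraform state pull`) and check that no `aws_eks_cluster_auth` entry or token value remains in it.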
Describe alternatives you have considered
None
Additional context
See Terraform ephemeral resources: https://developer.hashicorp.com/terraform/language/manage-sensitive-data/ephemeral