[datadog_api_key] Implement ephemeral datadog_api_key resource #3227
Resolved review thread (outdated) on datadog/docs/ephemeral-resources/ephemeral_security_guidelines.md
Add core infrastructure for ephemeral resources in Terraform Plugin Framework:
- Framework wrapper with schema enrichment and secure logging
- Private data utilities for state management between Open/Renew/Close
- Security guidelines and patterns for handling sensitive data
- Test coverage for wrapper functionality

This enables secure, stateless access to sensitive resources without storing secrets in Terraform state files.
Implements ephemeral API key resource using Terraform Plugin Framework:
- New ephemeral.datadog_api_key resource for stateless key access
- Secure retrieval without storing sensitive values in state
- Framework provider integration with EphemeralResources registry
- Test coverage and validation for ephemeral operations

Enables secure patterns where API keys are fetched at runtime without persistence in Terraform state files.
Add provider-level control over sensitive data storage in state:
- New store_sensitive_state provider configuration (defaults true)
- API key resources respect flag to conditionally store key values
- When false, key field is set to null in state for security
- Updated documentation with ephemeral resource usage patterns
- Examples demonstrating secure ephemeral resource patterns

Enables users to prevent sensitive API keys from being stored in Terraform state while maintaining resource functionality through ephemeral resource access patterns.
LGTM 👍
Left a few suggestions but approving so you're not blocked on me!
| subcategory: "" | ||
| description: |- | ||
| Use this data source to retrieve information about an existing api key. Deprecated. This will be removed in a future release with prior notice. Securely store your API keys using a secret management system or use the datadog_api_key resource to manage API keys in your Datadog account. | ||
| Use this data source to retrieve information about an existing API key. Deprecated: This will be removed in a future release with prior notice. For secure access to API key values without storing them in Terraform state, use the ephemeral datadog_api_key resource instead. See the ephemeral resource documentation for examples of secure API key access patterns. |
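Review bot: The rewritten description on the last line of this hunk drops the old text's advice to keep API keys in a secret management system and points only at the ephemeral `datadog_api_key` resource. Keep both recommendations rather than replacing one with the other, since the ephemeral resource still reads the key back through the Datadog API and a secret manager remains the right home for the key itself; something like "Store API keys in a secret management system, or use the ephemeral `datadog_api_key` resource to read a key at runtime without persisting it in Terraform state."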
| Use this data source to retrieve information about an existing API key. Deprecated: This will be removed in a future release with prior notice. For secure access to API key values without storing them in Terraform state, use the ephemeral datadog_api_key resource instead. See the ephemeral resource documentation for examples of secure API key access patterns. | |
| Use this data source to retrieve information about an existing API key. Deprecated: This data source will be removed in a future release with prior notice. To access API key values without storing them in Terraform state, use the ephemeral datadog_api_key resource. See the ephemeral resource documentation for examples of secure API key access patterns. |
| # datadog_api_key (Data Source) | ||
|
|
||
| Use this data source to retrieve information about an existing api key. Deprecated. This will be removed in a future release with prior notice. Securely store your API keys using a secret management system or use the datadog_api_key resource to manage API keys in your Datadog account. | ||
| Use this data source to retrieve information about an existing API key. **Deprecated**: This will be removed in a future release with prior notice. For secure access to API key values without storing them in Terraform state, use the ephemeral `datadog_api_key` resource instead. See the ephemeral resource documentation for examples of secure API key access patterns. |
| Use this data source to retrieve information about an existing API key. **Deprecated**: This will be removed in a future release with prior notice. For secure access to API key values without storing them in Terraform state, use the ephemeral `datadog_api_key` resource instead. See the ephemeral resource documentation for examples of secure API key access patterns. | |
| Use this data source to retrieve information about an existing API key. **Deprecated**: This data source will be removed in a future release with prior notice. To access API key values without storing them in Terraform state, use the ephemeral `datadog_api_key` resource. See the ephemeral resource documentation for examples of secure API key access patterns. |
| ### Read-Only | ||
|
|
||
| - `key` (String, Sensitive) The value of the API Key. | ||
| - `key` (String, Sensitive) The value of the API Key. **Security Note**: This field exposes sensitive data in Terraform state. For secure access without state storage, use the ephemeral `datadog_api_key` resource instead. |
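Review bot: The security note added to the `key` line is right that the value lands in state, but it should say why, since readers see `Sensitive` on the same line and assume that protects it: `Sensitive` only redacts plan and apply output, the plaintext is still written to the state file, and any output or resource argument that references `data.datadog_api_key.*.key` copies it into state as well. Suggest "**Security note**: `Sensitive` only masks this value in CLI output; it is stored in plaintext in Terraform state, as is anything that references it."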
| - `key` (String, Sensitive) The value of the API Key. **Security Note**: This field exposes sensitive data in Terraform state. For secure access without state storage, use the ephemeral `datadog_api_key` resource instead. | |
| - `key` (String, Sensitive) The value of the API Key. **Security note**: This field exposes sensitive data in Terraform state. For secure access without state storage, use the ephemeral `datadog_api_key` resource. |
| - `http_client_retry_max_retries` (Number) The HTTP request maximum retry number. Defaults to 3. | ||
| - `http_client_retry_timeout` (Number) The HTTP request retry timeout period. Defaults to 60 seconds. | ||
| - `org_uuid` (String) The organization UUID; used for cloud-provider-based authentication. See the [Datadog API documentation](https://docs.datadoghq.com/api/v1/organizations/) for more information. | ||
| - `store_sensitive_state` (String) Whether to expose API key values in Terraform state. Valid values are [`true`, `false`]. Defaults to `true` for backwards compatibility. When false, API key resources will not include the key value, requiring the use of ephemeral datadog_api_key resources instead. |
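Review bot: `store_sensitive_state` is documented as a String whose only valid values are `true` and `false`; a provider-level toggle like this should be a Bool so Terraform rejects anything else at validation time instead of relying on a string comparison, and if it must stay a String the doc should say what happens for other values. The sentence "When false, API key resources will not include the key value" also needs one caveat: flipping the flag only changes what the next apply writes, so the previous state snapshot, `terraform.tfstate.backup` and any versions kept by a remote backend still contain the plaintext key, and users who care about that history should rotate the key after enabling the flag.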
| - `store_sensitive_state` (String) Whether to expose API key values in Terraform state. Valid values are [`true`, `false`]. Defaults to `true` for backwards compatibility. When false, API key resources will not include the key value, requiring the use of ephemeral datadog_api_key resources instead. | |
| - `store_sensitive_state` (String) Whether to expose API key values in Terraform state. Valid values are [`true`, `false`]. Defaults to `true` for backwards compatibility. When `false`, API key resources do not include the key value; use the ephemeral `datadog_api_key` resource instead. |
| } | ||
|
|
||
| // 2. Fetch API key from Datadog API | ||
| apiKey, httpResp, err := r.Api.GetAPIKey(r.Auth, config.ID.ValueString()) |
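Review bot: The hunk ends at the `GetAPIKey` call, so the `err` and `httpResp` handling is out of view; whatever follows should surface only `err` and `httpResp.StatusCode` in diagnostics, never the response body or the `apiKey` struct, otherwise the "secure logging" promised in the commit message is undone by a single `%v` of the response on the error path. Please also add a test that asserts the key value never appears in diagnostics or log output for both the success and the failure case.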
question (blocking) - Is there a way to make this configurable such that someone could retrieve their API key from their own Secret Manager instead of relying on the Datadog API?
@tyjet do you mean using some external (non-Datadog) API/provider?
If so, yes, if someone wants to configure their infra to use a secret manager instead of using this ephemeral resource they 💯 can do that; most known secret managers have Terraform providers and resources devs can use.
That would mean that devs won't be using this resource, as this is specifically to make a state-secure way to fetch this data via the Datadog API.
I believe this leads to an important question: do we want to allow a way to get the API key via our provider, or do we want to just cut this API path from our provider entirely and force devs to use external secret managers?
And if we believe restricting this in our Terraform provider (despite still having API support because of reasons) is "the way" to lead devs to better/proper patterns, then we don't need an ephemeral resource for datadog_api_key at all.
Thanks for the explanation, I think I understand much better now.
do we want to allow a way to get API key via our provider or do we want to just cut this API path from our provider entirely and force devs to use external secret managers?
^^ -- At this point, yes, we want to allow API key access via the provider (and public API). Restricting the terraform provider would be too onerous.
This is the initial PR to start implementation of ephemeral resources, as requested in a GitHub issue.
Add core infrastructure for ephemeral resources in Terraform Plugin Framework
This enables secure, stateless access to sensitive resources without storing secrets in Terraform state files.

Implement ephemeral API key resource using Terraform Plugin Framework
Enables secure patterns where API keys are fetched at runtime without persistence in Terraform state files.

Add provider-level control over sensitive data storage in state
Enables users to prevent sensitive API keys from being stored in Terraform state while maintaining resource functionality through ephemeral resource access patterns.
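As an added example that is not part of this PR or of the provider's code: a small Go audit that reads a `terraform.tfstate` document (state format version 4) and lists every `datadog_api_key` managed resource or data source whose `key` attribute is still present and non-null. This is the check to run after setting `store_sensitive_state = false` or after replacing the deprecated data source with the ephemeral resource. Ephemeral resources are never written to state, so only managed resources and data sources are inspected. The embedded state is constructed for the demonstration; the resource names, the sample key strings and the `AuditState`/`Finding` names are assumptions, not anything from the provider.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Finding is one datadog_api_key instance whose state still carries a key value.
type Finding struct {
	Address string // Terraform address, e.g. datadog_api_key.ci or data.datadog_api_key.old["eu"]
	Reason  string
}

// tfState mirrors the subset of the terraform.tfstate (format version 4) layout the
// audit needs. Attribute values are kept raw so a JSON null stays distinguishable
// from a real string.
type tfState struct {
	Version   int `json:"version"`
	Resources []struct {
		Mode      string `json:"mode"` // "managed" or "data"
		Type      string `json:"type"`
		Name      string `json:"name"`
		Instances []struct {
			IndexKey   interface{}                `json:"index_key"`
			Attributes map[string]json.RawMessage `json:"attributes"`
		} `json:"instances"`
	} `json:"resources"`
}

// AuditState parses a raw tfstate document and returns one Finding per datadog_api_key
// instance (managed resource or deprecated data source) whose "key" attribute is
// present and not null. Ephemeral resources never appear in state, so nothing is
// checked for them.
func AuditState(raw []byte) ([]Finding, error) {
	var st tfState
	if err := json.Unmarshal(raw, &st); err != nil {
		return nil, fmt.Errorf("parse state: %w", err)
	}
	if st.Version != 4 {
		return nil, fmt.Errorf("unsupported state format version %d (expected 4)", st.Version)
	}
	var findings []Finding
	for _, r := range st.Resources {
		if r.Type != "datadog_api_key" {
			continue
		}
		for _, inst := range r.Instances {
			addr := r.Type + "." + r.Name
			if r.Mode == "data" {
				addr = "data." + addr
			}
			switch k := inst.IndexKey.(type) { // for_each / count instances
			case string:
				addr += fmt.Sprintf("[%q]", k)
			case float64: // JSON numbers decode as float64
				addr += fmt.Sprintf("[%d]", int(k))
			}
			v, ok := inst.Attributes["key"]
			if !ok || len(v) == 0 || string(v) == "null" {
				continue // nothing persisted: store_sensitive_state=false or key absent
			}
			reason := "managed resource persists the API key value in state"
			if r.Mode == "data" {
				reason = "deprecated data source persists the API key value in state; replace it with the ephemeral datadog_api_key resource"
			}
			findings = append(findings, Finding{Address: addr, Reason: reason})
		}
	}
	return findings, nil
}

// sampleState is a constructed tfstate for the demonstration (not real data): one key
// created with store_sensitive_state=true, one with it set to false, one deprecated
// data source lookup, and an unrelated resource that must be ignored.
const sampleState = `{
  "version": 4,
  "terraform_version": "1.10.0",
  "resources": [
    {"mode": "managed", "type": "datadog_api_key", "name": "legacy",
     "instances": [{"attributes": {"id": "k1", "name": "legacy", "key": "sample-key-value-not-real"}}]},
    {"mode": "managed", "type": "datadog_api_key", "name": "hardened",
     "instances": [{"attributes": {"id": "k2", "name": "hardened", "key": null}}]},
    {"mode": "data", "type": "datadog_api_key", "name": "lookup",
     "instances": [{"index_key": "eu", "attributes": {"id": "k3", "name": "lookup", "key": "sample-key-value-not-real"}}]},
    {"mode": "managed", "type": "datadog_monitor", "name": "cpu",
     "instances": [{"attributes": {"id": "1", "name": "cpu"}}]}
  ]
}`

func main() {
	raw := []byte(sampleState)
	if len(os.Args) > 1 { // audit a real state file when a path is given
		var err error
		if raw, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	findings, err := AuditState(raw)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Address, f.Reason)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero so a CI gate fails while keys remain in state
	}
}
```

A clean result only means the current snapshot carries no key value; `terraform.tfstate.backup` and earlier versions kept by a remote backend are not inspected, and nulling the attribute does not revoke the key, so any key that was ever persisted should be rotated. The JSON emitted by `terraform show -json` uses a different layout and is not handled by this audit.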