This repository contains custom Checkov policies designed to enforce best practices around ephemeral resources and write-only attributes in Terraform configurations. These checks help identify opportunities to improve security and reduce state management complexity by preferring ephemeral data sources and write-only attributes where appropriate.
The Checkov custom checks includes three main categories of checks:
- Ephemeral Creation Checks - Identify resources that could be replaced with ephemeral data sources
- Ephemeral Retrieval Checks - Detect data sources that should be marked as ephemeral
- Write-Only Attribute Checks - Flag sensitive attributes that should be write-only
Important: Ephemeral resources and write-only attributes are only fully supported in Terraform versions below 1.11.0. These checks are designed to work with Terraform configurations that target these earlier versions where ephemerality features are available.
If you're using Terraform 1.11.0 or later, some of the ephemeral resource recommendations may not be applicable to your configuration.
-
CKV2_EPH_CREATE - Prefer Ephemeral Resources for Creation Identifies Terraform resources that create ephemeral data (like secrets, tokens, or temporary credentials) and suggests using ephemeral data sources instead. This helps reduce state file exposure and improves security posture.
-
CKV2_EPH_RET - Prefer Ephemeral Resources for Retrieval
Detects data sources that retrieve sensitive or temporary information and recommends marking them as ephemeral to prevent storage in state files. -
CKV2_EPH_WO - Prefer Write-Only Attributes Flags sensitive resource attributes that should be configured as write-only to prevent them from being stored in or read from the Terraform state file.
You can also run the checks directly with Checkov:
checkov \
--external-checks-dir ./checks \
--directory ./tests \
--framework terraform \
--check CKV2_EPH_CREATE,CKV2_EPH_RET,CKV2_EPH_WOTo run specific checks, use the check IDs:
# Run only ephemeral creation checks
checkov --external-checks-dir ./checks --directory ./tests --check CKV2_EPH_CREATE
# Run only write-only attribute checks
checkov --external-checks-dir ./checks --directory ./tests --check CKV2_EPH_WOThe checks are driven by data files in the data/ directory:
ephemerality.json- Combined resource classifications (automatically generated)- Contains
ephemeralarray from generated schema analysis - Contains
resourcesarray from manual curation - Contains
write_onlyobject with resource-to-attribute mappings
- Contains
ephemeral/gen_schema_ephemerals.json- Ephemeral resources discovered from Terraform provider schemaswrite-only/gen_write_only.json- Write-only attributes discovered from provider schemas
ephemeral/manual_resources.json- Manually curated ephemeral resources
This repository includes an automated workflow that:
- Runs daily at 4:00 UTC to check for new provider resources
- Analyzes Terraform provider schemas to discover new ephemeral resources and write-only attributes
- Combines generated data with manual configurations into
ephemerality.json - Creates pull requests automatically when changes are detected
- Can be triggered manually via GitHub Actions workflow dispatch
- Checkov
- Terraform (for testing and generation)
- Clone this repository
- Install Checkov:
pip install checkov - Run the checks using Checkov with the either
--external-checks-dir.
Or
Run the checkov command with the $TARGET_DIR replaced with your target directory.
checkov -f "$TARGET_DIR/main.tf" \
--external-checks-git https://github.com/quixoticmonk/checkov-ephemerality-custom-checks.git \
--external-checks-dir checks \
--framework terraform \
--check CKV2_EPH_CREATE,CKV2_EPH_RET,CKV2_EPH_WO # only runs the checks listed in this repo
This Checkov custom checks is inspired by and builds upon the work from drewmullen/policy-library-ephemerality. Special thanks to Drew for the foundational concepts and approach to this.