
Add cloudinit_config ephemeral resource #396

@akli-ime

Description


Terraform CLI and Provider Versions

Terraform v1.14.3
Provider cloudinit v2.3.7
Provider vault v5.7.0

Terraform Configuration

ephemeral "vault_kv_secret_v2" "secret" {
  mount = "mount"
  name  = "path" // to do: use variables
}

data "cloudinit_config" "conf" {
  gzip          = false
  base64_encode = true

  part {
    filename     = "cloud-config.tpl"
    content_type = "text/cloud-config"
    content      = templatefile(
      "${path.module}/path/cloud-init.yaml",
      { key = ephemeral.vault_kv_secret_v2.secret.data.key }
    )
  }
}

Expected Behavior

The cloudinit_config.part.content attribute should accept ephemeral values, allowing secrets to be injected directly from Vault KV v2 into cloud-init templates without storing them in Terraform state. This would enable fully dynamic and secure cloud-init generation entirely within Terraform.

Actual Behavior

Terraform returns an error:

Error: Invalid use of ephemeral value

  with data.cloudinit_config.conf,
  on main.tf line XXX, in data "cloudinit_config" "conf":
  XXX: data "cloudinit_config" "conf" {

Ephemeral values are not valid for "part", because it is not an assignable
attribute.

Steps to Reproduce

List of steps to reproduce the issue.

  1. Define an ephemeral vault_kv_secret_v2 block
  2. Reference ephemeral.vault_kv_secret_v2.secret.data.key in cloudinit_config.part.content
  3. Run terraform apply

How much impact is this issue causing?

High

Logs

No response

Additional Information

Current workaround exists using the deprecated data source:

data "vault_kv_secret_v2" "secret" {
  mount = "mount"
  name  = "path"
}

  • But relying on the deprecated data source is not a long-term solution.
  • This feature would allow fully declarative, secret-safe cloud-init generation entirely within Terraform.
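The practical difference between the two approaches is what ends up in terraform.tfstate: a plain data source records every value it reads, and cloudinit_config records its rendered output as well, so the secret is persisted twice. As an added check (not from the issue or the provider), this Python script scans a state file for Vault KV v2 values, undoing the base64_encode and gzip options on the rendered attribute; the state excerpt and the secret value are constructed.

```python
import base64
import gzip
import json

# Constructed stand-in secret and the cloud-init user-data the template would render.
SAMPLE_SECRET = "s3cr3t-example-value"
RENDERED_PLAINTEXT = (
    'Content-Type: multipart/mixed; boundary="MIMEBOUNDARY"\nMIME-Version: 1.0\n\n'
    "--MIMEBOUNDARY\nContent-Type: text/cloud-config\n\n"
    f"#cloud-config\nwrite_files:\n  - path: /etc/app.key\n    content: {SAMPLE_SECRET}\n"
    "--MIMEBOUNDARY--\n"
)
# Constructed terraform.tfstate excerpt (version 4 layout): with the deprecated data
# source the secret sits in state twice, in data.key and inside rendered.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "data", "type": "vault_kv_secret_v2", "name": "secret",
         "instances": [{"attributes": {"mount": "mount", "name": "path",
                                       "data": {"key": SAMPLE_SECRET}}}]},
        {"mode": "data", "type": "cloudinit_config", "name": "conf",
         "instances": [{"attributes": {
             "gzip": False, "base64_encode": True,
             "rendered": base64.b64encode(RENDERED_PLAINTEXT.encode()).decode()}}]},
    ],
})


def decode_rendered(attrs: dict) -> str:
    """Undo the cloudinit_config base64_encode/gzip options to get plaintext user-data."""
    raw = base64.b64decode(attrs["rendered"]) if attrs.get("base64_encode") else attrs["rendered"].encode()
    if attrs.get("gzip"):
        raw = gzip.decompress(raw)
    return raw.decode(errors="replace")


def find_secret_leaks(state_json: str) -> list[str]:
    """Return state addresses whose stored attributes contain a Vault KV v2 value.
    Every value read through a plain data source is already recorded in state."""
    resources = json.loads(state_json).get("resources", [])
    secrets = {v for r in resources if r["type"] == "vault_kv_secret_v2"
               for inst in r["instances"] for v in inst["attributes"].get("data", {}).values()}
    leaks = []
    for r in resources:
        addr = ("data." if r["mode"] == "data" else "") + f"{r['type']}.{r['name']}"
        for inst in r["instances"]:
            haystack = json.dumps(inst["attributes"])  # catches plaintext attributes
            if r["type"] == "cloudinit_config":
                haystack += decode_rendered(inst["attributes"])  # catches encoded user-data
            if any(s in haystack for s in secrets):
                leaks.append(addr)
    return leaks
```

Run it against a real state file with `find_secret_leaks(open("terraform.tfstate").read())`; an empty list is the result the ephemeral-based configuration is meant to guarantee.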

Code of Conduct

  • I agree to follow this project's Code of Conduct

Metadata

Labels

enhancement (New feature or request)