A few weeks ago I published a similar blog that shows how you can update your modules to optionally utilize ephemeral secrets, removing secrets from state for all new deployments. However, to keep that approach fully programmatic, older deployments still retained the secret. This blog explores a method to fully remove secrets from state, even on old deployments. However, it requires manual effort on behalf of users and involves some risk.

## Setup

V1 of your module had a resource which introduced a secret into state:

```hcl
resource "tls_private_key" "legacy" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "vault_kv_secret_v2" "legacy" {
  mount = "kvv2"
  name  = "mytls"
  data_json = jsonencode({
    private_key = tls_private_key.legacy.private_key_pem
  })
}
```

`tls_private_key.legacy.private_key_pem` contains a secret value that is stored in state.…
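Before deciding whether an old deployment needs the manual cleanup, it helps to confirm exactly where the key material sits in the state file. The following scanner is an added example, not code from the original post: it walks a Terraform state document (the version 4 JSON layout, the same shape `terraform show -json` or a raw `terraform.tfstate` uses) and reports every attribute whose value contains a PEM private key, descending into JSON-encoded strings such as `data_json` so that a key copied into a Vault resource is also caught. The `SAMPLE_STATE` document is constructed to mirror the V1 module above, and the key body in it is a placeholder string, not real key material.

```python
"""Scan a Terraform (v4 JSON) state document for PEM private keys stored in resource attributes."""
import json
import re
from typing import Any, Iterator

# Matches the opening line of any PEM private key block (RSA, EC, PKCS#8, OpenSSH).
PEM_PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Placeholder standing in for the secret the V1 module writes into state; not a real key.
PLACEHOLDER_KEY = "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"

# Constructed sample state matching the V1 module (tls_private_key feeding vault_kv_secret_v2).
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "1.9.0",
    "resources": [
        {
            "mode": "managed",
            "type": "tls_private_key",
            "name": "legacy",
            "provider": 'provider["registry.terraform.io/hashicorp/tls"]',
            "instances": [{
                "schema_version": 1,
                "attributes": {
                    "algorithm": "RSA",
                    "rsa_bits": 4096,
                    "private_key_pem": PLACEHOLDER_KEY,
                    "public_key_pem": "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PUBLIC KEY-----\n",
                },
                "sensitive_attributes": [[{"type": "get_attr", "value": "private_key_pem"}]],
            }],
        },
        {
            "mode": "managed",
            "type": "vault_kv_secret_v2",
            "name": "legacy",
            "provider": 'provider["registry.terraform.io/hashicorp/vault"]',
            "instances": [{
                "schema_version": 0,
                "attributes": {
                    "mount": "kvv2",
                    "name": "mytls",
                    # data_json is a JSON document serialised into a string, exactly as jsonencode() produces.
                    "data_json": json.dumps({"private_key": PLACEHOLDER_KEY}),
                },
                "sensitive_attributes": [[{"type": "get_attr", "value": "data_json"}]],
            }],
        },
    ],
}


def _walk(value: Any, path: str) -> Iterator[tuple[str, str]]:
    """Yield (path, text) for every string leaf, also descending into JSON documents embedded in strings."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            yield from _walk(child, f"{path}[{idx}]")
    elif isinstance(value, str):
        yield path, value
        if value.lstrip().startswith(("{", "[")):
            try:
                yield from _walk(json.loads(value), f"{path}(json)")
            except ValueError:
                pass  # not valid JSON; treat as an opaque string


def find_private_keys(state: dict) -> list[str]:
    """Return attribute paths (resource address + attribute) whose value holds a PEM private key."""
    hits: list[str] = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        if res.get("mode") == "data":
            address = "data." + address
        for inst in res.get("instances", []):
            suffix = f"[{inst['index_key']}]" if "index_key" in inst else ""
            for path, text in _walk(inst.get("attributes", {}), f"{address}{suffix}"):
                if PEM_PRIVATE_KEY_RE.search(text):
                    hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in find_private_keys(SAMPLE_STATE):
        print("private key material in state:", hit)
```

Run against a real state by replacing `SAMPLE_STATE` with `json.load(open("terraform.tfstate"))`. On the constructed sample it reports the key three times: once on the `tls_private_key` resource, once on the raw `data_json` string, and once inside the decoded JSON document, which is the point of the V1 problem: marking the attribute sensitive hides it from plan output but does not keep it out of the state file.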