improve write-only attribute example

bschaatsbergen · bschaatsbergen · commit ac62910a7e35 · 2025-03-03T01:09:28.000+01:00
diff --git a/website/docs/language/resources/ephemeral/index.mdx b/website/docs/language/resources/ephemeral/index.mdx
@@ -44,21 +44,43 @@ Use write-only arguments to securely pass temporary values to resources during a
 <CodeBlockConfig highlight="11">
 
 ```hcl
-ephemeral "random" "password" {
+ephemeral "random_password" "db_password" {
   length = 16
 }
 
-resource "aws_db_instance" "test" {
-  instance_class      = "db.t5.micro"
+resource "aws_secretsmanager_secret" "db_password" {
+  name = "db_password"
+}
+
+resource "aws_secretsmanager_secret_version" "db_password" {
+  secret_id                = aws_secretsmanager_secret.db_password.id
+  secret_string_wo         = ephemeral.random_password.db_password.result
+  secret_string_wo_version = 1
+}
+
+ephemeral "aws_secretsmanager_secret_version" "db_password" {
+  secret_id = aws_secretsmanager_secret.db_password.id
+}
+
+resource "aws_db_instance" "example" {
+  instance_class      = "db.t3.micro"
   allocated_storage   = "5"
   engine              = "postgres"
-  username            = "admin"
+  username            = "example"
   skip_final_snapshot = true
-  password_wo         = ephemeral.random.password.value
+
+  password_wo         = ephemeral.aws_secretsmanager_secret_version.db_password.secret_string
   password_wo_version = 1
 }
 ```
 
+### Deferring ephemeral resources
+
+If an input argument of an ephemeral resource references a value that is not yet known but will be during or after the plan, Terraform defers the resource’s execution to the apply stage instead of running it during the plan. This behavior allows Terraform to evaluate the ephemeral resource at the correct time and ensures that the resource is not executed prematurely.
+
+In the above example, the ephemeral resource aws_secretsmanager_secret_version references an input argument that is initially unknown. As a result, Terraform defers its execution to the apply stage, ensuring that the resource is evaluated at the correct time. 
+This allows Terraform to first create the secret using the ephemeral `random_password`, then retrieve it using the ephemeral `aws_secretsmanager_secret_version` resource, and finally write the password to the write-only `password_wo` argument of the `aws_db_instance` resource.
+
 </CodeBlockConfig>
 
 When Terraform creates the `aws_db_instance` resource, Terraform sends the `password_wo` argument to the `aws` provider. The `aws` provider then uses the `password_wo` value to configure the database instance, and then Terraform discards the password value without ever storing it. 
