Description
azurerm_container_registry_task: docker_step.context_access_token rejects ephemeral values from HCP Terraform varsets
Summary
When passing a short-lived GitHub PAT as an ephemeral variable from an HCP Terraform varset into azurerm_container_registry_task.docker_step.context_access_token, the plan/apply fails with:

```
Error: Invalid use of ephemeral value

Ephemeral values are not valid for "docker_step", because it is not an assignable attribute.
```
This prevents using ephemeral credentials (the recommended approach for short-lived secrets) with ACR Tasks that pull build context from GitHub.
Affected Resource(s)
azurerm_container_registry_task
Terraform / Provider Versions
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 4.38.0"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 2.6.1"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.7.2"
    }
  }
}
```
- Terraform CLI: (please fill in exact version, e.g., 1.9.x)
- HCP Terraform: using varsets with an ephemeral variable for github_pat
Minimal Configuration to Reproduce
var.github_pat is supplied via an HCP Terraform varset as an ephemeral value (not persisted in state).
```hcl
variable "container_registry" {
  # Object with field 'id'
  type = object({ id = string })
}

variable "github_pat" {
  type      = string
  sensitive = true
  # value provided as ephemeral in HCP Terraform varset
}

resource "azurerm_container_registry_task" "backend" {
  name                  = "crt-backend"
  container_registry_id = var.container_registry.id

  platform {
    os = "Linux"
  }

  docker_step {
    dockerfile_path      = "Dockerfile"
    context_path         = "https://github.com/org/repo#main:src/dotnet/DotNetProject.Api"
    context_access_token = var.github_pat # <- ephemeral varset value
    image_names          = ["foobar:v1.0.0"]
  }
}
```
Actual Behavior
Apply fails with:
```
Error: Invalid use of ephemeral value

  on src/terraform/apps/backend.tf line 1, in resource "azurerm_container_registry_task" "backend":
   1: resource "azurerm_container_registry_task" "backend" {

Ephemeral values are not valid for "docker_step", because it is not an assignable attribute.
```
Expected Behavior
docker_step.context_access_token should accept ephemeral values from HCP Terraform varsets (like other sensitive secret inputs), allowing short-lived tokens to be used without persisting credentials.
Why This Matters
- Ephemeral values are designed to avoid persisting secrets in state.
- context_access_token is a prime candidate for short-lived credentials (e.g., GitHub fine-grained PATs or brokered tokens).
- Rejecting ephemeral values blocks recommended secret-handling patterns and forces less secure or more operationally complex workarounds.
Workarounds Tried
- ✅ Passing a regular sensitive variable (non-ephemeral) works, but defeats the purpose of ephemeral credentials.
- 🔄 Storing a secret in Key Vault and reading via data sources still surfaces the same limitation if the upstream is ephemeral.
- 🔁 Using non-token auth (e.g., switching build context source) may not be feasible for all workflows.
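To see concretely what the first workaround costs, this added Python script (not part of the issue or the provider) scans a Terraform v4 state file and reports every azurerm_container_registry_task whose docker_step persisted a non-empty context_access_token; the state JSON and token value below are constructed for the example.

```python
import json

# Constructed sample of a Terraform v4 state file: "backend" was applied with
# a plain sensitive (non-ephemeral) variable, so the PAT was written to state
# in plaintext; "nightly" has no token and should not be reported.
SAMPLE_STATE = json.loads("""
{
  "version": 4,
  "terraform_version": "1.9.0",
  "resources": [
    {"mode": "managed", "type": "azurerm_container_registry_task", "name": "backend",
     "instances": [{"attributes": {"name": "crt-backend",
       "docker_step": [{"context_path": "https://github.com/org/repo#main:src",
                        "context_access_token": "ghp_EXAMPLE_PLACEHOLDER_TOKEN"}]}}]},
    {"mode": "managed", "type": "azurerm_container_registry_task", "name": "nightly",
     "instances": [{"attributes": {"name": "crt-nightly",
       "docker_step": [{"context_path": "https://github.com/org/repo#main:src",
                        "context_access_token": ""}]}}]},
    {"mode": "managed", "type": "azurerm_resource_group", "name": "rg",
     "instances": [{"attributes": {"name": "rg-example"}}]}
  ]
}
""")


def persisted_context_tokens(state: dict) -> list[str]:
    """Return the addresses of ACR task resources whose docker_step block
    carries a non-empty context_access_token in state, i.e. a build-context
    secret that was not supplied ephemerally and now sits in the state file."""
    hits = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "azurerm_container_registry_task":
            continue
        module = res.get("module")  # e.g. "module.apps" when inside a module
        addr = f"{module}.{res['type']}.{res['name']}" if module else f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            # Nested blocks are stored as lists of objects in state.
            for step in inst.get("attributes", {}).get("docker_step") or []:
                if step.get("context_access_token"):
                    key = inst.get("index_key")  # count/for_each instance key, if any
                    hits.append(addr + (f"[{json.dumps(key)}]" if key is not None else ""))
    return hits


if __name__ == "__main__":
    for address in persisted_context_tokens(SAMPLE_STATE):
        print(f"context_access_token persisted in state for {address}")
```

Run it against `terraform state pull` output to confirm whether a token-bearing task has leaked its credential into state.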
Proposed Fix / Enhancement
- Mark docker_step.context_access_token as ephemeral-compatible in the provider schema so that ephemeral values can be assigned.
- If the underlying SDK/framework requires block-level handling: allow ephemeral flow-through for attribute fields within nested blocks, or move the validation to the specific attribute (context_access_token) rather than the parent block.
Additional Context
- Error appears to be triggered at the block level (docker_step reported as "not an assignable attribute"), even though the ephemeral value is assigned to an attribute (context_access_token) within the block.
- This might indicate a provider/schema constraint with ephemeral support inside nested blocks.
References
- Resource docs: azurerm_container_registry_task (ACR Task)
- HCP Terraform ephemeral variables (short-lived secret handling)