website/docs/language/ephemerality/write-only-attributes.mdx
:::info
Write-only attributes can be used only with OpenTofu v1.11 onwards.
:::
Write-only attributes are found only in managed resources that are designed to accept transient values that will never be stored in the state or plan.

For example, a secret can be read by using an ephemeral resource and then passed into the write-only attribute `password_wo` of a managed resource.

The lifecycle of these attributes is quite different from that of other types of attributes:

* When present in the plan/apply CLI output, a write-only attribute is always displayed as `(write-only attribute)`.
* Because OpenTofu has no way to know what value is currently in the remote resource (i.e. the value in the state is null) and does not know what value has been, or is planned to be, stored remotely (i.e. the provider returns a null value for these attributes), it cannot generate a change for such attributes. Provider authors are therefore recommended to include, alongside the write-only attribute, a non-write-only attribute that instructs the provider to update the resource with the value given in the configuration of the write-only attribute.

For example, `aws_secretsmanager_secret_version` offers two fields for this: `secret_string_wo`, which is the write-only attribute, and `secret_string_wo_version`, which is the non-write-only attribute. When the value of `secret_string_wo_version` is changed from what is currently stored in the state, the provider will trigger an update of the `secret_string_wo` attribute with the value provided in the configuration.
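
A minimal configuration showing the two-field pattern described above, added here as an illustration and not taken from the OpenTofu documentation. The resource labels, the secret name, the variable and the use of the `random_password` ephemeral resource (assumed to come from a `hashicorp/random` provider version that ships it) are assumptions.

```hcl
# Added example: names, labels and the secret path are placeholders.

# Hypothetical variable used as the update trigger.
variable "db_password_version" {
  type        = number
  default     = 1
  description = "Increase this to push a new value into the write-only attribute."
}

# Ephemeral resource: its result exists only for the duration of the run
# and is never written to the state or the plan file.
ephemeral "random_password" "generated" {
  length  = 32
  special = true
}

resource "aws_secretsmanager_secret" "db" {
  name = "example/db-password" # placeholder name
}

resource "aws_secretsmanager_secret_version" "db" {
  secret_id = aws_secretsmanager_secret.db.id

  # Write-only attribute: stored as null in the state and shown as
  # "(write-only attribute)" in plan/apply output.
  secret_string_wo = ephemeral.random_password.generated.result

  # Regular attribute kept in the state. A change here is the only thing
  # that produces a diff, which makes the provider send secret_string_wo again.
  secret_string_wo_version = var.db_password_version
}
```

Changing only the expression assigned to `secret_string_wo` yields no planned change; rotation takes effect when `db_password_version` is also changed, so reviews of secret rotations should check that both move together.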
For an in-depth example on how to use write-only attributes, please refer to this example.