Terraform ephemeral resources, Waypoint actions, and more at HashiDays 2025

HashiCorp Terraform, Waypoint, and Nomad continue to simplify hybrid cloud infrastructure with new capabilities that help secure infrastructure before deployment and effectively manage it over time.

Enterprises are struggling to protect their hybrid cloud infrastructure from security risks due to misconfigurations and lack of proper guardrails throughout its lifecycle. HashiCorp’s Infrastructure Lifecycle Management (ILM) portfolio automates how companies build, deploy, and manage their infrastructure over time, ensuring that developers can move fast while always using the approved approach with governance baked in.

As organizations scale their IT estates, infrastructure automation becomes even more critical. With scale comes the challenge of balancing developer agility with the security and compliance needs of the organization. Infrastructure lifecycle management (ILM) helps make the secure, cost-effective approach the simplest path for developers.

At HashiDays London, we are announcing the general availability of several features to help simplify infrastructure lifecycle management and accelerate time-to-value:

  • HashiCorp Terraform ephemeral resources: Protect sensitive data, such as passwords or API keys, that should not persist in state files.
  • Pre-written Sentinel policies: Reduce the barrier of adoption for policy as code infrastructure workflows with new pre-written policy libraries co-developed with AWS.
  • Private VCS access: Access private version control system (VCS) repositories securely by ensuring that your source code and static credentials are not exposed over the public internet.
  • Module lifecycle management – revocation: Streamline module management by revoking outdated or vulnerable modules.
  • HCP Waypoint actions: Empower platform teams to expose Day 2+ operations — including restarts, rollbacks, and build promotions — as golden workflows that developers can safely trigger via UI, CLI, or API.
  • HashiCorp Nomad 1.10 - dynamic host volumes: Allow on-demand provisioning of host storage, simplifying operations and enhancing governance compared to previously available options.

»Terraform ephemeral values

Terraform recently introduced ephemeral resources, ephemeral input variables, and write-only arguments to improve efficiency and security in resource management. Ephemeral resources are temporary: they are created, used, and discarded within a single Terraform operation, and their values are not persisted in the state file. Because nothing lingers after the run, this approach avoids the long-term cost of unused resources and keeps resource usage tight.

Write-only arguments, conversely, are resource arguments whose values can only be written, never read back from Terraform's state file. They are important for securely passing sensitive information to a resource and preventing it from being exposed unintentionally or committed to version control.

Below is a code snippet showing one of the new ephemeral resources, vault_kv_secret_v2, introduced in version 5.0 of the Vault provider. The secret is read from Vault during the run and handed to the database resource through a write-only argument, so the password never lands in the plan or state file:

# Ephemeral resource: fetched from Vault for this run only and never
# written to the plan or state file.
ephemeral "vault_kv_secret_v2" "db_secret" {
  mount = var.vault_mount
  name  = var.vault_name
}

resource "aws_db_instance" "hashidays" {
  identifier                  = "web-db-hashidays"
  instance_class              = "db.t3.micro"
  allocated_storage           = 10
  apply_immediately           = true
  engine                      = "postgres"
  engine_version              = "15"
  username                    = "edu"
  # Write-only argument: accepts the ephemeral value without persisting it.
  password_wo                 = ephemeral.vault_kv_secret_v2.db_secret.data.password
  # Change this value to tell Terraform the password has rotated and must be re-applied.
  password_wo_version         = var.password_version
  allow_major_version_upgrade = true
  db_subnet_group_name        = aws_db_subnet_group.hashidays.name
  vpc_security_group_ids      = [aws_security_group.rds.id]
  parameter_group_name        = aws_db_parameter_group.hashidays.name
  publicly_accessible         = true  # demo setting; keep false for production databases
  skip_final_snapshot         = true
  backup_retention_period     = 1
}

»Pre-written Sentinel policies

Sentinel is a policy as code framework that provides logic-based policy enforcement over infrastructure configurations in Terraform. This approach lets organizations treat policies like application code, meaning the code can be version controlled, audited, tested, and understood by stakeholders across the organization.

While Sentinel can be used as a powerful tool to ensure cloud governance at scale, we understand that adopting policy as code workflows may be a daunting and time-consuming process. This is especially true for organizations that lack the resources and expertise to write policies from scratch. Starting from the ground up can lead to significant delays in the development and implementation of policies, and increase the risk of human error and misconfigurations.

That’s why we are releasing multiple pre-written Sentinel policy sets in collaboration with AWS for use in the Terraform registry. These policy libraries aim to lower the barrier of adoption by providing a turnkey solution for complex governance challenges and empowering organizations to move faster without trade-offs between speed and security. These new policy sets are co-created and co-owned by HashiCorp and AWS and are written specifically for AWS services in compliance with industry standards including the Center for Internet Security (CIS) and Amazon Foundational Best Security Practices (FSBP).
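As an added illustration of the policy-as-code workflow described above (this is an example written for this article, not one of the HashiCorp/AWS co-developed policy sets), the following Sentinel policy uses the tfplan/v2 import to block any run that would create or update an aws_db_instance with publicly_accessible set to true. Applied to the ephemeral-resources snippet earlier on this page, which sets publicly_accessible = true, it would fail the run and print the offending address.

```sentinel
# Added example policy: deny internet-exposed RDS instances.
import "tfplan/v2" as tfplan

# Only consider RDS instances that this plan creates or updates.
db_instances = filter tfplan.resource_changes as _, rc {
  rc.type is "aws_db_instance" and
  rc.mode is "managed" and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# Select those whose planned configuration exposes the database publicly.
# `else false` handles the case where the argument is omitted (provider default).
public_instances = filter db_instances as _, rc {
  (rc.change.after.publicly_accessible else false) is true
}

# Report each violating resource address so developers know what to fix.
for public_instances as address, _ {
  print("Violation: " + address + " sets publicly_accessible = true")
}

# Enforcement decision: the run passes only when no public RDS instances remain.
main = rule {
  length(public_instances) is 0
}
```

Attach the policy to a policy set with a hard-mandatory enforcement level to block the run outright, or advisory while teams are still onboarding.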

»Private VCS access

Large organizations face greater data security risks and therefore require stricter security controls when using SaaS or managed services. As a result, some prefer to keep Terraform operations — such as VCS management — off the public internet. Without this option, organizations are often forced to choose between accepting a weaker security posture or managing Terraform themselves.

Private VCS access, now available in HCP Terraform Premium, addresses this concern by using egress-only connections to HCP Terraform, ensuring that the on-premises agent is not accessible from the internet. This reduces the potential attack surface and enhances an organization’s security posture.

»Module lifecycle management - revocation

Modules accelerate infrastructure provisioning by eliminating the need to start from scratch. They are often developed, shared, and consumed across multiple teams. The HCP Terraform private registry provides a centralized workflow for publishing and discovering modules. However, without a reliable method to revoke outdated modules, organizations risk using obsolete or non-compliant configurations.

For instance, if a module author deletes a module version from the private registry without notifying consumers, affected workspaces may fail and require manual updates to restore functionality.

Module lifecycle management features in HCP Terraform reduce the overhead of module management while mitigating security and compliance risks. The latest module lifecycle management feature — revocation — is now available in HCP Terraform Premium to help ensure that only compliant, up-to-date versions of modules are in use.

In HCP Terraform, deprecated modules surface a warning to users, but the run continues, allowing teams to address the issue without disruption. Revocation takes this one step further and blocks runs that contain revoked modules. This lets organizations prevent users from provisioning resources with outdated or vulnerable module versions, and attach a custom message that points users to a supported version, increasing developer velocity while decreasing security and compliance risks.

»HCP Waypoint actions

Introduced in public beta at HashiDays London last year, HCP Waypoint actions is now generally available as a part of HCP Terraform Premium. Actions let platform teams package Day 2+ operations — such as restarts, rollbacks, build promotions, feature-flag toggles — into golden workflows that developers trigger safely from the HCP UI, CLI, or API. By binding these actions to Waypoint templates, every application inherits the same “click-to-operate” guardrails, replacing tribal scripts and ticket queues with standardized, self-service tasks.

GA status for HCP Waypoint actions brings production SLAs, HCP API parity, and the confidence to codify Day 0 to Day 2+ automation on your existing Terraform foundation — eliminating bottlenecks, shrinking ticket volume, and accelerating incident response without sacrificing governance. In short, developers move faster while platform teams stay firmly in control, delivering on the promise of an internal developer platform that doesn’t stop at deployment. Read more in our HCP Waypoint actions GA release blog.

»Nomad dynamic host volumes

HashiCorp Nomad 1.10 adds dynamic host volumes, which significantly enhance storage management by enabling on-demand creation of volumes directly via the API or CLI, eliminating the need for pre-configuration in agent files or client restarts. This functionality adds agility and self-service capabilities for operators, allowing them to provision storage with custom specifications (like capacity and capabilities) precisely when and where they are needed. The result is a simplified, more flexible workflow for deploying stateful applications, reducing administrative overhead and enabling dynamic resource allocation. Additionally, with Nomad Enterprise, governance features further strengthen this capability, allowing operators to use Sentinel policies to enforce specific rules on a volume's specification, such as mandating precise parameters or restricting storage tiers based on environment or namespace.

»Get started

From securing infrastructure before deployment to streamlining Day 2+ operations at scale, these new HashiDays announcements reflect our continued commitment to simplifying Infrastructure Lifecycle Management and helping organizations do cloud right at scale.

You can try many of these new features now. If you are new to our ILM products, sign up for an HCP account to get started today, and also check out our tutorials. HCP Terraform includes a $500 credit that allows users to quickly get started and experience all features included in all plans, including HCP Terraform Premium. Contact our sales team if you’re interested in trying our self-managed offerings of Terraform and Nomad.