Sensitive variables and outputs in Terraform are security features designed to protect confidential information such as passwords, API keys, and other secrets from being exposed in logs, console output, or state files.
**Sensitive Variables:**
When declaring input variables, you can mark them as s…Sensitive variables and outputs in Terraform are security features designed to protect confidential information such as passwords, API keys, and other secrets from being exposed in logs, console output, or state files.
**Sensitive Variables:**
When declaring input variables, you can mark them as sensitive by setting the `sensitive` argument to `true`. This prevents Terraform from displaying the variable's value in the CLI output during plan and apply operations.
Example:
hcl
variable "database_password" {
type = string
description = "The database password"
sensitive = true
}
When you reference a sensitive variable, Terraform will show `(sensitive value)` instead of the actual content in any output. This helps prevent accidental exposure of credentials in CI/CD logs or shared terminal sessions.
**Sensitive Outputs:**
Similarly, outputs can be marked as sensitive to prevent their values from being displayed. This is crucial when you need to pass sensitive data between modules or export values that contain confidential information.
Example:
hcl
output "db_connection_string" {
value = aws_db_instance.main.connection_string
sensitive = true
}
**Key Considerations:**
1. Sensitive values are still stored in the Terraform state file in plain text, so protecting your state file remains essential.
2. If a sensitive variable is used to compute a non-sensitive output, Terraform will raise an error unless you explicitly mark that output as sensitive.
3. Environment variables prefixed with `TF_VAR_` can pass sensitive values securely.
4. Using a secrets management tool like HashiCorp Vault is recommended for production environments.
**Best Practices:**
- Always mark variables containing credentials as sensitive
- Encrypt your state files at rest
- Use remote backends with encryption enabled
- Avoid hardcoding sensitive values in configuration files
- Consider using the `sensitive` function to mark specific expressions as sensitive dynamically
Sensitive Variables and Outputs in Terraform
Why Sensitive Variables and Outputs Matter
When working with infrastructure as code, you frequently handle confidential information such as passwords, API keys, database credentials, and private certificates. Terraform needs access to these secrets to provision resources, but exposing them in logs, state files, or console output creates significant security risks. Understanding how to properly handle sensitive data is crucial for both real-world Terraform usage and the certification exam.
What Are Sensitive Variables and Outputs?
Terraform provides a sensitive attribute that can be applied to both input variables and output values. When marked as sensitive:
• The value is redacted from CLI output • The value is hidden in plan and apply outputs • The value is still stored in the state file (important to remember!)
Declaring Sensitive Variables
To mark an input variable as sensitive, use the sensitive = true argument:
When this variable is used, Terraform displays (sensitive value) instead of the actual content in any output.
Declaring Sensitive Outputs
Similarly, outputs can be marked sensitive:
output "connection_string" { value = "Server=${var.db_host};Password=${var.db_password}" sensitive = true }
How Sensitivity Propagation Works
Terraform automatically propagates sensitivity. If you use a sensitive variable within an expression or resource attribute, that resulting value also becomes sensitive. This is called sensitivity propagation or sensitivity inheritance.
For example, if var.password is sensitive, then "prefix-${var.password}" is also treated as sensitive.
Key Behaviors to Remember
1. State File Storage: Sensitive values ARE stored in plain text in the state file. The sensitive flag only prevents display in CLI output.
2. Required for Sensitive Outputs: If an output references a sensitive value, you must mark that output as sensitive, or Terraform will produce an error.
3. No Encryption: The sensitive attribute does not encrypt data. Use proper state backend encryption and access controls.
4. Terraform Cloud: Sensitive variables in Terraform Cloud are encrypted at rest and write-only after creation.
Best Practices
• Store state files in encrypted backends (S3 with encryption, Terraform Cloud) • Use environment variables for sensitive inputs: TF_VAR_db_password • Integrate with secret management tools like HashiCorp Vault • Restrict access to state files using IAM policies or workspace permissions
Exam Tips: Answering Questions on Sensitive Variables and Outputs
1. Remember the scope: The sensitive attribute affects CLI display only, NOT state file storage. Questions often test whether candidates know that state files contain sensitive values in plain text.
2. Syntax recognition: Know the exact syntax: sensitive = true within variable or output blocks.
3. Error scenarios: If a question describes an error when creating outputs that use sensitive variables, the answer typically involves adding sensitive = true to the output block.
4. Propagation questions: Understand that sensitivity flows through expressions. Any value derived from a sensitive source becomes sensitive.
5. State security: When asked about protecting sensitive data in state files, look for answers involving backend encryption, access controls, or remote state with proper permissions—not the sensitive attribute alone.
6. Terraform Cloud distinction: Know that Terraform Cloud handles sensitive variables differently, providing encryption at rest and preventing values from being read after they are written.
7. Common distractors: Watch for wrong answers suggesting that sensitive = true encrypts values or prevents them from being stored in state.