Terraformcloud~5 mins

Sensitive output values in Terraform - Commands & Configuration

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Introduction

Sometimes you want to keep certain output information private, like passwords or keys. Terraform lets you mark outputs as sensitive so they don't show up in normal command outputs. This helps keep secrets safe while still sharing important info.

When you output a database password from Terraform but don't want it to appear in the terminal.

When you share Terraform state with your team but want to hide API keys in outputs.

When you automate deployments and need to pass secret values without exposing them in logs.

When you want to prevent accidental copying of sensitive data from Terraform output.

When you use Terraform outputs in scripts but want to keep secrets secure.

Config File - main.tf

main.tf

terraform {
  required_version = ">= 1.0"
}

output "db_password" {
  value     = "supersecret123"
  sensitive = true
}

output "app_url" {
  value = "https://myapp.example.com"
}

This Terraform file defines two outputs.

db_password is marked as sensitive = true so Terraform hides it in normal output.

app_url is a normal output and will show in the terminal.

Commands

This command sets up Terraform in the current folder by downloading necessary plugins and preparing the environment.

Terminal

terraform init

Expected OutputExpected

Initializing the backend... Initializing provider plugins... - Finding latest version of hashicorp/random... - Installing hashicorp/random v3.4.3... - Installed hashicorp/random v3.4.3 (signed by HashiCorp) Terraform has been successfully initialized!

This command applies the Terraform configuration to create or update resources and outputs the results. The -auto-approve flag skips manual confirmation.

Terminal

terraform apply -auto-approve

Expected OutputExpected

Apply complete! Resources: 0 added, 0 changed, 0 destroyed. Outputs: app_url = "https://myapp.example.com" Note: sensitive output "db_password" is hidden.

→

-auto-approve - Automatically approve the apply without asking for confirmation

This command shows the outputs from the last apply. Sensitive outputs are hidden to protect secrets.

Terminal

terraform output

Expected OutputExpected

app_url = "https://myapp.example.com" Note: sensitive output "db_password" is hidden.

This command shows the value of the sensitive output explicitly. Use this carefully because it reveals the secret.

Terminal

terraform output db_password

Expected OutputExpected

supersecret123

Key Concept

If you remember nothing else from this pattern, remember: marking outputs as sensitive hides them from normal Terraform output to protect secrets.

Common Mistakes

Not setting sensitive = true on secret outputs

Secrets like passwords will show in terminal output and logs, risking exposure.

Always add sensitive = true to outputs that contain secret or private information.

Trying to see sensitive output with just terraform output

Terraform hides sensitive outputs by default, so you won't see the secret value.

Use terraform output <output_name> to explicitly view a sensitive output when needed.

Summary

Use sensitive = true in output blocks to keep secrets hidden from normal Terraform output.

Run terraform apply to apply changes and see non-sensitive outputs.

Use terraform output <name> to view sensitive outputs carefully when needed.