
Sensitive output values in Terraform - Step-by-Step Execution

Process Flow - Sensitive output values
1. Define output variable
2. Mark output as sensitive?
   - No: Output visible in CLI and state
   - Yes: Output value hidden in CLI, output stored in state file
This flow shows how marking an output as sensitive hides its value from CLI output but still stores it securely in the state file.
Execution Sample
```hcl
output "db_password" {
  value     = aws_db_instance.example.password
  sensitive = true
}
```
Defines a sensitive output for a database password that hides the value in CLI output.
Process Table
| Step | Action | Output Value Visible? | State File Storage |
|------|--------|-----------------------|--------------------|
| 1 | Define output 'db_password' with sensitive=true | No (hidden) | Stored in state file |
| 2 | Run 'terraform apply' | No (hidden in CLI) | Stored in state file |
| 3 | Run 'terraform output db_password' | No (hidden) | Stored in state file |
| 4 | Remove sensitive flag | Yes (visible in CLI) | Stored in state file |
| 5 | Run 'terraform output db_password' | Yes (visible) | Stored in state file |
💡 Sensitive outputs hide values in CLI but keep them stored securely; removing sensitive flag shows values.
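Added example, not part of the original lesson: the `sensitive` flag changes what the CLI prints, while the value itself is written to the state as readable JSON, so anyone who can read the state can read the secret. This Python check lists where a state file holds such values without echoing them; the sample state, its values and the `secret_keys` name heuristic are constructed assumptions.

```python
import json

# Constructed sample: a trimmed Terraform state (format version 4) as it could
# look after applying the db_password output above. All values are made up.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "outputs": {
        "db_password": {"value": "constructed-Passw0rd!", "type": "string", "sensitive": True},
        "db_endpoint": {"value": "db.example.internal:5432", "type": "string"},
    },
    "resources": [{
        "mode": "managed", "type": "aws_db_instance", "name": "example",
        "instances": [{"attributes": {"identifier": "example",
                                      "password": "constructed-Passw0rd!"}}],
    }],
})


def mask(value):
    """Describe a value by length only, so the audit never prints the secret."""
    text = value if isinstance(value, str) else json.dumps(value)
    return f"<{len(text)} chars present>"


# Assumption: secret_keys is a simple name heuristic chosen for this example.
def audit_state(state_text, secret_keys=("password", "secret", "token")):
    """Return (kind, address, masked_value) for secrets readable in a state file.

    Covers outputs flagged sensitive whose value is recorded in the state, and
    resource attributes whose name contains one of secret_keys.
    """
    state = json.loads(state_text)
    findings = []
    for name, out in sorted(state.get("outputs", {}).items()):
        if out.get("sensitive") and out.get("value") is not None:
            findings.append(("output", name, mask(out["value"])))
    for res in state.get("resources", []):
        address = f'{res.get("type")}.{res.get("name")}'
        for inst in res.get("instances", []):
            for key, val in sorted((inst.get("attributes") or {}).items()):
                if val and any(s in key.lower() for s in secret_keys):
                    findings.append(("attribute", f"{address}.{key}", mask(val)))
    return findings


if __name__ == "__main__":
    for kind, address, shown in audit_state(SAMPLE_STATE):
        print(f"{kind:9} {address:40} {shown}")
```

Any finding means the state needs the same access control and encryption at rest as the secret itself.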
Status Tracker
| Variable | Start | After Step 1 | After Step 4 | Final |
|----------|-------|--------------|--------------|-------|
| db_password | undefined | hidden in CLI, stored in state | visible in CLI, stored in state | visible in CLI, stored in state |
Key Moments - 3 Insights
Why can't I see the sensitive output value in the CLI after apply?
Because the output is marked sensitive (see execution_table step 2), Terraform hides it in CLI to protect secrets.
Is the sensitive output value lost or not stored anywhere?
No, it is stored in the state file (execution_table step 1 and 2), just hidden from CLI output.
What happens if I remove the sensitive flag from the output?
The output value becomes visible in CLI (execution_table step 4 and 5).
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table, at which step does the output value become visible in CLI?
A. Step 4
B. Step 3
C. Step 2
D. Step 1
💡 Hint
Check the 'Output Value Visible?' column in execution_table rows.
According to variable_tracker, what is the state of 'db_password' after step 1?
A. Undefined
B. Visible in CLI, stored unencrypted
C. Hidden in CLI, stored in state
D. Visible in CLI, stored encrypted
💡 Hint
Look at the 'After Step 1' column for 'db_password' in variable_tracker.
If you want to keep the output value visible in CLI, what should you do?
A. Set sensitive = true
B. Remove sensitive = true
C. Encrypt the state file manually
D. Use a different output name
💡 Hint
Refer to execution_table steps 4 and 5 about sensitive flag effect.
Concept Snapshot
Terraform outputs can be marked sensitive to hide their values in CLI output.
Sensitive outputs are still stored securely in the state file.
Removing the sensitive flag makes the output visible in CLI.
Use sensitive outputs to protect secrets like passwords from accidental exposure.
Full Transcript
This lesson shows how Terraform handles sensitive output values. When you mark an output as sensitive, Terraform hides its value in the command line interface to protect secrets. However, the value is still stored securely in the state file. If you remove the sensitive flag, the output value becomes visible in the CLI. This helps keep sensitive information safe while still allowing you to output necessary data.