
Sensitive variables in Terraform - Commands & Configuration

Introduction
Sometimes you need to keep secrets like passwords or keys safe when using Terraform. Sensitive variables help hide these secrets so they don't show up in logs or outputs.
When you need to store a database password in your Terraform configuration without exposing it.
When you want to keep API keys secret while deploying cloud resources.
When sharing Terraform code but want to avoid leaking sensitive information.
When you want Terraform to warn you if a secret is accidentally printed.
When you want to pass sensitive data securely between Terraform modules.
Config File - variables.tf
variable "db_password" {
  description = "The password for the database"
  type        = string
  sensitive   = true
}

variable "db_user" {
  description = "The username for the database"
  type        = string
  sensitive   = false
}

output "db_user_output" {
  value = var.db_user
}

output "db_password_output" {
  value     = var.db_password
  sensitive = true
}

This file defines two variables: db_password, marked as sensitive to hide its value, and db_user, which is not sensitive. It also defines outputs for both variables. The password output is marked sensitive so Terraform will not show its value in the output.

Commands
This command initializes the Terraform working directory and downloads necessary provider plugins.
Terminal
terraform init
Expected Output
Initializing the backend...

Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.0.0...
- Installed hashicorp/aws v4.0.0 (signed by HashiCorp)

Terraform has been successfully initialized!
This command shows what Terraform will do, passing the sensitive password and user as variables. The password value will not be shown in the plan output.
Terminal
terraform plan -var='db_password=MySecret123' -var='db_user=admin'
Expected Output
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # example_resource will be created
  + resource "example_resource" "db" {
      + user     = "admin"
      + password = (sensitive value)
    }

Plan: 1 to add, 0 to change, 0 to destroy.
-var - Passes variable values to Terraform
This command applies the changes to create resources using the sensitive variables. The password will not be shown in the output.
Terminal
terraform apply -auto-approve -var='db_password=MySecret123' -var='db_user=admin'
Expected Output
example_resource.db: Creating...
example_resource.db: Creation complete after 2s [id=12345]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
-auto-approve - Skips interactive approval prompt
-var - Passes variable values to Terraform
This command shows the outputs. The sensitive output value will be hidden.
Terminal
terraform output
Expected Output
db_user_output = admin

Warning: Output "db_password_output" is sensitive, and its value will not be shown.
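As an added example (not part of this tutorial), the Python checker below scans captured terraform plan, apply and output text for the cleartext of the secrets you passed in, which is how a CI job can confirm that sensitive = true is actually redacting. The sample plan text and the terraform output -json document are constructed here; note that the -json form, like the state file, still carries sensitive values unredacted, so both must be protected as secrets.

```python
import json

# Added example, not from the tutorial: confirm that secrets passed to
# Terraform never appear in cleartext in captured plan/apply/output text.
def find_leaks(log_text, secrets):
    """Return (variable_name, line_number, line) for every line of the
    captured Terraform output that contains a secret's cleartext value.
    Terraform's "(sensitive value)" placeholder is, by construction, not a leak."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, value in secrets.items():
            if value and value in line:
                leaks.append((name, lineno, line.strip()))
    return leaks

def sensitive_outputs_in_json(output_json):
    """Names of outputs that `terraform output -json` flags as sensitive.
    The -json form still carries their cleartext values (as does the state
    file), so that JSON must itself be handled as a secret."""
    data = json.loads(output_json)
    return sorted(name for name, meta in data.items() if meta.get("sensitive"))

# Constructed inputs: the secret from the page's plan command, the page's
# redacted plan, and a hypothetical plan where db_password lacked sensitive = true.
SECRETS = {"db_password": "MySecret123"}

PLAN_OK = """\
  + resource "example_resource" "db" {
      + user     = "admin"
      + password = (sensitive value)
    }
Plan: 1 to add, 0 to change, 0 to destroy.
"""

PLAN_LEAKY = """\
  + resource "example_resource" "db" {
      + user     = "admin"
      + password = "MySecret123"
    }
"""

# Constructed `terraform output -json` document in the shape Terraform emits.
OUTPUT_JSON = json.dumps({
    "db_user_output": {"sensitive": False, "type": "string", "value": "admin"},
    "db_password_output": {"sensitive": True, "type": "string", "value": "MySecret123"},
})

if __name__ == "__main__":
    print("redacted plan leaks:", find_leaks(PLAN_OK, SECRETS))
    print("leaky plan leaks:", find_leaks(PLAN_LEAKY, SECRETS))
    print("sensitive outputs:", sensitive_outputs_in_json(OUTPUT_JSON))
```

In a pipeline, pipe the saved command output and the values you passed via -var or TF_VAR_ environment variables into find_leaks and fail the job if it returns anything.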
Key Concept

If you remember nothing else from this pattern, remember: marking variables and outputs as sensitive keeps secrets hidden from Terraform logs and outputs.

Common Mistakes
Not marking a secret variable as sensitive
Terraform will show the secret value in logs and outputs, exposing it.
Add sensitive = true to the variable definition to hide its value.
Marking outputs as sensitive but not variables
The secret value can still appear in plan or apply logs if the variable is not sensitive.
Mark both variables and outputs as sensitive to fully protect the secret.
Passing sensitive values directly on the command line without care
Command history or process lists may expose the secret.
Use environment variables or Terraform Cloud variables to pass secrets more securely.
Summary
Define variables with sensitive = true to hide secret values.
Pass sensitive variables using the -var flag or a more secure method such as environment variables.
Terraform hides sensitive values in plan, apply, and output commands.