
Sensitive variables in Terraform - Step-by-Step Execution

Process Flow - Sensitive variables
Define variable with sensitive = true
Terraform reads variable
Value is marked sensitive
Use variable in resources or outputs
Terraform hides value in CLI output
Value stored securely in state file
Apply or plan runs without exposing value
Terraform marks variables as sensitive to hide their values in outputs and logs, protecting secrets during deployment.
Execution Sample
Terraform
variable "db_password" {
  type      = string
  sensitive = true
}

output "db_password" {
  value     = var.db_password
  sensitive = true
}
Defines a sensitive variable and outputs it without revealing the actual value in CLI or logs.
Process Table
| Step | Action | Variable State | Output Behavior | Notes |
|---|---|---|---|---|
| 1 | Define variable db_password with sensitive=true | db_password marked sensitive | No output yet | Variable is flagged sensitive |
| 2 | Terraform reads variable value during plan | db_password value loaded securely | Value hidden in plan output | Sensitive flag prevents showing value |
| 3 | Use variable in resource or output | db_password remains sensitive | Output shows <sensitive> placeholder | Actual value not printed |
| 4 | Terraform writes state file | Sensitive value stored securely | No value leakage | State file protects sensitive data |
| 5 | Run terraform apply | Sensitive variable used internally | CLI output hides value | Sensitive data safe from exposure |
| 6 | Attempt to print output without sensitive flag | Value still sensitive | Output shows <sensitive> | Terraform enforces hiding |
| 7 | Output with sensitive=true set | Value remains sensitive | Output masked as <sensitive> | Explicit sensitive output |
| 8 | End of execution | Sensitive variable protected | No sensitive data shown | Execution ends safely |
💡 Terraform execution ends with sensitive variables protected from CLI and log exposure
Status Tracker
| Variable | Defined | After Plan | After Apply | Final |
|---|---|---|---|---|
| db_password | sensitive=true, value hidden | value loaded, hidden in output | used internally, hidden in CLI | remains sensitive, never exposed |
Key Moments - 3 Insights
Why does Terraform show <sensitive> instead of the actual variable value in outputs?
Terraform masks variables marked sensitive to prevent accidental exposure in the CLI or logs, as shown in rows 3 and 6 of the Process Table.
Is the sensitive variable value stored in the Terraform state file?
Yes, but it is stored securely to protect secrets, as explained in row 4 of the Process Table.
Can you disable the sensitive flag to see the variable value in outputs?
If you remove sensitive=true, Terraform will show the value, but this risks exposing secrets. Keeping sensitive=true ensures safety, as shown in rows 6 and 7 of the Process Table.
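The masking traced above applies to what the CLI prints; the state file is JSON that still carries the value itself, so it needs access control and backend encryption of its own. As an added example (not part of the original page), this Python sketch lists the sensitive outputs whose values are present in a state document and builds a masked copy for sharing; the sample state is constructed and assumes the version 4 state layout.

```python
import copy
import json

# Constructed sample in the layout of a version 4 state file's "outputs"
# section (assumption: local backend, terraform.tfstate); values are made up.
SAMPLE_STATE = json.loads("""
{
  "version": 4,
  "outputs": {
    "db_password": {"value": "constructed-example-pw", "type": "string", "sensitive": true},
    "db_endpoint": {"value": "db.example.internal:5432", "type": "string"}
  },
  "resources": []
}
""")

MASK = "<sensitive>"


def sensitive_outputs_with_values(state):
    """Names of outputs flagged sensitive whose real value is present in state."""
    return sorted(
        name
        for name, out in state.get("outputs", {}).items()
        if out.get("sensitive") and out.get("value") is not None
    )


def redact_outputs(state):
    """Return a copy of the state with sensitive output values masked.

    Only the "outputs" section is handled; resource attributes can hold the
    same secret and are not covered by this sketch.
    """
    redacted = copy.deepcopy(state)
    for out in redacted.get("outputs", {}).values():
        if out.get("sensitive"):
            out["value"] = MASK
    return redacted


if __name__ == "__main__":
    print("sensitive outputs stored with their value:",
          sensitive_outputs_with_values(SAMPLE_STATE))
    print(json.dumps(redact_outputs(SAMPLE_STATE)["outputs"], indent=2))
```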
Visual Quiz - 3 Questions
Test your understanding
Look at step 3 of the Process Table. What does Terraform show when outputting a sensitive variable?
A. <sensitive>
B. The actual secret value
C. An error message
D. Null
💡 Hint
Check the Output Behavior column at step 3 in the Process Table.
At which step does Terraform store the sensitive variable securely in the state file?
A. Step 2
B. Step 6
C. Step 4
D. Step 8
💡 Hint
Look for the note about state file storage in the Process Table.
If you remove sensitive=true from the variable definition, what changes in the Output Behavior column of the Process Table?
A. Terraform still hides the value
B. Terraform shows the actual value in outputs
C. Terraform throws an error
D. Terraform skips the variable
💡 Hint
Refer to the Key Moments entry about disabling the sensitive flag and output visibility.
Concept Snapshot
Terraform sensitive variables:
- Define with sensitive = true
- Values hidden in CLI outputs and logs
- Stored securely in state file
- Protect secrets from accidental exposure
- Outputs show <sensitive> placeholder
- Use for passwords, keys, tokens
Full Transcript
This visual execution shows how Terraform handles sensitive variables. First, you define a variable with sensitive = true. Terraform then marks this variable as sensitive and hides its value during plan and apply steps. When used in outputs or resources, Terraform replaces the actual value with <sensitive> to avoid exposing secrets in CLI or logs. The sensitive value is stored securely in the Terraform state file, protecting it from unauthorized access. Even if you try to print the output without marking it sensitive, Terraform will still mask the value. Removing the sensitive flag will expose the value but risks security. This process ensures your secrets like passwords or API keys stay safe during infrastructure deployment.