Sensitive variable handling in Terraform - Commands & Configuration
Introduction
Sometimes you need to keep secrets like passwords or keys safe when setting up cloud resources. Sensitive variable handling in Terraform helps you protect these secrets so they don't show up in logs or outputs.
When you need to store a database password without exposing it in your Terraform plan or state files.
When you want to pass an API key to a cloud service without printing it in the console.
When you configure Terraform variables that contain private information like tokens or certificates.
When sharing Terraform code with others but want to keep some values hidden.
When automating infrastructure deployment and need to keep secrets secure in CI/CD pipelines.
Config File - main.tf
# Input variable for the database password. sensitive = true makes Terraform
# redact the value in plan and apply output; it does not encrypt the state file.
variable "db_password" {
  description = "The password for the database"
  type        = string
  sensitive   = true
}

resource "aws_db_instance" "example" {
  allocated_storage    = 20
  engine               = "mysql"
  engine_version       = "8.0"
  instance_class       = "db.t3.micro"
  name                 = "exampledb" # deprecated in AWS provider v4 in favour of db_name
  username             = "admin"
  password             = var.db_password # shown as (sensitive value) in plan output
  parameter_group_name = "default.mysql8.0"
  skip_final_snapshot  = true
}

# Marked sensitive so that `terraform output` prints a placeholder instead of the password.
output "db_password_output" {
  value     = var.db_password
  sensitive = true
}

This Terraform file defines a sensitive variable db_password to hold the database password securely.

The aws_db_instance resource uses this password to create a MySQL database instance.

The output db_password_output is marked sensitive to prevent it from showing in the console output.

Commands
This command initializes the Terraform working directory, downloading necessary provider plugins.
Terminal
terraform init
Expected Output
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.0.0...
- Installed hashicorp/aws v4.0.0 (signed by HashiCorp)

Terraform has been successfully initialized!
This command shows the changes Terraform will make. The password is supplied with -var at run time, so it never has to be written into the configuration file.
Terminal
terraform plan -var='db_password=SuperSecret123!'
Expected Output
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_db_instance.example will be created
  + resource "aws_db_instance" "example" {
      + allocated_storage    = 20
      + engine               = "mysql"
      + engine_version       = "8.0"
      + instance_class       = "db.t3.micro"
      + name                 = "exampledb"
      + username             = "admin"
      + password             = (sensitive value)
      + parameter_group_name = "default.mysql8.0"
      + skip_final_snapshot  = true
    }

Plan: 1 to add, 0 to change, 0 to destroy.
-var - Passes variable values directly on the command line
This command applies the changes to create the database using the sensitive password, without prompting for confirmation.
Terminal
terraform apply -var='db_password=SuperSecret123!' -auto-approve
Expected Output
aws_db_instance.example: Creating...
aws_db_instance.example: Still creating... [10s elapsed]
aws_db_instance.example: Creation complete after 20s [id=exampledb]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
-auto-approve - Skips interactive approval before applying changes
This command tries to show the sensitive output value, but Terraform hides it to keep it secret.
Terminal
terraform output db_password_output
Expected Output
(sensitive value)
Key Concept

If you remember nothing else from this pattern, remember: marking variables and outputs as sensitive keeps secrets hidden from logs and console output.

Common Mistakes
Not marking a secret variable as sensitive in the variable definition.
Terraform will show the secret value in plan and apply outputs, exposing it to anyone with access.
Always add sensitive = true to variables holding secrets.
Printing sensitive outputs without marking them sensitive.
Outputs will display secret values in the console, risking exposure.
Set sensitive = true in output blocks that contain secrets.
Hardcoding secrets directly in Terraform files.
Secrets become visible in code repositories and logs.
Pass secrets via variables at runtime or use secret management tools.
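The third mistake above, hardcoding secrets in .tf files, is the one that a repository scan can catch before code is pushed. The following Python script is an added example, not part of the original lesson or of Terraform itself: it flags string literals assigned to secret-looking argument names (password, token, api_key and so on; the name list is an assumed heuristic, extend it for your providers), flags a literal default inside a variable block with a secret-looking name, and checks whether .gitignore excludes *.tfvars files, which is where run-time values usually live when they are not passed with -var (note that -var on the command line can land in shell history, which is why a gitignored .tfvars file or a secret manager is often preferred). The sample repository it scans is constructed in a temporary directory; a reference such as password = var.db_password is not a literal and is not reported.

```python
"""Scan Terraform source for hardcoded secrets and missing .gitignore rules.

Added example, not part of the original lesson. The argument-name heuristic and
the sample repository below are constructed for illustration.
"""
import re
import tempfile
from pathlib import Path

# Assumed heuristic: argument or variable names containing these words hold secrets.
SECRET_NAME_RE = re.compile(r"(password|passwd|secret|token|api_key|private_key)", re.IGNORECASE)
# A single-line assignment of a double-quoted string literal, e.g.  password = "hunter2"
ASSIGN_RE = re.compile(r'^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"]*)"\s*$')
VAR_BLOCK_RE = re.compile(r'^\s*variable\s+"(?P<name>[^"]+)"\s*\{')


def scan_tf_text(text: str, filename: str = "<memory>") -> list[tuple[str, int, str]]:
    """Return (filename, line_no, description) for each hardcoded secret literal.

    Tracks only top-level variable blocks (a nested block such as validation {}
    would end the tracking early); that is enough for the default = "..." case.
    """
    findings = []
    current_var = None  # name of the variable block we are inside, if any
    for no, line in enumerate(text.splitlines(), start=1):
        block = VAR_BLOCK_RE.match(line)
        if block:
            current_var = block.group("name")
            continue
        if current_var is not None and line.strip() == "}":
            current_var = None
            continue
        m = ASSIGN_RE.match(line)
        if not m or not m.group("value"):  # unquoted values (var.x, true) never match
            continue
        name = m.group("name")
        if SECRET_NAME_RE.search(name):
            findings.append((filename, no, f"{name} = <literal>"))
        elif name == "default" and current_var and SECRET_NAME_RE.search(current_var):
            findings.append((filename, no, f'variable "{current_var}" default = <literal>'))
    return findings


def scan_directory(root) -> list[tuple[str, int, str]]:
    """Scan every *.tf file under root, reporting paths relative to root."""
    root = Path(root)
    findings = []
    for tf in sorted(root.rglob("*.tf")):
        findings.extend(scan_tf_text(tf.read_text(), str(tf.relative_to(root))))
    return findings


def tfvars_ignored(root) -> bool:
    """True if .gitignore excludes *.tfvars files (the usual home for run-time secret values)."""
    gitignore = Path(root) / ".gitignore"
    if not gitignore.exists():
        return False
    patterns = {ln.strip() for ln in gitignore.read_text().splitlines()
                if ln.strip() and not ln.strip().startswith("#")}
    return bool(patterns & {"*.tfvars", "*.tfvars.json", "terraform.tfvars"})


# Constructed sample repository: main.tf follows the lesson, legacy.tf shows the mistake.
SAMPLE_FILES = {
    "main.tf": 'variable "db_password" {\n  type      = string\n  sensitive = true\n}\n\n'
               'resource "aws_db_instance" "example" {\n  username = "admin"\n'
               '  password = var.db_password\n}\n',
    "legacy.tf": 'variable "api_token" {\n  type      = string\n  sensitive = true\n'
                 '  default   = "tok-constructed-example"\n}\n\n'
                 'resource "aws_db_instance" "legacy" {\n  username = "admin"\n'
                 '  password = "constructed-plaintext"\n}\n',
    ".gitignore": "*.tfstate\n",
}


def build_sample_repo() -> Path:
    """Write the constructed sample files into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="tfscan-"))
    for name, body in SAMPLE_FILES.items():
        (root / name).write_text(body)
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    for path, line_no, what in scan_directory(repo):
        print(f"{path}:{line_no}: hardcoded secret: {what}")
    if not tfvars_ignored(repo):
        print(".gitignore does not exclude *.tfvars")
```

Run it as a pre-commit step over the repository root; a non-empty finding list or a False from tfvars_ignored is the signal to block the commit.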
Summary
Define sensitive variables with sensitive = true to keep secrets hidden.
Pass secret values at runtime using -var flag instead of hardcoding.
Mark outputs containing secrets as sensitive to prevent console exposure.

Practice

1. What does setting sensitive = true on a Terraform variable do?
easy
A. It hides the variable's value in Terraform plan and apply outputs.
B. It encrypts the variable value in the Terraform state file.
C. It makes the variable read-only in the configuration.
D. It automatically rotates the variable value periodically.

Solution

  1. Step 1: Understand the purpose of sensitive attribute

    The sensitive = true flag tells Terraform to hide the variable's value in output logs and plans to avoid accidental exposure.
  2. Step 2: Clarify what it does not do

    It does not encrypt the state file or rotate values; those are separate concerns.
  3. Final Answer:

    It hides the variable's value in Terraform plan and apply outputs. -> Option A
  4. Quick Check:

    sensitive = true hides output values [OK]
Hint: Sensitive true hides values in output, not encryption [OK]
Common Mistakes:
  • Thinking sensitive encrypts the state file
  • Assuming sensitive makes variables read-only
  • Believing sensitive rotates secrets automatically
2. Which of the following is the correct syntax to declare a sensitive variable in Terraform?
easy
A. variable "db_password" { type = string sensitive = true }
B. variable "db_password" { type = string sensitive = true }
C. variable "db_password" { type = string, sensitive = true }
D. variable "db_password" { type = string; sensitive = true }

Solution

  1. Step 1: Recall Terraform block syntax

    Terraform uses HCL syntax where attributes inside blocks are separated by new lines without commas or semicolons.
  2. Step 2: Identify correct formatting

    variable "db_password" { type = string sensitive = true } correctly places sensitive = true on a new line without commas or semicolons.
  3. Final Answer:

    variable "db_password" { type = string sensitive = true } -> Option B
  4. Quick Check:

    HCL uses new lines, no commas or semicolons [OK]
Hint: Use new lines, no commas or semicolons in variable blocks [OK]
Common Mistakes:
  • Adding commas between attributes
  • Using semicolons inside blocks
  • Putting attributes on the same line without proper syntax
3. Given this Terraform output block:
output "db_password" {
  value     = var.db_password
  sensitive = true
}
What will Terraform display when you run terraform output?
medium
A. It will show (sensitive) instead of the password.
B. It will cause an error because outputs cannot be sensitive.
C. It will show the actual password value.
D. It will show an empty string.

Solution

  1. Step 1: Understand sensitive outputs behavior

    When an output is marked sensitive, Terraform hides its value in the output command to avoid exposing secrets.
  2. Step 2: Confirm expected output

    Terraform replaces the actual value with (sensitive) text instead of showing the secret.
  3. Final Answer:

    It will show (sensitive) instead of the password. -> Option A
  4. Quick Check:

    sensitive output hides value with (sensitive) [OK]
Hint: Sensitive outputs show (sensitive), not actual values [OK]
Common Mistakes:
  • Expecting actual secret to print
  • Thinking sensitive outputs cause errors
  • Assuming output is empty string
4. You have marked a variable as sensitive = true but when running terraform plan, the secret value still appears. What is the most likely cause?
medium
A. You forgot to run terraform apply first.
B. Terraform does not support sensitive variables in plans.
C. The variable is used directly in a resource argument that prints its value.
D. The variable type is not set to string.

Solution

  1. Step 1: Understand sensitive variable behavior in plans

    Terraform hides sensitive variable values in outputs, but if the variable is interpolated directly into a resource argument that is displayed in the plan, the value can appear.
  2. Step 2: Identify cause of exposure

    Using a sensitive variable in a resource argument that Terraform shows in the plan can reveal the secret despite the sensitive flag.
  3. Final Answer:

    The variable is used directly in a resource argument that prints its value. -> Option C
  4. Quick Check:

    Direct use in resource can expose sensitive values [OK]
Hint: Sensitive hides output but not direct resource interpolation [OK]
Common Mistakes:
  • Assuming sensitive hides all plan values
  • Thinking apply is needed to hide values
  • Believing variable type affects sensitivity
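The question above is about a secret surfacing in plan output. A way to check for that mechanically is to inspect the machine-readable plan (terraform plan -out=tfplan followed by terraform show -json tfplan): Terraform writes every planned attribute value into that JSON in plaintext and records which ones it will redact in a parallel sensitive_values tree, so the JSON file itself has to be handled as a secret. The script below is an added example, not part of the original lesson or of Terraform: it collects the values of the variables you name as sensitive and reports every planned attribute that carries one of those values without a sensitive mark, which is exactly the case where terraform plan would print it. The plan document is constructed to mirror the lesson's main.tf, with an extra tags.note attribute standing in for a place where the same secret reached a non-sensitive argument (for example through a hardcoded literal), so Terraform has not marked it.

```python
"""Find planned resource attributes that would print a secret in `terraform plan`.

Added example, not part of the original lesson. Input is the JSON produced by
`terraform plan -out=tfplan && terraform show -json tfplan`; the document
below is constructed by hand in that shape.
"""
import json
from typing import Any, Iterator

# Constructed plan document mirroring the page's main.tf. "tags.note" holds the
# same secret but is not marked in sensitive_values, so plan output would show it.
SAMPLE_PLAN_JSON = """
{
  "format_version": "1.2",
  "variables": {
    "db_password": {"value": "SuperSecret123!"}
  },
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "aws_db_instance.example",
          "type": "aws_db_instance",
          "name": "example",
          "values": {
            "engine": "mysql",
            "username": "admin",
            "password": "SuperSecret123!",
            "tags": {"note": "SuperSecret123!"}
          },
          "sensitive_values": {
            "password": true,
            "tags": {}
          }
        }
      ]
    }
  }
}
"""
SAMPLE_PLAN = json.loads(SAMPLE_PLAN_JSON)


def _leaf_paths(value: Any, path: tuple = ()) -> Iterator[tuple[tuple, Any]]:
    """Yield (path, scalar) for every scalar nested inside a JSON value."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from _leaf_paths(item, path + (key,))
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from _leaf_paths(item, path + (index,))
    else:
        yield path, value


def _is_marked_sensitive(marks: Any, path: tuple) -> bool:
    """Follow a leaf path through a sensitive_values tree; True means Terraform redacts it."""
    node = marks
    for step in path:
        if node is True:
            return True  # an entire sub-tree is marked sensitive
        if isinstance(node, dict):
            node = node.get(step)
        elif isinstance(node, list) and isinstance(step, int) and step < len(node):
            node = node[step]
        else:
            return False
    return node is True


def _modules(module: dict) -> Iterator[dict]:
    """Walk the root module and every nested child module."""
    yield module
    for child in module.get("child_modules", []):
        yield from _modules(child)


def find_unredacted_secrets(plan: dict, sensitive_vars: set) -> list[str]:
    """Return "address:attribute.path" for every planned attribute whose value equals
    the value of a named sensitive variable but is not marked in sensitive_values."""
    secrets = set()
    for name in sensitive_vars:
        value = plan.get("variables", {}).get(name, {}).get("value")
        if isinstance(value, str) and value:
            secrets.add(value)
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for module in _modules(root):
        for resource in module.get("resources", []):
            marks = resource.get("sensitive_values", {})
            for path, leaf in _leaf_paths(resource.get("values", {})):
                if isinstance(leaf, str) and leaf in secrets and not _is_marked_sensitive(marks, path):
                    findings.append(f"{resource['address']}:{'.'.join(map(str, path))}")
    return findings


if __name__ == "__main__":
    for finding in find_unredacted_secrets(SAMPLE_PLAN, {"db_password"}):
        print("would print in plan:", finding)
```

The password attribute is skipped because sensitive_values marks it, while tags.note is reported; in a pipeline, feed the real plan JSON to find_unredacted_secrets and fail the job on any finding, then delete the JSON file.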
5. You want to securely store a database password in Terraform and avoid exposing it in state files or outputs. Which combination of practices is best?
hard
A. Use sensitive = false and rely on Terraform's default security.
B. Mark the variable as sensitive = true and print it in outputs for verification.
C. Store the password in plain text variable and restrict access to the Terraform config files.
D. Mark the variable as sensitive = true, use sensitive outputs, and encrypt the Terraform state file.

Solution

  1. Step 1: Protect variable visibility

    Marking the variable as sensitive hides it in outputs and plans, reducing accidental exposure.
  2. Step 2: Secure outputs and state file

    Using sensitive outputs keeps secrets hidden when showing results, and encrypting the state file protects stored secrets.
  3. Final Answer:

    Mark the variable as sensitive = true, use sensitive outputs, and encrypt the Terraform state file. -> Option D
  4. Quick Check:

    Combine sensitive flag, outputs, and state encryption [OK]
Hint: Combine sensitive flag, outputs, and state encryption [OK]
Common Mistakes:
  • Printing sensitive variables in outputs
  • Storing secrets in plain text variables
  • Relying on defaults without encryption