
Sensitive variable handling in Terraform - Commands & Configuration

Introduction
Sometimes you need to keep secrets like passwords or keys safe when setting up cloud resources. Sensitive variable handling in Terraform helps you protect these secrets so they are redacted in plan and apply output, in CLI logs, and in the default listing of outputs. It does not encrypt them: Terraform still writes every value it manages, sensitive or not, to the state file in cleartext, so the state backend needs access control and encryption of its own.
When you need to use a database password without it appearing in your Terraform plan or apply output (it will still be written to the state file).
When you want to pass an API key to a cloud service without printing it in the console.
When you configure Terraform variables that contain private information like tokens or certificates.
When sharing Terraform code with others but want to keep some values out of the code itself.
When automating infrastructure deployment and need to keep secrets out of CI/CD job logs.
Config File - main.tf
main.tf
# Declaring the variable as sensitive tells Terraform to redact it wherever the
# value is displayed (plan/apply output, CLI errors, the default output listing).
# It does not keep the value out of the state file.
variable "db_password" {
  description = "The password for the database"
  type        = string
  sensitive   = true
}

resource "aws_db_instance" "example" {
  allocated_storage    = 20
  engine               = "mysql"
  engine_version       = "8.0"
  instance_class       = "db.t3.micro"
  db_name              = "exampledb" # "name" is deprecated in AWS provider v4 and removed in v5
  username             = "admin"
  password             = var.db_password # the provider also marks this attribute sensitive
  parameter_group_name = "default.mysql8.0"
  skip_final_snapshot  = true
}

# Any output that is derived from a sensitive value must itself be marked
# sensitive, otherwise Terraform refuses to plan. The value is still stored in
# state and can be read back with `terraform output db_password_output`.
output "db_password_output" {
  value     = var.db_password
  sensitive = true
}

This Terraform file declares a sensitive variable db_password to hold the database password. Because it is sensitive, Terraform redacts the value wherever it would otherwise be printed, and also requires any expression built from it (outputs, local values used in outputs) to be marked sensitive.

The aws_db_instance resource uses this password to create a MySQL database instance. The AWS provider additionally marks the password attribute as sensitive in its schema, so it would be redacted in plan output even without the variable flag; the variable flag matters for every other place the value flows to.

The output db_password_output is marked sensitive so that Terraform redacts it in apply output and in the default `terraform output` listing. Terraform would reject an unmarked output that references a sensitive variable. The value is still stored in cleartext in the state file.

Commands
This command initializes the Terraform working directory, downloading necessary provider plugins.
Terminal
terraform init
Expected Output
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.0.0...
- Installed hashicorp/aws v4.0.0 (signed by HashiCorp)

Terraform has been successfully initialized!
This command shows the changes Terraform will make, supplying the password on the command line so it never has to be written into the configuration. Note that a -var argument is visible in shell history and in the process list while Terraform runs; for anything beyond a demo, prefer the TF_VAR_db_password environment variable, a .tfvars file that is excluded from version control, or a secrets manager.
Terminal
terraform plan -var='db_password=SuperSecret123!'
Expected Output
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_db_instance.example will be created
  + resource "aws_db_instance" "example" {
      + allocated_storage    = 20
      + engine               = "mysql"
      + engine_version       = "8.0"
      + instance_class       = "db.t3.micro"
      + db_name              = "exampledb"
      + username             = "admin"
      + password             = (sensitive value)
      + parameter_group_name = "default.mysql8.0"
      + skip_final_snapshot  = true
    }

Plan: 1 to add, 0 to change, 0 to destroy.
-var - Passes a variable value directly on the command line (convenient, but the value lands in shell history and is visible to other users via the process list; TF_VAR_<name> environment variables or a -var-file avoid the first problem)
This command applies the changes to create the database using the sensitive password, without prompting for confirmation.
Terminal
terraform apply -var='db_password=SuperSecret123!' -auto-approve
Expected Output
aws_db_instance.example: Creating...
aws_db_instance.example: Still creating... [10s elapsed]
aws_db_instance.example: Creation complete after 20s [id=exampledb]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

db_password_output = <sensitive>
-auto-approve - Skips interactive approval before applying changes
This command lists all outputs. Terraform redacts the sensitive one in this listing.
Terminal
terraform output
Expected Output
db_password_output = <sensitive>
Redaction applies only to the full listing and to plan/apply output. Querying the output by name (terraform output db_password_output), or using -json or -raw, prints the real value, because Terraform has it in cleartext in the state. Anyone who can read the state, with the CLI or directly from the backend, can retrieve the secret the same way.
Key Concept

If you remember nothing else from this pattern, remember: marking variables and outputs as sensitive keeps secrets out of logs and console output, but not out of the state file. Protect the state backend (encryption at rest, tight access control, no state files committed to git) as if it were the secret itself.
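The state caveat is easiest to believe once you look at a state file. The following script is an added example, not part of the original page or of Terraform itself: it parses a constructed sample of a version-4 state file (the shape Terraform 0.13+ writes, with made-up values and the page's placeholder password) and reports every attribute that Terraform itself recorded as sensitive, together with the cleartext value that sits right next to it in the same file. The sample state, the function names and the second resource are assumptions for the demonstration.

```python
import json

# Constructed sample of a Terraform state file (state format version 4), shaped
# like what the page's main.tf would produce after apply. All values are made up
# for this example; the secret is the placeholder used on the page.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.5.7",
    "serial": 1,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "outputs": {
        "db_password_output": {"value": "SuperSecret123!", "type": "string", "sensitive": True},
        "db_endpoint": {"value": "exampledb.example.invalid:3306", "type": "string"},
    },
    "resources": [
        {
            "mode": "managed",
            "type": "aws_db_instance",
            "name": "example",
            "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
            "instances": [{
                "schema_version": 2,
                "attributes": {
                    "id": "exampledb",
                    "username": "admin",
                    "password": "SuperSecret123!",   # stored in cleartext
                    "engine": "mysql",
                },
                # Terraform records *which* paths were sensitive, not a redacted value.
                "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
            }],
        },
        {
            "mode": "managed",
            "type": "aws_security_group",
            "name": "db",
            "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
            "instances": [{
                "schema_version": 1,
                "attributes": {"id": "sg-0123456789abcdef0", "name": "db"},
                "sensitive_attributes": [],
            }],
        },
    ],
})


def resource_address(res, inst):
    """Build the Terraform address (module.x.[data.]type.name[key]) of one instance."""
    parts = []
    if res.get("module"):
        parts.append(res["module"])  # state already stores this as "module.<name>"
    if res.get("mode") == "data":
        parts.append("data")
    parts.append(f'{res["type"]}.{res["name"]}')
    address = ".".join(parts)
    if "index_key" in inst:  # count/for_each instances carry an index key
        address += f'[{json.dumps(inst["index_key"])}]'
    return address


def sensitive_attribute_names(inst):
    """Top-level attribute names that Terraform flagged as sensitive for an instance."""
    names = set()
    for path in inst.get("sensitive_attributes", []):
        # A path is a list of steps; the first get_attr step is the attribute name.
        for step in path:
            if step.get("type") == "get_attr":
                names.add(step["value"])
                break
    return names


def find_cleartext_secrets(state_text):
    """Return (address, attribute, cleartext value) for every sensitive value in state."""
    state = json.loads(state_text)
    if state.get("version") != 4:
        raise ValueError(f"unsupported state format version {state.get('version')!r}")
    findings = []
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for name in sorted(sensitive_attribute_names(inst)):
                value = attrs.get(name)
                if value not in (None, ""):
                    findings.append((resource_address(res, inst), name, value))
    # Sensitive outputs are only *flagged*; the value is stored as-is.
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive"):
            findings.append((f"output.{name}", "value", out.get("value")))
    return findings


if __name__ == "__main__":
    # Report what is exposed without echoing the secrets themselves.
    for address, attr, value in find_cleartext_secrets(SAMPLE_STATE):
        print(f"{address}.{attr}: cleartext in state ({len(str(value))} chars)")
```

Run it against a real terraform.tfstate (or the output of `terraform state pull`) to see what a reader of your backend can recover; the sensitive flag changes what the CLI prints, nothing about what is stored.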

Common Mistakes
Not marking a secret variable as sensitive in the variable definition.
Unless the provider schema itself marks the destination attribute sensitive, Terraform shows the value in plan and apply output and in error messages, exposing it to anyone with access to the console or CI logs.
Always add sensitive = true to variables holding secrets.
Printing sensitive outputs without marking them sensitive.
Outputs will display secret values in the console, risking exposure. Terraform refuses to plan when an unmarked output references a sensitive variable, but it cannot detect secrets that arrive through non-sensitive paths such as a provider data source.
Set sensitive = true in output blocks that contain secrets, and avoid outputting secrets at all when nothing downstream needs them.
Hardcoding secrets directly in Terraform files.
Secrets become visible in code repositories and logs, and a default value on a secret variable is hardcoding too.
Pass secrets via variables at runtime (TF_VAR_ environment variables or an untracked .tfvars file rather than -var on the command line) or use secret management tools.
Assuming sensitive = true protects the state file.
The state stores sensitive values in cleartext; terraform output <name> and terraform state pull return them unredacted.
Use a remote backend with encryption at rest and restrictive access, and never commit terraform.tfstate.
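The first three mistakes above are easy to catch before a commit. The following linter is an added example, not part of the original page or of any Terraform tooling: it scans a constructed .tf snippet line by line and flags secret-looking attributes assigned a string literal (including a default on a secret-named variable) and variable or output blocks with a secret-looking name that lack sensitive = true. The secret-name pattern, the sample configuration, and the function names are assumptions for the demonstration, and the line-oriented parsing is deliberately simple (one attribute per line, no braces inside strings).

```python
import re

# Constructed sample configuration for the demonstration: two clean blocks and
# three that commit the mistakes listed on the page.
SAMPLE_TF = '''
variable "db_password" {
  type      = string
  sensitive = true
}

variable "api_token" {
  type    = string
  default = "abc123"   # hardcoded default for a secret
}

resource "aws_db_instance" "example" {
  username = "admin"
  password = var.db_password
}

resource "aws_db_instance" "bad" {
  username = "admin"
  password = "SuperSecret123!"
}

output "db_password_output" {
  value = var.db_password
}
'''

# Top-level block header, e.g. resource "aws_db_instance" "bad" {
BLOCK_HEADER = re.compile(r'^\s*([a-z_]+)((?:\s+"[^"]+")*)\s*\{')
# attribute = "string literal"  with an optional trailing # comment
LITERAL_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*(?:#.*)?$')
SENSITIVE_TRUE = re.compile(r'^\s*sensitive\s*=\s*true\b')
# Names that usually carry secrets (assumed list; extend for your environment).
SECRET_NAME = re.compile(r'(password|passwd|secret|token|api_key|private_key|access_key)', re.I)


def lint_hcl(text):
    """Return (block address, message) for each secret-handling mistake found."""
    findings = []
    depth = 0
    block = None          # address of the current top-level block, e.g. variable.api_token
    saw_sensitive = False # whether sensitive = true appeared in the current block
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(("#", "//")):
            continue
        if depth == 0:
            m = BLOCK_HEADER.match(raw)
            if m:
                labels = re.findall(r'"([^"]+)"', m.group(2))
                block = ".".join([m.group(1)] + labels)
                saw_sensitive = False
        elif block is not None:
            if SENSITIVE_TRUE.match(raw):
                saw_sensitive = True
            m = LITERAL_ASSIGN.match(raw)
            if m:
                attr, value = m.groups()
                secret_attr = SECRET_NAME.search(attr) is not None
                # A default on a secret-named variable is a hardcoded secret too.
                secret_default = (attr == "default" and block.startswith("variable.")
                                  and SECRET_NAME.search(block) is not None)
                if value and (secret_attr or secret_default):
                    findings.append((block, f"{attr} is assigned a hardcoded string literal"))
        # Track nesting so we know when the top-level block closes.
        depth += raw.count("{") - raw.count("}")
        if depth == 0 and block is not None:
            if block.startswith(("variable.", "output.")) and SECRET_NAME.search(block) and not saw_sensitive:
                findings.append((block, "missing sensitive = true"))
            block = None
    return findings


if __name__ == "__main__":
    for address, message in lint_hcl(SAMPLE_TF):
        print(f"{address}: {message}")
```

Wire it into a pre-commit hook over `git diff --cached --name-only -- '*.tf'` and fail the commit on any finding; it is a cheap complement to, not a replacement for, a dedicated secret scanner.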
Summary
Define sensitive variables with sensitive = true to keep secrets out of plan, apply, and log output.
Pass secret values at runtime (TF_VAR_ environment variables, an untracked -var-file, or a secrets manager; -var works but leaves the value in shell history) instead of hardcoding them.
Mark outputs containing secrets as sensitive to prevent console exposure, and remember that terraform output <name> still prints them.
Treat the state file as a secret store: sensitive values are written to it in cleartext, so encrypt and restrict the backend.