Terraformcloud~30 mins

Sensitive variable handling in Terraform - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Sensitive variable handling

📖 Scenario: You are setting up a Terraform configuration to manage cloud infrastructure. Some variables, like passwords or API keys, must be kept secret to protect your system.

🎯 Goal: Create a Terraform variable marked as sensitive and use it in a resource without exposing its value in outputs.

📋 What You'll Learn

Define a Terraform variable named db_password with type string and mark it as sensitive = true.

Create a resource aws_db_instance named example that uses the db_password variable for its password attribute.

Do not output the db_password variable value directly.

💡 Why This Matters

🌍 Real World

Sensitive variables like passwords and API keys must be protected in infrastructure code to prevent leaks and security risks.

💼 Career

Cloud engineers and DevOps professionals must manage secrets securely in Terraform to maintain compliance and protect infrastructure.

Progress0 / 4 steps

Define the sensitive variable

Create a Terraform variable named db_password with type string and set sensitive = true.

Terraform

# Define the sensitive variable db_password
# Your code here

Need a hint?

Use the variable block with sensitive = true to keep the value secret.

Add AWS DB instance resource

Add a resource block for aws_db_instance named example and set its password attribute to var.db_password.

Terraform

variable "db_password" {
  type      = string
  sensitive = true
}

# Add aws_db_instance resource named example
# Your code here

Need a hint?

Use var.db_password to reference the sensitive variable inside the resource.

Add a non-sensitive output

Create an output named db_instance_id that outputs aws_db_instance.example.id without exposing the password.

Terraform

variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "example" {
  allocated_storage    = 20
  engine               = "mysql"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "admin"
  password             = var.db_password
  parameter_group_name = "default.mysql5.7"
}

# Add output for db_instance_id
# Your code here

Need a hint?

Outputs should not reveal sensitive data. Output the instance ID instead of the password.

Add a sensitive output for password

Add an output named db_password_output that outputs var.db_password and mark it as sensitive = true.

Terraform

variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "example" {
  allocated_storage    = 20
  engine               = "mysql"
  instance_class       = "db.t2.micro"
  name                 = "mydb"
  username             = "admin"
  password             = var.db_password
  parameter_group_name = "default.mysql5.7"
}

output "db_instance_id" {
  value = aws_db_instance.example.id
}

# Add sensitive output for db_password
# Your code here

Need a hint?

Mark the output as sensitive to avoid showing the password in plain text.