Bird
Raised Fist0
Terraformcloud~5 mins

Sensitive variable handling in Terraform - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is a sensitive variable in Terraform?
A sensitive variable is a variable that contains confidential information, such as passwords or API keys, which Terraform hides in its output to protect the data.
Click to reveal answer
beginner
How do you declare a sensitive variable in Terraform?
You declare a sensitive variable by adding the attribute sensitive = true in the variable block.
Click to reveal answer
intermediate
Why should you mark variables as sensitive in Terraform?
Marking variables as sensitive prevents Terraform from showing their values in logs and plan output, reducing the risk of exposing secrets. However, sensitive values are still stored in the state file in plain text.
Click to reveal answer
intermediate
Can sensitive variables be used in Terraform outputs?
Yes, but you must mark the output as sensitive too. Otherwise, Terraform will warn you and may expose the value.
Click to reveal answer
beginner
What happens if you do not mark a secret as sensitive in Terraform?
The secret may appear in Terraform plan, apply logs, or state files, risking accidental exposure to anyone with access to those files.
Click to reveal answer
How do you mark a variable as sensitive in Terraform?
AAdd <code>sensitive = true</code> in the variable block
BPrefix the variable name with 'secret_'
CUse <code>private = true</code> in the variable block
DEncrypt the variable value manually
What does Terraform do with sensitive variables during plan and apply?
AHides their values in output and logs
BPrints their values in plain text
CDeletes the variables after use
DSaves them in a separate file
If you output a sensitive variable without marking the output as sensitive, what happens?
ATerraform automatically hides the output
BTerraform warns and may expose the value
CTerraform blocks the deployment
DTerraform encrypts the output
Why is it important to mark variables as sensitive?
ATo enable variable reuse
BTo speed up Terraform runs
CTo reduce variable size
DTo prevent accidental exposure of secrets in logs and state files
Which of the following is NOT a best practice for handling sensitive variables in Terraform?
AMark variables as sensitive
BUse environment variables or secret managers
CStore secrets in version control in plain text
DMark outputs as sensitive when they expose secrets
Explain how to declare and use sensitive variables in Terraform and why it matters.
Think about how Terraform treats secrets differently to keep them safe.
You got /4 concepts.
    Describe the risks of not marking sensitive variables properly in Terraform.
    Consider what happens if anyone can see your Terraform logs or state files.
    You got /4 concepts.

      Practice

      (1/5)
      1. What does setting sensitive = true on a Terraform variable do?
      easy
      A. It hides the variable's value in Terraform plan and apply outputs.
      B. It encrypts the variable value in the Terraform state file.
      C. It makes the variable read-only in the configuration.
      D. It automatically rotates the variable value periodically.

      Solution

      1. Step 1: Understand the purpose of sensitive attribute

        The sensitive = true flag tells Terraform to hide the variable's value in output logs and plans to avoid accidental exposure.

      2. Step 2: Clarify what it does not do

        It does not encrypt the state file or rotate values; those are separate concerns.

      3. Final Answer:

        It hides the variable's value in Terraform plan and apply outputs. -> Option A

      4. Quick Check:

        sensitive = true hides output values [OK]
      Hint: Sensitive true hides values in output, not encryption [OK]
      Common Mistakes:
      • Thinking sensitive encrypts the state file
      • Assuming sensitive makes variables read-only
      • Believing sensitive rotates secrets automatically
      2. Which of the following is the correct syntax to declare a sensitive variable in Terraform?
      easy
      A. variable "db_password" { type = string sensitive = true }
      B. variable "db_password" { type = string sensitive = true }
      C. variable "db_password" { type = string, sensitive = true }
      D. variable "db_password" { type = string; sensitive = true }

      Solution

      1. Step 1: Recall Terraform block syntax

        Terraform uses HCL syntax where attributes inside blocks are separated by new lines without commas or semicolons.

      2. Step 2: Identify correct formatting

        variable "db_password" { type = string sensitive = true } correctly places sensitive = true on a new line without commas or semicolons.

      3. Final Answer:

        variable "db_password" { type = string sensitive = true } -> Option B

      4. Quick Check:

        HCL uses new lines, no commas or semicolons [OK]
      Hint: Use new lines, no commas or semicolons in variable blocks [OK]
      Common Mistakes:
      • Adding commas between attributes
      • Using semicolons inside blocks
      • Putting attributes on the same line without proper syntax
      3. Given this Terraform output block: 
      output "db_password" {
  value     = var.db_password
  sensitive = true
}
      What will Terraform display when you run terraform output?
      medium
      A. It will show (sensitive) instead of the password.
      B. It will cause an error because outputs cannot be sensitive.
      C. It will show the actual password value.
      D. It will show an empty string.

      Solution

      1. Step 1: Understand sensitive outputs behavior

        When an output is marked sensitive, Terraform hides its value in the output command to avoid exposing secrets.

      2. Step 2: Confirm expected output

        Terraform replaces the actual value with (sensitive) text instead of showing the secret.

      3. Final Answer:

        It will show (sensitive) instead of the password. -> Option A

      4. Quick Check:

        sensitive output hides value with (sensitive) [OK]
      Hint: Sensitive outputs show (sensitive), not actual values [OK]
      Common Mistakes:
      • Expecting actual secret to print
      • Thinking sensitive outputs cause errors
      • Assuming output is empty string
      4. You have marked a variable as sensitive = true but when running terraform plan, the secret value still appears. What is the most likely cause?
      medium
      A. You forgot to run terraform apply first.
      B. Terraform does not support sensitive variables in plans.
      C. The variable is used directly in a resource argument that prints its value.
      D. The variable type is not set to string.

      Solution

      1. Step 1: Understand sensitive variable behavior in plans

        Terraform hides sensitive variable values in outputs but if the variable is interpolated directly into resource arguments that display in plan, the value can appear.

      2. Step 2: Identify cause of exposure

        Using sensitive variables in resource arguments that Terraform shows in plan can reveal the secret despite the sensitive flag.

      3. Final Answer:

        The variable is used directly in a resource argument that prints its value. -> Option C

      4. Quick Check:

        Direct use in resource can expose sensitive values [OK]
      Hint: Sensitive hides output but not direct resource interpolation [OK]
      Common Mistakes:
      • Assuming sensitive hides all plan values
      • Thinking apply is needed to hide values
      • Believing variable type affects sensitivity
      5. You want to securely store a database password in Terraform and avoid exposing it in state files or outputs. Which combination of practices is best?
      hard
      A. Use sensitive = false and rely on Terraform's default security.
      B. Mark the variable as sensitive = true and print it in outputs for verification.
      C. Store the password in plain text variable and restrict access to the Terraform config files.
      D. Mark the variable as sensitive = true, use sensitive outputs, and encrypt the Terraform state file.

      Solution

      1. Step 1: Protect variable visibility

        Marking the variable as sensitive hides it in outputs and plans, reducing accidental exposure.

      2. Step 2: Secure outputs and state file

        Using sensitive outputs keeps secrets hidden when showing results, and encrypting the state file protects stored secrets.

      3. Final Answer:

        Mark the variable as sensitive = true, use sensitive outputs, and encrypt the Terraform state file. -> Option D

      4. Quick Check:

        Combine sensitive flag, outputs, and state encryption [OK]
      Hint: Combine sensitive flag, outputs, and state encryption [OK]
      Common Mistakes:
      • Printing sensitive variables in outputs
      • Storing secrets in plain text variables
      • Relying on defaults without encryption