
Sensitive variable handling in Terraform - Step-by-Step Execution

Process Flow - Sensitive variable handling
Define variable with sensitive=true
Terraform hides value in output
Use variable in resource config
Terraform applies config securely
Sensitive value not shown in logs or plan
Output or state file stores encrypted or masked value
Terraform marks variables as sensitive to hide their values in outputs and logs, ensuring secrets are not exposed during deployment.
Execution Sample
Terraform
variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "example" {
  # Other arguments the resource requires are omitted here.
  password = var.db_password
}
Defines a sensitive variable for a database password and uses it in a resource without exposing the value.
Process Table
| Step | Action | Variable State | Output Visibility | Result |
|------|--------|----------------|-------------------|--------|
| 1 | Define variable db_password with sensitive=true | db_password = <sensitive> | Hidden | Variable marked sensitive |
| 2 | Terraform plan reads variable | db_password = <sensitive> | Hidden | Value masked in plan output |
| 3 | Apply resource using db_password | db_password = <sensitive> | Hidden | Password used securely in resource |
| 4 | Terraform output or logs | db_password = <sensitive> | Hidden | No sensitive value shown |
| 5 | State file stores sensitive value | db_password = <sensitive> | Not visible | Value stored securely |
💡 Sensitive variable remains hidden throughout plan, apply, and output phases to protect secrets.
Status Tracker
| Variable | Start | After Plan | After Apply | Final |
|----------|-------|------------|-------------|-------|
| db_password | <sensitive> | <sensitive> | <sensitive> | <sensitive> |
Key Moments - 3 Insights
Why can't I see the value of a sensitive variable in the Terraform plan output?
Terraform masks sensitive variables in the plan output to prevent accidental exposure, as shown in step 2 of the Process Table.
Is the sensitive variable value stored in plain text in the state file?
No, the state file stores sensitive values encrypted or masked, ensuring security as shown in step 5 of the Process Table.
Can I output a sensitive variable value directly in Terraform outputs?
Terraform hides sensitive outputs by default to protect secrets, so sensitive variables won't show their values in outputs, as in step 4.
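A check for the state-file question above, as an added example that is not part of the original page: it reads a state file and lists every attribute marked sensitive whose value is present as readable text, without printing the value itself. The sample state is constructed, and the version-4 layout with `sensitive_attributes` paths is an assumption to confirm against the state your own Terraform version writes.

```python
import json

# Constructed sample, trimmed to the fields this check reads. The layout
# (version 4, sensitive_attributes paths) is assumed; the password is made up.
SAMPLE_STATE = json.loads("""
{"version": 4, "resources": [{
  "mode": "managed", "type": "aws_db_instance", "name": "example",
  "instances": [{
    "attributes": {"identifier": "example-db", "password": "constructed-placeholder"},
    "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]]
  }]
}]}
""")


def step_key(step):
    """A path step's key: the attribute name, or the inner value of an index step."""
    key = step["value"]
    return key["value"] if isinstance(key, dict) else key


def resolve(attributes, path):
    """Follow one sensitive_attributes path into the attributes object."""
    value = attributes
    for step in path:
        try:
            value = value[step_key(step)]
        except (KeyError, IndexError, TypeError):
            return None  # path not present in this instance
    return value


def readable_sensitive_attributes(state):
    """Addresses of sensitive attributes stored as readable values (values not returned)."""
    findings = []
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for path in inst.get("sensitive_attributes") or []:
                if resolve(attrs, path) not in (None, ""):
                    dotted = ".".join(str(step_key(s)) for s in path)
                    findings.append(f'{res["type"]}.{res["name"]}.{dotted}')
    return findings


if __name__ == "__main__":
    for address in readable_sensitive_attributes(SAMPLE_STATE):
        print("readable in state:", address)
```

Run it against a copy of your own state (for example the output of `terraform state pull`) to see how db_password is actually stored. Any address it reports means access to that state has to be restricted as tightly as access to the secret itself.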
Visual Quiz - 3 Questions
Test your understanding
Looking at the Process Table, at which step is the sensitive variable value first hidden from output?
A. Step 2
B. Step 3
C. Step 1
D. Step 4
💡 Hint
Check the 'Output Visibility' column in the Process Table rows.
According to the Status Tracker, what is the state of db_password after apply?
A. <visible>
B. <encrypted>
C. <sensitive>
D. <null>
💡 Hint
Look at the 'After Apply' column for db_password in the Status Tracker.
If sensitive was set to false, how would the plan output change?
A. Value would remain hidden
B. Value would be visible in plan output
C. Terraform would error
D. Value would be encrypted in plan
💡 Hint
Refer to the behavior described in step 2 of the Process Table about output visibility.
Concept Snapshot
Terraform sensitive variables:
- Mark with sensitive = true
- Values hidden in plan, apply, and outputs
- Protect secrets from accidental exposure
- State file stores the value encrypted or masked
- Use sensitive vars for passwords, keys, tokens
Full Transcript
This visual execution shows how Terraform handles sensitive variables. First, you define a variable with sensitive=true. Terraform then hides this value in plan outputs and logs to protect secrets. When applying resources, the sensitive value is used securely but never shown. Outputs also mask sensitive values. Finally, the state file stores these values encrypted or masked to keep them safe. This prevents accidental exposure of passwords or keys during deployment.