
How to Use Sensitive Output in Terraform: Simple Guide

In Terraform, you mark outputs as sensitive by adding sensitive = true in the output block. This hides the output value from the CLI and logs, helping protect secrets like passwords or keys.

Syntax

The output block defines a value to show after Terraform applies changes. Adding sensitive = true hides this value from the CLI output and logs.

Parts explained:

  • output "name": Names the output.
  • value = ...: The value to output.
  • sensitive = true: Marks the output as sensitive to hide it.
```terraform
output "example_secret" {
  value     = var.secret_value
  sensitive = true
}
```

Example

This example shows how to create a sensitive output for a secret password stored in a variable. Terraform will not display the password in the CLI output after apply.

```terraform
variable "db_password" {
  type      = string
  sensitive = true
}

output "database_password" {
  value     = var.db_password
  sensitive = true
}
```

Output:

```
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

database_password = <sensitive>
```

Common Pitfalls

Common mistakes when using sensitive outputs include:

  • Not marking outputs as sensitive, which exposes secrets in CLI output and logs.
  • Using sensitive outputs in places that require visible values, which causes errors.
  • Expecting sensitive outputs to encrypt data. They only hide the value in displayed output; it is still stored unencrypted in the state file.

Always combine sensitive = true with secure storage for secrets.

```terraform
output "exposed_secret" {
  value = var.secret_value
  # Missing sensitive = true exposes the secret
}

# Correct way:
output "hidden_secret" {
  value     = var.secret_value
  sensitive = true
}
```
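
The first and third pitfalls can be checked in a pipeline. The Python sketch below is an added example, not part of the original guide: it reads JSON in the shape printed by `terraform output -json` (which contains the real value even for sensitive outputs), flags secret-looking outputs that lack sensitive = true, and masks values before they are logged. The name heuristic, the function names and the sample data are assumptions constructed for illustration.

```python
import json
import re

# Heuristic for secret-looking output names (an assumption of this example).
SECRET_HINT = re.compile(r"password|passwd|secret|token|api_?key|private_?key", re.I)

# Constructed sample in the shape printed by `terraform output -json`.
# Note that the real value is present even when "sensitive" is true.
SAMPLE_OUTPUT_JSON = """
{
  "database_password": {"sensitive": true,  "type": "string", "value": "constructed-pw-1"},
  "hidden_secret":     {"sensitive": true,  "type": "string", "value": "constructed-pw-2"},
  "exposed_secret":    {"sensitive": false, "type": "string", "value": "constructed-pw-3"},
  "db_endpoint":       {"sensitive": false, "type": "string", "value": "db.example.internal:5432"}
}
"""


def find_unmarked_secrets(outputs):
    """Names that look like secrets but are not marked sensitive."""
    return sorted(
        name for name, meta in outputs.items()
        if SECRET_HINT.search(name) and not meta.get("sensitive", False)
    )


def redact_for_logs(outputs):
    """Copy of the outputs that is safe to print: flagged values are masked."""
    unmarked = set(find_unmarked_secrets(outputs))
    return {
        name: "<sensitive>" if meta.get("sensitive") or name in unmarked else meta["value"]
        for name, meta in outputs.items()
    }


if __name__ == "__main__":
    outputs = json.loads(SAMPLE_OUTPUT_JSON)
    for name in find_unmarked_secrets(outputs):
        print(f"FAIL: output '{name}' looks like a secret but lacks sensitive = true")
    print(json.dumps(redact_for_logs(outputs), indent=2))
```

In CI, the same functions can be fed the captured result of `terraform output -json` instead of the embedded sample, failing the job when the first function returns any names.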

Quick Reference

| Property    | Description                                      |
|-------------|--------------------------------------------------|
| value       | The data to output                               |
| sensitive   | Set to true to hide output value in CLI and logs |
| description | Optional text describing the output              |

Key Takeaways

  • Mark outputs with sensitive = true to hide secret values in Terraform output.
  • Sensitive outputs prevent accidental exposure but do not encrypt data.
  • Always secure secrets in variables and state files alongside sensitive outputs.
  • Use sensitive outputs carefully to avoid breaking dependencies expecting visible values.