Terraform · How-To · Beginner · 4 min read

How to Use Sensitive Variables in Terraform Securely

In Terraform, mark a variable as sensitive by adding sensitive = true in its declaration. This hides the variable's value from logs and output, helping protect secrets like passwords or API keys.
📐

Syntax

To declare a sensitive variable in Terraform, use the variable block with the sensitive = true attribute. This tells Terraform to treat the variable's value as secret and avoid showing it in output or logs.

Parts explained:

  • variable "name": Defines the variable's name.
  • type: Specifies the data type (e.g., string, map).
  • sensitive = true: Marks the variable as sensitive.
  • default: Optional default value.
terraform
variable "db_password" {
  type        = string
  sensitive   = true
  description = "The database password"
}
💻

Example

This example shows how to declare a sensitive variable, assign it a value, and use it in a resource without exposing the secret in output.

terraform
variable "api_key" {
  type        = string
  sensitive   = true
  description = "API key for external service"
}

resource "null_resource" "example" {
  provisioner "local-exec" {
    command = "echo Using API key"
  }
}

output "api_key_output" {
  value     = var.api_key
  sensitive = true
}
Output

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

api_key_output = (sensitive value)
⚠️

Common Pitfalls

Common mistakes when using sensitive variables include:

  • Not marking the variable as sensitive = true, which exposes secrets in logs and outputs.
  • Outputting sensitive variables without sensitive = true in the output block, causing secrets to be shown.
  • Passing sensitive variables to resources or modules that log or display them unintentionally.

Always double-check that sensitive variables and outputs are marked properly to avoid leaks.

terraform
# Wrong way (shown for contrast; the two declarations below are alternatives,
# not meant to live in the same configuration):
variable "password" {
  type = string
  # Missing sensitive = true, so the password will be visible in plan/apply output
}

output "password_output" {
  value = var.password
  # Missing sensitive = true here too, so the output would print the secret
}

# Correct way:
variable "password" {
  type      = string
  sensitive = true
}

output "password_output" {
  value     = var.password
  sensitive = true
}
📊

Quick Reference

| Concept | Usage | Effect |
|---|---|---|
| Declare sensitive variable | `variable "name" { sensitive = true }` | Hides value in logs and output |
| Sensitive output | `output "name" { value = var.name sensitive = true }` | Prevents output from showing secret |
| Pass sensitive variable | Use `var.name` in resources carefully | Avoids accidental exposure |
| Default value | `variable "name" { default = "secret" sensitive = true }` | Keeps default secret hidden |

Key Takeaways

  • Always set sensitive = true on variables holding secrets to protect them.
  • Mark outputs as sensitive to prevent secret values from showing in Terraform output.
  • Avoid printing or logging sensitive variables in provisioners or resources.
  • Use sensitive variables carefully when passing to modules or external systems.
  • Terraform hides sensitive values but does not encrypt them; manage secrets securely.
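The last takeaway and the "output without sensitive = true" pitfall above can both be checked mechanically. The script below is an added example, not code from the original page or from HashiCorp: it audits the JSON that `terraform show -json` prints for a state file and (a) lists every value Terraform marked sensitive that still sits in the state as plaintext, which is the point that sensitive = true redacts display but does not encrypt, and (b) flags any unmarked value (for example an output declared without sensitive = true) that is a copy of a marked one. The layout it reads (`values.outputs` with `sensitive`/`value`, `root_module.resources` with `values` and a mirroring `sensitive_values`, nested `child_modules`) is Terraform's JSON state format; the sample document, the placeholder secret strings and the function names (`audit_state`, `_leaves`, `_walk_modules`) are constructed here for the example.

```python
"""Audit a `terraform show -json` state document for secret-handling problems."""
import json
from typing import Any, Dict, Iterator, List, Tuple

# Constructed sample shaped like `terraform show -json` output for a state file.
# The secret strings are placeholders, not real credentials.
SAMPLE_STATE_JSON = json.dumps({
    "format_version": "1.0",
    "values": {
        "outputs": {
            # declared with sensitive = true in the configuration
            "api_key_output": {"sensitive": True, "value": "EXAMPLE-API-KEY-0001"},
            # declared WITHOUT sensitive = true: the pitfall from the article
            "password_output": {"sensitive": False, "value": "EXAMPLE-PASSWORD-0001"},
        },
        "root_module": {
            "resources": [{
                "address": "null_resource.example",
                "values": {"id": "4242", "triggers": {"token": "EXAMPLE-API-KEY-0001"}},
                "sensitive_values": {"triggers": {"token": True}},
            }],
            "child_modules": [{
                "address": "module.db",
                "resources": [{
                    "address": "module.db.null_resource.bootstrap",
                    "values": {"id": "7", "triggers": {"note": "EXAMPLE-PASSWORD-0001"}},
                    "sensitive_values": {"triggers": {"note": True}},
                }],
            }],
        },
    },
})


def _leaves(value: Any, marks: Any, path: str) -> Iterator[Tuple[str, Any, bool]]:
    """Yield (path, scalar, is_sensitive) for every scalar inside `value`.

    `marks` mirrors the shape of `value`: True where Terraform marked a leaf (or a
    whole subtree) sensitive, a dict/list for partial marking, or missing otherwise.
    """
    if isinstance(value, dict):
        for key, child in value.items():
            sub = marks.get(key) if isinstance(marks, dict) else marks
            yield from _leaves(child, sub, f"{path}.{key}")
    elif isinstance(value, list):
        for idx, child in enumerate(value):
            sub = marks[idx] if isinstance(marks, list) and idx < len(marks) else marks
            yield from _leaves(child, sub, f"{path}[{idx}]")
    else:
        yield path, value, marks is True


def _walk_modules(module: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield every resource in the root module and all nested child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def audit_state(state_json: str) -> Dict[str, List[str]]:
    """Return the addresses of plaintext sensitive values and of unmarked copies of them."""
    state = json.loads(state_json)
    values = state.get("values", {})
    leaves: List[Tuple[str, Any, bool]] = []
    for name, out in values.get("outputs", {}).items():
        # An output's `sensitive` flag applies to its whole value.
        leaves.extend(_leaves(out.get("value"), out.get("sensitive", False), f"output.{name}"))
    for res in _walk_modules(values.get("root_module", {})):
        leaves.extend(_leaves(res.get("values", {}), res.get("sensitive_values", {}), res["address"]))

    # Everything Terraform marked sensitive is still readable here: the state is plaintext.
    secret_values = {v for _, v, sensitive in leaves if sensitive and isinstance(v, str) and v}
    plaintext = sorted(p for p, v, sensitive in leaves if sensitive and isinstance(v, str))
    # An unmarked leaf holding the same string as a marked one is a leak (e.g. an
    # output that forgot sensitive = true): Terraform will print it in full.
    leaked = sorted(p for p, v, sensitive in leaves if not sensitive and v in secret_values)
    return {"sensitive_in_plaintext": plaintext, "unmarked_copies": leaked}


if __name__ == "__main__":
    report = audit_state(SAMPLE_STATE_JSON)
    print("Sensitive values stored as plaintext in state:")
    for addr in report["sensitive_in_plaintext"]:
        print("  ", addr)
    print("Unmarked copies of sensitive values (would be printed by terraform):")
    for addr in report["unmarked_copies"]:
        print("  ", addr)
```

To run it against a real workspace, replace `SAMPLE_STATE_JSON` with the text of `terraform show -json`. Treat the first list as the reason the state backend itself needs access control and encryption at rest; the second list is the set of outputs or attributes to go back and mark sensitive.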