Skip to main content

New Terraform Tutorial: Sensitive Input Variables

A new tutorial on HashiCorp Learn shows how to protect sensitive data with Terraform.

Jan 06 2021Robin Norwood

HashiCorp Terraform configuration often includes sensitive inputs, such as passwords, API tokens, or Personally Identifiable Information (PII). Terraform provides several features to help avoid accidentally exposing sensitive data.

Learn to Protect Sensitive Inputs

Follow our new tutorial on HashiCorp Learn, Protect Sensitive Input Variables. In this tutorial, you will provision a web application using Terraform, and use the `sensitive` variable flag to set sensitive values. You will also learn about ways to manage sensitive values in your Terraform state.

Use the “sensitive” Flag

New in Terraform 0.14, input variables now support the `sensitive` flag. Terraform will redact the values of sensitive variables in console and log output, to reduce the risk of accidentally disclosing these values.

Code block defining variable "db_password"

When you apply this configuration, Terraform redacts the sensitive value from its console output.

Code block running `terraform apply`. Output shows warnining that attribute value will be marked as sensitive and will not display in UI output.

This feature helps prevent accidental disclosure of sensitive values, but is not sufficient to fully secure your Terraform configuration.

Secure Terraform State

Even when a variable is marked sensitive, Terraform still needs to store the value in its state file, so that it can correctly apply configuration changes.

Code block running `grep "password" terraform.tfstate`

In this tutorial, you will learn about several methods that Terraform and other HashiCorp products provide to secure your state file.

Read: Protect Sensitive Input Variables

Sign up for the latest HashiCorp news

By submitting this form, you acknowledge and agree that HashiCorp will process your personal information in accordance with the Privacy Policy.

More blog posts like this one

Fix the developers vs. security conflict by shifting further left
November 12 2024 | Strategy and Insights
Fix the developers vs. security conflict by shifting further left

Resolve the friction between dev and security teams with platform-led workflows that make cloud security seamless and scalable.

HashiCorp at AWS re:Invent: Your blueprint to cloud success
November 07 2024 | Company
HashiCorp at AWS re:Invent: Your blueprint to cloud success

If you’re attending AWS re:Invent in Las Vegas, Dec. 2 - Dec. 6th, visit us for breakout sessions, expert talks, and product demos to learn how to take a unified approach to Infrastructure and Security Lifecycle Management.

Speed up app delivery with automated cancellation of plan-only Terraform runs
November 06 2024 | Products & Technology
Speed up app delivery with automated cancellation of plan-only Terraform runs

Automatic cancellation of plan-only runs allows customers to easily cancel any unfinished runs for outdated commits to speed up application delivery.