Terraform output values let you export structured data about your resources. You can use this data to configure other parts of your infrastructure with automation tools, or as a data source for another Terraform workspace. Outputs are also how you expose data from a child module to a root module.
In this tutorial, you will use Terraform to deploy application infrastructure on AWS and use outputs to get information about the resources. Then, you will use the sensitive flag to reduce the risk of inadvertently disclosing the database administrator username and password. You will also learn how to format outputs into machine-readable JSON.
You can complete this tutorial using the same workflow with either Terraform Community Edition or HCP Terraform. HCP Terraform is a platform that you can use to manage and execute your Terraform projects. It includes features like remote state and execution, structured plan output, workspace resource summaries, and more.
Select the HCP Terraform tab to complete this tutorial using HCP Terraform.
Note
Some of the infrastructure in this tutorial may not qualify for the AWS free tier. Destroy the infrastructure at the end of the tutorial to avoid unnecessary charges. We are not responsible for any charges that you incur.
Clone the example repository for this tutorial, which contains Terraform configuration for a web application including a VPC, load balancer, EC2 instances, and a database.
$ git clone https://github.com/hashicorp-education/learn-terraform-outputs
Change to the repository directory.
$ cd learn-terraform-outputs
Initialize this configuration.
$ terraform init
Initializing the backend...
##...
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
Open your terraform.tf file and uncomment the cloud block. Replace the organization name with your own HCP Terraform organization.
terraform.tf
terraform {
cloud {
organization = "organization-name"
workspaces {
name = "learn-terraform-outputs"
}
}
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.4.0"
}
}
required_version = "~> 1.2"
}
Initialize your configuration. Terraform will automatically create the learn-terraform-outputs workspace in your HCP Terraform organization.
$ terraform init
Initializing HCP Terraform...
Initializing provider plugins...
- Reusing previous version of hashicorp/aws from the dependency lock file
- Installing hashicorp/aws v4.4.0...
- Installed hashicorp/aws v4.4.0 (signed by HashiCorp)
HCP Terraform has been successfully initialized!
You may now begin working with HCP Terraform. Try running "terraform plan" to
see any changes that are required for your infrastructure.
If you ever set or change modules or Terraform Settings, run "terraform init"
again to reinitialize your working directory.
Note: This tutorial assumes that you are using a tutorial-specific HCP Terraform organization with a global variable set of your AWS credentials. Review the Create a Credential Variable Set for detailed guidance. If you are using a scoped variable set, assign it to your new workspace now.
Now apply the configuration. Respond yes to the prompt to confirm the operation.
$ terraform apply
##...
Plan: 46 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
##...
Apply complete! Resources: 46 added, 0 changed, 0 destroyed.
You can add output declarations anywhere in your Terraform configuration files. However, we recommend defining them in a separate file called outputs.tf to make it easier for users to understand your configuration and review its expected outputs.
Add a block to outputs.tf to show the ID of the VPC.
outputs.tf
output "vpc_id" {
description = "ID of project VPC"
value = module.vpc.vpc_id
}
While the description argument is optional, you should include it in all output declarations to document the intent and content of the output.
You can use the result of any Terraform expression as the value of an output. Add the following definitions to outputs.tf.
outputs.tf
output "lb_url" {
description = "URL of load balancer"
value = "http://${module.elb_http.elb_dns_name}/"
}
output "web_server_count" {
description = "Number of web servers provisioned"
value = length(module.ec2_instances.instance_ids)
}
The lb_url output uses string interpolation to create a URL from the load balancer's domain name. The web_server_count output uses the length() function to calculate the number of instances attached to the load balancer.
Terraform stores output values in the configuration's state file. In order to see these outputs, you need to update the state by applying this new configuration, even though the infrastructure will not change. Respond to the confirmation prompt with a yes.
$ terraform apply
random_string.lb_id: Refreshing state... [id=5YI]
module.vpc.aws_vpc.this[0]: Refreshing state... [id=vpc-004c2d1ba7394b3d6]
## ...
Plan: 0 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ lb_url = "http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/"
+ vpc_id = "vpc-004c2d1ba7394b3d6"
+ web_server_count = 4
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
lb_url = "http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/"
vpc_id = "vpc-004c2d1ba7394b3d6"
web_server_count = 4
After creating the outputs, use the terraform output command to query all of them.
$ terraform output
lb_url = "http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/"
vpc_id = "vpc-004c2d1ba7394b3d6"
web_server_count = 4
Next, query an individual output by name.
$ terraform output lb_url
"http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/"
Starting with version 0.14, Terraform wraps string outputs in quotes by default. You can use the -raw flag when querying a specified output for machine-readable format.
$ terraform output -raw lb_url
http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/
Use the lb_url output value with the -raw flag to cURL the load balancer and verify the response.
$ curl $(terraform output -raw lb_url)
<html><body><div>Hello, world!</div></body></html>
If you are using HCP Terraform, you can also find a table of your configuration's outputs on your workspace's overview page.
You can designate Terraform outputs as sensitive. Terraform will redact the values of sensitive outputs to avoid accidentally printing them out to the console. Use sensitive outputs to share sensitive data from your configuration with other Terraform modules, automation tools, or HCP Terraform workspaces.
Terraform will redact sensitive outputs when planning, applying, or destroying your configuration, or when you query all of your outputs. Terraform will not redact sensitive outputs in other cases, such as when you query a specific output by name, query all of your outputs in JSON format, or when you use outputs from a child module in your root module.
Add the following output blocks to your outputs.tf file. Note that the sensitive attribute is set to true.
outputs.tf
output "db_username" {
description = "Database administrator username"
value = aws_db_instance.database.username
sensitive = true
}
output "db_password" {
description = "Database administrator password"
value = aws_db_instance.database.password
sensitive = true
}
Apply this change to add these outputs to your state file, and respond to the confirmation prompt with yes.
$ terraform apply
random_string.lb_id: Refreshing state... [id=5YI]
module.vpc.aws_vpc.this[0]: Refreshing state... [id=vpc-004c2d1ba7394b3d6]
## ...
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
db_password = <sensitive>
db_username = <sensitive>
lb_url = "http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/"
vpc_id = "vpc-004c2d1ba7394b3d6"
web_server_count = 4
Notice that Terraform redacts the values of the outputs marked as sensitive.
Use terraform output to query the database password by name, and notice that Terraform will not redact the value when you specify the output by name.
$ terraform output db_password
"notasecurepassword"
Terraform stores all output values, including those marked as sensitive, as plain text in your state file.
Use the grep command to see the values of the sensitive outputs in your state file.
$ grep --after-context=10 outputs terraform.tfstate
"outputs": {
"db_password": {
"value": "notasecurepassword",
"type": "string",
"sensitive": true
},
"db_username": {
"value": "admin",
"type": "string",
"sensitive": true
},
Pull down your remote state file from HCP Terraform.
$ terraform state pull > terraform.tfstate
Use the grep command to see the values of the sensitive outputs in your state file.
$ grep --after-context=10 outputs terraform.tfstate
"outputs": {
"db_password": {
"value": "notasecurepassword",
"type": "string",
"sensitive": true
},
"db_username": {
"value": "admin",
"type": "string",
"sensitive": true
},
Tip
If you are using an operating system without the grep command, open the terraform.tfstate file in your text editor and search for outputs to review the relevant lines.
The sensitive argument for outputs can help avoid inadvertent exposure of those values. However, you must still keep your Terraform state secure to avoid exposing these values.
The Terraform CLI output is designed to be parsed by humans. To get machine-readable format for automation, use the -json flag for JSON-formatted output.
$ terraform output -json
{
"db_password": {
"sensitive": true,
"type": "string",
"value": "notasecurepassword"
},
"db_username": {
"sensitive": true,
"type": "string",
"value": "admin"
},
"lb_url": {
"sensitive": false,
"type": "string",
"value": "http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/"
},
"vpc_id": {
"sensitive": false,
"type": "string",
"value": "vpc-004c2d1ba7394b3d6"
},
"web_server_count": {
"sensitive": false,
"type": "number",
"value": 4
}
}
Terraform does not redact sensitive output values with the -json option, because it assumes that an automation tool will use the output.
Before moving on, destroy the infrastructure you created in this tutorial to avoid incurring unnecessary costs. Be sure to respond to the confirmation prompt with yes.
$ terraform destroy
##...
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
##...
Apply complete! Resources: 0 added, 0 changed, 46 destroyed.
If you used HCP Terraform for this tutorial, after destroying your resources, delete the learn-terraform-outputs workspace from your HCP Terraform organization.
In this tutorial you used Terraform outputs to query data about your infrastructure. Terraform outputs let you share data between Terraform configurations, and with other tools and automation. Outputs are also the only way to share data from a child module to your configuration's root module.
Now that you know how to use Terraform outputs, check out the following resources for more information.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4