New Terraform Tutorial: Sensitive Input Variables
A new tutorial on HashiCorp Learn shows how to protect sensitive data with Terraform.
HashiCorp Terraform configuration often includes sensitive inputs, such as passwords, API tokens, or Personally Identifiable Information (PII). Terraform provides several features to help avoid accidentally exposing sensitive data.
Learn to Protect Sensitive Inputs
Follow our new tutorial on HashiCorp Learn, Protect Sensitive Input Variables. In this tutorial, you will provision a web application using Terraform, and use the `sensitive` variable flag to set sensitive values. You will also learn about ways to manage sensitive values in your Terraform state.
Use the “sensitive” Flag
New in Terraform 0.14, input variables now support the `sensitive` flag. Terraform will redact the values of sensitive variables in console and log output, to reduce the risk of accidentally disclosing these values.
![Code block defining variable "db_password"](/_next/image?url=https%3A%2F%2Fwww.datocms-assets.com%2F2885%2F1609960116-tf-input-1.png&w=3840&q=75)
When you apply this configuration, Terraform redacts the sensitive value from its console output.
![Code block running `terraform apply`. Output shows warnining that attribute value will be marked as sensitive and will not display in UI output.](/_next/image?url=https%3A%2F%2Fwww.datocms-assets.com%2F2885%2F1609960199-tf-input-2.png&w=3840&q=75)
This feature helps prevent accidental disclosure of sensitive values, but is not sufficient to fully secure your Terraform configuration.
Secure Terraform State
Even when a variable is marked sensitive, Terraform still needs to store the value in its state file, so that it can correctly apply configuration changes.
![Code block running `grep "password" terraform.tfstate`](/_next/image?url=https%3A%2F%2Fwww.datocms-assets.com%2F2885%2F1609960313-tf-inputs-3.png&w=3840&q=75)
In this tutorial, you will learn about several methods that Terraform and other HashiCorp products provide to secure your state file.
Sign up for the latest HashiCorp news
More blog posts like this one
![Terraform extension for VS Code speeds up loading of large workspaces](/_next/image?url=https%3A%2F%2Fwww.datocms-assets.com%2F2885%2F1714155806-blog-library-product-terraform-dark-gradient.jpg&w=3840&q=75)
Terraform extension for VS Code speeds up loading of large workspaces
New releases of the HashiCorp Terraform extension for Visual Studio Code and Terraform language server significantly reduce memory usage and start up time for large workspaces.
![Why use Vault-backed dynamic credentials to secure HCP Terraform infrastructure?](/_next/image?url=https%3A%2F%2Fwww.datocms-assets.com%2F2885%2F1572286031-vault-terraform-background.png&w=1920&q=75)
Why use Vault-backed dynamic credentials to secure HCP Terraform infrastructure?
Learn how HCP Terraform and Terraform Enterprise users can use Vault-backed dynamic credentials to secure their infrastructure during provisioning better than the base-level dynamic provider credentials.
![HCP Terraform adds granular API access for audit trails](/_next/image?url=https%3A%2F%2Fwww.datocms-assets.com%2F2885%2F1714170900-blog-library-product-hcp-terraform-dark.jpg&w=3840&q=75)
HCP Terraform adds granular API access for audit trails
HCP Terraform eliminates the need to rely on organization permissions to the audit trails endpoint, streamlining permissions workflows and reducing risk.