Terraform 14: Output values
easy⏱ 5 mincourseterraform
Declaring outputs
An output block has a value (any expression, usually a resource attribute) and an optional description. After terraform apply, outputs print to the console and are queryable with terraform output <name> — perfect for wiring pipelines together.
# outputs.tf
output "resource_group_id" {
value = azurerm_resource_group.app.id
description = "ID of the created resource group."
}
output "resource_group_name" {
value = azurerm_resource_group.app.name
}
sensitive = true hides values in output
Mark secret-bearing outputs with sensitive = true. Terraform then prints <sensitive> instead of the value in plan/apply logs (it's still stored in state, so protect state too). Any output that references a sensitive value must also be marked sensitive, or Terraform errors.
output "kv_uri" {
value = azurerm_key_vault.main.vault_uri
}
output "admin_connection_string" {
value = azurerm_key_vault_secret.conn.value
sensitive = true # printed as <sensitive> in the CLI
}
Outputs are a module's public API
When you call a child module, the only things the parent can read back are that module's outputs (accessed as module.<name>.<output>). So design outputs deliberately — they're the contract other code depends on.
Redact sensitive outputs
Given an outputs array where each item is { name, value, sensitive }, write printable(outputs) returning a new array of { name, value } where any sensitive: true entry has its value replaced with the string "<sensitive>". Log JSON.stringify(printable(outputs)) — the secret's value must be redacted, the non-secret must be intact.