Terraform requires explicit marking of outputs containing sensitive data like passwords or API keys. Add the sensitive = true attribute to any output value that contains secrets to prevent accidental exposure.
This error occurs when Terraform detects that an output value contains sensitive information (like a database password, API key, or authentication token) but the output has not been explicitly marked with the sensitive = true attribute. Terraform is designed to protect developers from accidentally exposing secrets in CLI output, state files, or logs. Starting with Terraform 0.14, an output that carries sensitive data must be declared as sensitive, which confirms that you intend to output it.
Add the sensitive = true attribute to any output that contains sensitive data:

output "database_password" {
  value     = aws_db_instance.main.password
  sensitive = true
}

output "api_key" {
  value       = aws_secretsmanager_secret_version.api_key.secret_string
  sensitive   = true
  description = "API key for external service"
}

When marked as sensitive, Terraform will redact these values from plan/apply output and prevent accidental logging.
While sensitive = true is sufficient, best practice is to include a description explaining what the output contains:

output "rds_password" {
  description = "Auto-generated password for RDS instance (do not commit to version control)"
  value       = aws_db_instance.production.password
  sensitive   = true
}

This helps other team members understand why the output is marked sensitive and how to use it securely.
Once marked as sensitive, Terraform will show [sensitive] instead of the actual value in CLI output. To view the actual value when needed:

# View all outputs including sensitive ones in JSON format
terraform output -json

# View a specific sensitive output
terraform output -raw database_password

Use these commands carefully and never commit the output to version control or logs.
Remember that sensitive values are still stored in plain text in the Terraform state file. Protect state file access:

# Use remote backend with encryption (AWS S3 with encryption, Terraform Cloud, etc.)
# Restrict state file permissions to authorized users only
# Enable state locking to prevent concurrent modifications

State files must be treated as sensitive secrets regardless of output marking.
If you need to expose a sensitive value in output (not recommended), use the nonsensitive() function:

output "debug_password" {
  value = nonsensitive(aws_db_instance.main.password)
}

This should only be used temporarily for debugging. Remove it before deploying to production, as it exposes secrets in logs and state.
Prevent sensitive values from being displayed when passed through variables:

variable "db_password" {
  type        = string
  sensitive   = true
  description = "Database password (will be redacted from output)"
}

output "connection_password" {
  value     = var.db_password
  sensitive = true
}

This ensures secrets are protected throughout the entire Terraform execution.
When working with sensitive data in Terraform, consider these advanced scenarios:
State File Encryption: Terraform state files contain all sensitive data in plain text. Use a remote backend with encryption (Terraform Cloud, AWS S3 with server-side encryption, Azure Storage with encryption, or encrypted PostgreSQL backend).
CI/CD Pipeline Secrets: When running Terraform in CI/CD systems (GitHub Actions, GitLab CI, Azure DevOps), be careful about what gets logged. Set up secret masking to prevent sensitive values from appearing in build logs even after terraform output.
Ephemeral Outputs (Terraform 1.4+): For temporary data like one-time passwords or temporary credentials, consider using the ephemeral output argument to exclude values from state:

# Ephemeral outputs are only valid in child modules, not in the root module
output "temporary_credentials" {
  value     = module.temporary_access.password
  sensitive = true
  ephemeral = true
}

Secrets Rotation: Sensitive outputs containing credentials should be rotated regularly. Document rotation procedures and store previous values securely.
Multi-Environment Security: In organizations with dev/staging/production environments, ensure different access levels to sensitive outputs. Use separate state files per environment and implement RBAC (role-based access control) in your backend.
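The secret-masking step from the CI/CD Pipeline Secrets paragraph above, as an added example that is not part of the original page: it reads terraform output -json and emits a GitHub Actions ::add-mask:: command for every value held in a sensitive output. The sample JSON is constructed, and the choice of GitHub Actions and the function names are assumptions of this example.

```python
import json
import sys

# Constructed sample of `terraform output -json` (all values are made up).
SAMPLE_OUTPUT_JSON = """
{
  "database_password": {"sensitive": true, "type": "string", "value": "s3cr3t-Example!"},
  "db_endpoint": {"sensitive": false, "type": "string", "value": "db.example.internal:5432"},
  "tls_key": {"sensitive": true, "type": "string", "value": "-----BEGIN KEY-----\\nabc123\\n-----END KEY-----"},
  "service_creds": {"sensitive": true, "type": ["object", {"access_key": "string", "secret_key": "string"}],
                    "value": {"access_key": "AK-0000-example", "secret_key": "tok-0000-example"}}
}
"""


def secret_leaves(value):
    """Yield every scalar leaf of a (possibly nested) output value as text."""
    if isinstance(value, dict):
        for item in value.values():
            yield from secret_leaves(item)
    elif isinstance(value, list):
        for item in value:
            yield from secret_leaves(item)
    elif value is not None and not isinstance(value, bool):
        yield str(value)


def mask_commands(output_json):
    """Return one ::add-mask:: workflow command per line of each sensitive value."""
    commands = []
    outputs = json.loads(output_json)
    for name in sorted(outputs):
        entry = outputs[name]
        if not entry.get("sensitive"):
            continue  # non-sensitive outputs stay readable in the build log
        for leaf in secret_leaves(entry["value"]):
            # Workflow commands are single-line, so a multi-line secret
            # (such as a PEM key) has to be registered line by line.
            commands.extend(f"::add-mask::{line}" for line in leaf.splitlines() if line.strip())
    return commands


if __name__ == "__main__":
    # In a pipeline: terraform output -json | python mask_outputs.py
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(mask_commands(piped.strip() or SAMPLE_OUTPUT_JSON)))
```

Run it before any step that calls terraform output, so the values are registered with the runner before they can reach the log.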