Output data from Terraform
Terraform output values let you export structured data about your resources. You can use this data to configure other parts of your infrastructure with automation tools, or as a data source for another Terraform workspace. Outputs are also how you expose data from a child module to a root module.
In this tutorial, you will use Terraform to deploy application infrastructure
on AWS and use outputs to get information about the resources. Then, you will
use the sensitive
flag to reduce the risk of inadvertently disclosing the
database administrator username and password. You will also learn how to format outputs into machine-readable JSON.
Prerequisites
You can complete this tutorial using the same workflow with either Terraform Community Edition or HCP Terraform. HCP Terraform is a platform that you can use to manage and execute your Terraform projects. It includes features like remote state and execution, structured plan output, workspace resource summaries, and more.
Select the HCP Terraform tab to complete this tutorial using HCP Terraform.
This tutorial assumes that you are familiar with the Terraform workflow. If you are new to Terraform, complete the Get Started collection first.
In order to complete this tutorial, you will need the following:
- Terraform v1.2+ installed locally.
- An AWS account with local credentials configured for use with Terraform.
Note
Some of the infrastructure in this tutorial may not qualify for the AWS free tier. Destroy the infrastructure at the end of the tutorial to avoid unnecessary charges. We are not responsible for any charges that you incur.
Create infrastructure
Clone the example repository for this tutorial, which contains Terraform configuration for a web application including a VPC, load balancer, EC2 instances, and a database.
$ git clone https://github.com/hashicorp/learn-terraform-outputs.git
Change to the repository directory.
$ cd learn-terraform-outputs
Initialize this configuration.
$ terraform initInitializing the backend...##...Terraform has been successfully initialized!You may now begin working with Terraform. Try running "terraform plan" to seeany changes that are required for your infrastructure. All Terraform commandsshould now work.If you ever set or change modules or backend configuration for Terraform,rerun this command to reinitialize your working directory. If you forget, othercommands will detect it and remind you to do so if necessary.
Now apply the configuration. Respond yes
to the prompt to confirm the operation.
$ terraform apply##...Plan: 46 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes##... Apply complete! Resources: 46 added, 0 changed, 0 destroyed.
Output VPC and load balancer information
You can add output declarations anywhere in your Terraform configuration files.
However, we recommend defining them in a separate file called outputs.tf
to
make it easier for users to understand your configuration and review its expected outputs.
Add a block to outputs.tf
to show the ID of the VPC.
outputs.tf
output "vpc_id" { description = "ID of project VPC" value = module.vpc.vpc_id}
While the description
argument is optional, you should include it in all
output declarations to document the intent and content of the output.
You can use the result of any Terraform
expression
as the value of an output. Add the following definitions to outputs.tf
.
outputs.tf
output "lb_url" { description = "URL of load balancer" value = "http://${module.elb_http.elb_dns_name}/"} output "web_server_count" { description = "Number of web servers provisioned" value = length(module.ec2_instances.instance_ids)}
The lb_url
output uses string
interpolation
to create a URL from the load balancer's domain name. The web_server_count
output uses the length()
function to
calculate the number of instances attached to the load balancer.
Terraform stores output values in the configuration's state file. In order to see these outputs,
you need to update the state by applying this new configuration, even though the
infrastructure will not change. Respond to the confirmation prompt with a yes
.
$ terraform applyrandom_string.lb_id: Refreshing state... [id=5YI]module.vpc.aws_vpc.this[0]: Refreshing state... [id=vpc-004c2d1ba7394b3d6] ## ... Plan: 0 to add, 0 to change, 0 to destroy. Changes to Outputs: + lb_url = "http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/" + vpc_id = "vpc-004c2d1ba7394b3d6" + web_server_count = 4 Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes Apply complete! Resources: 0 added, 0 changed, 0 destroyed. Outputs: lb_url = "http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/"vpc_id = "vpc-004c2d1ba7394b3d6"web_server_count = 4
Query outputs
After creating the outputs, use the
terraform output
command to query all of them.
$ terraform outputlb_url = "http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/"vpc_id = "vpc-004c2d1ba7394b3d6"web_server_count = 4
Next, query an individual output by name.
$ terraform output lb_url"http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/"
Starting with version 0.14, Terraform wraps string outputs in quotes by
default. You can use the -raw
flag when querying a specified output for
machine-readable format.
$ terraform output -raw lb_urlhttp://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/
Use the lb_url
output value with the -raw
flag to cURL the load balancer
and verify the response.
$ curl $(terraform output -raw lb_url)<html><body><div>Hello, world!</div></body></html>
If you are using HCP Terraform, you can also find a table of your configuration's outputs on your workspace's overview page.
Redact sensitive outputs
You can designate Terraform outputs as sensitive. Terraform will redact the values of sensitive outputs to avoid accidentally printing them out to the console. Use sensitive outputs to share sensitive data from your configuration with other Terraform modules, automation tools, or HCP Terraform workspaces.
Terraform will redact sensitive outputs when planning, applying, or destroying your configuration, or when you query all of your outputs. Terraform will not redact sensitive outputs in other cases, such as when you query a specific output by name, query all of your outputs in JSON format, or when you use outputs from a child module in your root module.
Add the following output blocks to your outputs.tf
file. Note that the sensitive
attribute is set to true
.
outputs.tf
output "db_username" { description = "Database administrator username" value = aws_db_instance.database.username sensitive = true} output "db_password" { description = "Database administrator password" value = aws_db_instance.database.password sensitive = true}
Apply this change to add these outputs to your state file, and respond to the
confirmation prompt with yes
.
$ terraform applyrandom_string.lb_id: Refreshing state... [id=5YI]module.vpc.aws_vpc.this[0]: Refreshing state... [id=vpc-004c2d1ba7394b3d6] ## ... Apply complete! Resources: 0 added, 0 changed, 0 destroyed. Outputs: db_password = <sensitive>db_username = <sensitive>lb_url = "http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/"vpc_id = "vpc-004c2d1ba7394b3d6"web_server_count = 4
Notice that Terraform redacts the values of the outputs marked as sensitive.
Use terraform output
to query the database password by name, and notice that
Terraform will not redact the value when you specify the output by name.
$ terraform output db_password"notasecurepassword"
Terraform stores all output values, including those marked as sensitive, as plain text in your state file.
Use the grep
command to see the values of the sensitive
outputs in your state file.
$ grep --after-context=10 outputs terraform.tfstate "outputs": { "db_password": { "value": "notasecurepassword", "type": "string", "sensitive": true }, "db_username": { "value": "admin", "type": "string", "sensitive": true },
The sensitive
argument for outputs can help avoid inadvertent exposure of
those values. However, you must still keep your Terraform state secure to avoid
exposing these values.
Generate machine-readable output
The Terraform CLI output is designed to be parsed by humans. To get
machine-readable format for automation, use the -json
flag for JSON-formatted
output.
$ terraform output -json{ "db_password": { "sensitive": true, "type": "string", "value": "notasecurepassword" }, "db_username": { "sensitive": true, "type": "string", "value": "admin" }, "lb_url": { "sensitive": false, "type": "string", "value": "http://lb-5YI-project-alpha-dev-2144336064.us-east-1.elb.amazonaws.com/" }, "vpc_id": { "sensitive": false, "type": "string", "value": "vpc-004c2d1ba7394b3d6" }, "web_server_count": { "sensitive": false, "type": "number", "value": 4 }}
Terraform does not redact sensitive output values with the -json
option,
because it assumes that an automation tool will use the output.
Clean up your infrastructure
Before moving on, destroy the infrastructure you created in this tutorial to
avoid incurring unnecessary costs. Be sure to respond to the confirmation
prompt with yes
.
$ terraform destroy##...Do you really want to destroy all resources? Terraform will destroy all your managed infrastructure, as shown above. There is no undo. Only 'yes' will be accepted to confirm. Enter a value: yes##...Apply complete! Resources: 0 added, 0 changed, 46 destroyed.
If you used HCP Terraform for this tutorial, after destroying your resources, delete the learn-terraform-outputs
workspace from your HCP Terraform organization.
Next steps
In this tutorial you used Terraform outputs to query data about your infrastructure. Terraform outputs let you share data between Terraform configurations, and with other tools and automation. Outputs are also the only way to share data from a child module to your configuration's root module.
Now that you know how to use Terraform outputs, check out the following resources for more information.
- Read the Terraform Outputs documentation.
- Manage sensitive data in state.
- Use and create Terraform modules.
- Connect HCP Terraform Workspaces with run triggers, and use outputs from one workspace to configure another workspace.