2.06 - Terraform Input Variables
Overview
Input variables in Terraform allow you to parameterize your configurations, making them reusable across environments without modifying source code.
Abstract
Terraform supports multiple ways to supply values to input variables — from interactive prompts and CLI flags to environment variables and .tfvars files. Understanding how each method works and which takes precedence is essential for building flexible, production-grade infrastructure configurations.
Key Concepts
| Concept | Description |
|---|---|
| `variable` block | Declares an input variable; `default` is optional |
| Interactive mode | Terraform prompts for values at runtime if no default or value is set |
| `-var` flag | Pass a value inline via the CLI |
| `TF_VAR_<name>` | Environment variable form of variable assignment |
| `.tfvars` / `.tfvars.json` | Variable definition files for bulk assignment |
| `.auto.tfvars` | Auto-loaded variable definition files |
| `-var-file` | Explicitly load a named variable definition file |
Ways to Assign Variable Values
1. Default Values (in variables.tf)
```hcl
variable "filename" {
  default = "/root/pets.txt"
}

variable "content" {
  default = "We love pets!"
}

variable "prefix" {
  default = "Mrs"
}

variable "separator" {
  default = "."
}

variable "length" {
  default = 2
}
```
2. Interactive Mode
When no default or external value is provided, Terraform prompts at runtime:
```
$ terraform apply
var.content
  Enter a value: We love Pets!
var.filename
  Enter a value: /root/pets.txt
var.length
  Enter a value: 2
```
3. Command Line Flags
Pass values directly using -var:
```bash
terraform apply \
  -var "filename=/root/pets.txt" \
  -var "content=We love Pets!" \
  -var "prefix=Mrs" \
  -var "separator=." \
  -var "length=2"
```
4. Environment Variables
Prefix the variable name with TF_VAR_:
```bash
export TF_VAR_filename="/root/pets.txt"
export TF_VAR_content="We love pets!"
export TF_VAR_prefix="Mrs"
export TF_VAR_separator="."
export TF_VAR_length="2"
terraform apply
```
5. Variable Definition Files (.tfvars)
Create a file (e.g. terraform.tfvars) using HCL assignment syntax:
Auto-loaded files (no flag needed):
For custom-named files, pass explicitly:
Variable Definition File Loading Rules
| File Name | Auto-loaded? |
|---|---|
| `terraform.tfvars` | ✅ Yes |
| `terraform.tfvars.json` | ✅ Yes |
| `*.auto.tfvars` | ✅ Yes (alphabetical order) |
| `*.auto.tfvars.json` | ✅ Yes (alphabetical order) |
| Any other `.tfvars` name | ❌ No; requires `-var-file` flag |
Variable Definition Precedence
When the same variable is assigned by multiple methods, Terraform uses this precedence order (lowest → highest):
| Order | Method | Notes |
|---|---|---|
| 1 | Environment variables (`TF_VAR_*`) | Lowest priority |
| 2 | `terraform.tfvars` | |
| 3 | `*.auto.tfvars` / `*.auto.tfvars.json` | Alphabetical order |
| 4 | `-var` or `-var-file` (CLI flags) | Highest priority |
Example: Given the following simultaneous assignments for filename:
```
# Environment variable
export TF_VAR_filename="/root/cats.txt"             # order 1

# terraform.tfvars
filename = "/root/pets.txt"                         # order 2

# variable.auto.tfvars
filename = "/root/mypet.txt"                        # order 3

# CLI flag
terraform apply -var "filename=/root/best-pet.txt"  # order 4 ← wins
```
Terraform will use /root/best-pet.txt.
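The precedence rules above can be modelled to audit which source actually supplies a value, for example to spot a stray `*.auto.tfvars` file silently overriding a pipeline's `TF_VAR_*` setting. This is an added example, not code from the original page or from Terraform; the function names and the `custom.tfvars` entry are assumptions, and it additionally models defaults (lowest of all), `terraform.tfvars.json`, and left-to-right CLI flag order.

```python
AUTO_SUFFIXES = (".auto.tfvars", ".auto.tfvars.json")

def assignments(var, defaults, env, files, cli):
    """List every (value, source) that sets `var`, lowest precedence first.

    defaults: {name: value} taken from variable blocks
    env:      environment mapping; only TF_VAR_<name> is consulted
    files:    {file name: {name: value}} for .tfvars files in the working directory
    cli:      [("-var", "name=value") or ("-var-file", "file name")] in command-line order
    """
    found = []
    if var in defaults:
        found.append((defaults[var], "default"))
    if "TF_VAR_" + var in env:
        found.append((env["TF_VAR_" + var], "TF_VAR_" + var))
    # terraform.tfvars.json is read directly after terraform.tfvars.
    auto = ["terraform.tfvars", "terraform.tfvars.json"]
    auto += sorted(n for n in files if n.endswith(AUTO_SUFFIXES))  # alphabetical
    for name in auto:
        if var in files.get(name, {}):
            found.append((files[name][var], name))
    for flag, arg in cli:  # later flags override earlier ones
        if flag == "-var":
            key, _, value = arg.partition("=")
            if key == var:
                found.append((value, "-var"))
        elif flag == "-var-file" and var in files.get(arg, {}):
            found.append((files[arg][var], "-var-file " + arg))
    return found

def effective(var, defaults, env, files, cli):
    """Return the winning (value, source), or None if Terraform would prompt."""
    found = assignments(var, defaults, env, files, cli)
    return found[-1] if found else None

# Constructed inputs mirroring the page's filename example, plus a custom file.
DEFAULTS = {"filename": "/root/pets.txt"}
ENV = {"TF_VAR_filename": "/root/cats.txt"}
FILES = {
    "terraform.tfvars": {"filename": "/root/pets.txt"},
    "variable.auto.tfvars": {"filename": "/root/mypet.txt"},
    "custom.tfvars": {"filename": "/root/custom.txt"},  # not auto-loaded
}

if __name__ == "__main__":
    cli = [("-var", "filename=/root/best-pet.txt")]
    for value, source in assignments("filename", DEFAULTS, ENV, FILES, cli):
        print(f"{source:24} {value}")
```

Without any CLI flag the winner is `variable.auto.tfvars`, not the environment variable, which is the case that most often surprises pipeline authors.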
Best Practices
- Always define variables in a dedicated `variables.tf` file for clarity.
- Use `terraform.tfvars` for environment-specific overrides (dev, staging, prod).
- Use `.auto.tfvars` files for team-shared defaults that apply automatically.
- Avoid relying on interactive mode in automated pipelines; always supply values explicitly.
- Use `description` and `type` fields in variable blocks to improve readability and validation.
Security Best Practices
- Never commit `.tfvars` files containing secrets (passwords, tokens, keys) to version control. Add them to `.gitignore`.
- Use `TF_VAR_*` environment variables for secrets in CI/CD pipelines rather than flat files.
- For production secrets, use a secrets manager (AWS Secrets Manager, HashiCorp Vault) and inject at runtime.
- Mark sensitive variables with `sensitive = true` to suppress output in plan/apply logs.
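One way to enforce the first rule is a pre-commit or CI check that flags tracked `.tfvars` files assigning a literal to a secret-looking variable. This is an added example, not part of the original page; the name heuristic, function names and sample files are assumptions, only single-line HCL string assignments are handled, and values are never returned so the check itself cannot leak them.

```python
import re

# Assumed heuristic (not from the page): name segments that suggest a credential.
SECRET_NAME = re.compile(r"(^|_)(password|passwd|secret|token|key)(_|$)", re.I)
# One HCL assignment per line: name = "value", optionally followed by a comment.
ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_-]*)\s*=\s*"(.*)"\s*(?:#.*|//.*)?$')

def secret_assignments(text):
    """Return [(line_no, name)] for non-empty literals assigned to secret-looking names."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = ASSIGN.match(line)  # commented-out lines do not match
        if match and match.group(2) and SECRET_NAME.search(match.group(1)):
            hits.append((line_no, match.group(1)))
    return hits

def audit(tracked):
    """tracked: {path: text} for version-controlled files (paths e.g. from `git ls-files`).

    Returns {path: [(line_no, name)]} for HCL .tfvars files that hold secrets.
    """
    report = {}
    for path, text in tracked.items():
        if not path.endswith(".tfvars"):  # .tfvars.json is out of scope here
            continue
        hits = secret_assignments(text)
        if hits:
            report[path] = hits
    return report

# Constructed sample repository contents; every value is a placeholder.
SAMPLE_TRACKED = {
    "variables.tf": 'variable "db_password" {\n  sensitive = true\n}\n',
    "terraform.tfvars": (
        'filename = "/root/pets.txt"\n'
        '# api_token = "old-constructed-value"\n'
        'db_password = "constructed-value"  # constructed sample\n'
    ),
    "prod.auto.tfvars": 'api_token = ""\nlength = 2\n',
}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE_TRACKED).items():
        for line_no, name in hits:
            print(f"{path}:{line_no}: literal assigned to {name}")
```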
Do and Don't
| ✅ Do | ❌ Don't |
|---|---|
| Use `.tfvars` files for environment-specific values | Hardcode values directly in `main.tf` |
| Use `sensitive = true` for secrets | Log or print sensitive variable values |
| Use `-var-file` for non-standard tfvars filenames | Rely on interactive mode in CI/CD |
| Keep `variables.tf` as the single source of variable declarations | Scatter variable blocks across multiple files |
| Use `TF_VAR_*` in pipelines for secrets | Commit `.tfvars` files with credentials to Git |
Common Mistakes
- Forgetting that only `terraform.tfvars` and `*.auto.tfvars` are auto-loaded; custom names require `-var-file`.
- Assuming environment variables take higher precedence than `.tfvars` files; they don't.
- Using string `"2"` instead of number `2` for numeric variables in `.tfvars` (can cause type errors depending on variable type constraint).
- Defining a variable in `variables.tf` but never assigning a value, which causes interactive prompts or plan failure.
Quick Recap
- Variables are declared in `variables.tf`; `default` is optional.
- Without a value, Terraform enters interactive mode at `terraform apply`.
- Values can be passed via CLI flags, env vars, `.tfvars` files, or defaults.
- `terraform.tfvars` and `*.auto.tfvars` are loaded automatically.
- CLI `-var` and `-var-file` flags have the highest precedence.
- Precedence order: env vars → `terraform.tfvars` → `*.auto.tfvars` → CLI flags.
Interview / Revision Notes
- Q: What happens if a variable has no default and no value is supplied?
  A: Terraform prompts interactively. In non-interactive pipelines, this causes a failure.
- Q: Which takes higher precedence: `TF_VAR_*` or `terraform.tfvars`?
  A: `terraform.tfvars` (order 2) overrides environment variables (order 1).
- Q: How do you load a file named `custom.tfvars`?
  A: `terraform apply -var-file custom.tfvars`; it is not auto-loaded.
- Q: What is the highest-priority method to assign a variable?
  A: `-var` or `-var-file` CLI flags.
- Q: In what order are multiple `.auto.tfvars` files loaded?
  A: Alphabetical order.