2.08 - Terraform Output Variables

Overview

Output variables expose values from your Terraform configuration after apply — making resource attributes visible in the terminal and available to external tools like Ansible or shell scripts.

Abstract

Output variables serve as a bridge between Terraform-managed infrastructure and the outside world. They print key resource attributes at the end of terraform apply and can be queried directly, fed into automation pipelines, or consumed by other tools in your stack.


Key Concepts

| Concept | Description |
|---|---|
| output block | Declares a value to be displayed after terraform apply |
| value | Required — the attribute or expression to expose |
| description | Optional — documents what the output represents |
| terraform output | CLI command to query all outputs after apply |
| terraform output <name> | Returns the value of a specific named output |

Output Block Syntax

output "<variable_name>" {
  value       = "<variable_value>"
  description = "<optional description>"
  # other optional arguments: sensitive, depends_on
}

Example

output "pet-name" {
  value       = random_pet.my-pet.id
  description = "Record the value of pet ID generated by the random_pet resource"
}

This captures the id attribute of the random_pet.my-pet resource and exposes it as an output named pet-name.


Full Configuration Example

main.tf

resource "local_file" "pet" {
  filename = var.filename
  content  = "My favorite pet is ${random_pet.my-pet.id}"
}

resource "random_pet" "my-pet" {
  prefix    = var.prefix
  separator = var.separator
  length    = var.length
}

output "pet-name" {
  value       = random_pet.my-pet.id
  description = "Record the value of pet ID generated by the random_pet resource"
}

variables.tf

variable "filename"  { default = "/root/pets.txt" }
variable "content"   { default = "I love pets!" }
variable "prefix"    { default = "Mrs" }
variable "separator" { default = "." }
variable "length"    { default = "1" }

Output at Apply Time

Outputs are printed automatically at the end of terraform apply:

$ terraform apply
.
.
Outputs:

pet-name = Mrs.gibbon

Querying Outputs

After apply, outputs can be queried at any time without re-running a full apply.

List all outputs:

terraform output
# pet-name = Mrs.gibbon

Query a specific output by name:

terraform output pet-name
# Mrs.gibbon

This is especially useful in CI/CD pipelines where downstream steps need a specific value.


Using Outputs with External Tools

Output variables are the primary mechanism for passing Terraform-managed values to other tools in your automation stack:

| Tool | Use case |
|---|---|
| Ansible | Pass resource IDs, IPs, or hostnames into playbook inventory or vars |
| Shell scripts | Capture outputs with $(terraform output -raw <name>) for use in commands |
| Other Terraform modules | Reference outputs from one module as inputs to another |

# Example: use output in a shell script
INSTANCE_IP=$(terraform output -raw instance_ip)
# Quote the expansion so an unexpected value cannot be word-split by the shell
ssh "ec2-user@${INSTANCE_IP}"

Best Practices

  • Always add a description to outputs — it serves as self-documenting infrastructure.
  • Expose only the values that downstream tools or team members actually need.
  • Use sensitive = true for outputs that contain secrets — this suppresses them from CLI output and logs.
  • Organise outputs in a dedicated outputs.tf file for larger configurations.
  • Use terraform output -raw <name> (no quotes around the value) when consuming outputs in scripts.

Security Best Practices

Security

  • Never output secrets, passwords, or private keys without marking them sensitive = true.
  • Sensitive outputs are still stored in Terraform state — restrict access to state files.
  • Avoid piping raw outputs directly into logs or CI/CD job summaries where they could be exposed: terraform output -raw and terraform output -json print sensitive values in plain text.

output "db_password" {
  value     = aws_db_instance.main.password
  sensitive = true
}
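
A CI check for the points above, as an added example that is not part of the original page: it reads a document in the shape printed by terraform output -json, flags outputs whose names suggest a secret but are not marked sensitive, and builds a summary that is safe to write to a job log. The name heuristic, the function names and the sample values are assumptions made for illustration.

```python
import json
import re

# Name fragments that usually indicate a secret (assumed heuristic, tune per project).
SECRET_HINT = re.compile(r"password|passwd|secret|token|private[_-]?key|api[_-]?key", re.I)

# Constructed sample in the shape printed by `terraform output -json`:
# each output name maps to an object with "sensitive", "type" and "value".
SAMPLE_OUTPUTS = json.dumps({
    "pet-name": {"sensitive": False, "type": "string", "value": "Mrs.gibbon"},
    "db_password": {"sensitive": True, "type": "string", "value": "constructed-example-1"},
    "api_token": {"sensitive": False, "type": "string", "value": "constructed-example-2"},
})


def load_outputs(raw_json):
    """Parse the JSON document and check that it has the expected shape."""
    outputs = json.loads(raw_json)
    if not isinstance(outputs, dict):
        raise ValueError("expected a JSON object keyed by output name")
    for name, body in outputs.items():
        if not isinstance(body, dict) or "value" not in body:
            raise ValueError(f"output {name!r} has no 'value' field")
    return outputs


def unmarked_secrets(outputs):
    """Return names that look like secrets but are not marked sensitive."""
    return sorted(
        name for name, body in outputs.items()
        if SECRET_HINT.search(name) and not body.get("sensitive", False)
    )


def redacted_summary(outputs):
    """Build a log-safe view: sensitive or suspicious values are masked."""
    flagged = set(unmarked_secrets(outputs))
    summary = {}
    for name, body in outputs.items():
        hide = body.get("sensitive", False) or name in flagged
        summary[name] = "<sensitive>" if hide else body["value"]
    return summary


if __name__ == "__main__":
    outs = load_outputs(SAMPLE_OUTPUTS)
    print(json.dumps(redacted_summary(outs), indent=2))
    missing = unmarked_secrets(outs)
    if missing:
        raise SystemExit(f"outputs not marked sensitive: {', '.join(missing)}")
```

In a pipeline, the JSON would come from terraform output -json captured into a variable rather than echoed, and the non-zero exit fails the job before any later step can print the value.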

Do and Don't

| ✅ Do | ❌ Don't |
|---|---|
| Add description to every output | Leave outputs undocumented |
| Use sensitive = true for secret values | Print raw secrets to terminal output |
| Use terraform output -raw in shell scripts | Parse terraform output with regex — format can change |
| Keep outputs in a dedicated outputs.tf | Scatter output blocks across multiple resource files |
| Output only what external tools need | Over-expose internal resource details |

Common Mistakes

  • Forgetting that terraform output only works after a successful terraform apply — it reads from state.
  • Using terraform output in scripts without -raw, which adds quotes around string values and breaks variable assignment.
  • Not marking sensitive outputs with sensitive = true, causing secrets to appear in CI/CD logs.
  • Defining outputs in main.tf instead of a dedicated outputs.tf, making large configurations hard to navigate.

Quick Recap

  • output blocks expose resource attribute values after terraform apply.
  • Required argument: value. Optional: description, sensitive, depends_on.
  • Outputs print automatically at the end of apply under the Outputs: section.
  • Use terraform output to list all, or terraform output <name> for a specific value.
  • Use terraform output -raw <name> in scripts to get the plain value without quotes.
  • Outputs feed values into Ansible, shell scripts, other Terraform modules, and CI/CD pipelines.

Interview / Revision Notes

  • Q: What is the purpose of an output variable in Terraform?
    A: To expose resource attribute values after apply — for display, debugging, and consumption by external tools.

  • Q: What is the only required argument in an output block?
    A: value — the expression or attribute to expose.

  • Q: How do you retrieve a specific output value from the CLI?
    A: terraform output <output_name> — or terraform output -raw <output_name> for scripts.

  • Q: When are outputs printed during a Terraform workflow?
    A: At the end of terraform apply, under the Outputs: section.

  • Q: How do you prevent a sensitive value from appearing in CLI output?
    A: Set sensitive = true in the output block.

  • Q: Can outputs be used by tools outside of Terraform?
    A: Yes — outputs are commonly consumed by Ansible, shell scripts, CI/CD pipelines, and other Terraform modules.