Back to course

Sensitive Variables

Infrastructure as Code (Terraform & OpenTofu Mastery)

Hiding Passwords from Logs

If you define a database password as a variable, OpenTofu might print it in your terminal logs. To prevent this, use the sensitive flag.

hcl variable "db_password" { type = string sensitive = true }

Now, in the terminal output, the value will show as (sensitive value) instead of password123.