How to create and manage Terraform Cloud variable sets at organization and project levels, apply scopes to workspaces, and understand precedence and Priority for overriding variables.
Welcome back to HashiCorp Certified: Terraform Associate 004. In this lesson we demonstrate how to create and apply Terraform Cloud variable sets at the organization and project levels, and how variable precedence works when sets are applied to workspaces.
What you’ll learn
How to create an organization-level variable set and apply it organization-wide or to specific projects/workspaces.
How to create a project-level variable set and scope it to a project or its workspaces.
How variable precedence (including the Priority option) affects the effective value in a workspace.
Open your Terraform Cloud organization and navigate to Settings → Variable Sets.
Go to Settings → Variable Sets and click Create variable set → Organization.
Give the set a clear name and description (for example: Name: AWS Production, Description: production credentials).
Choose the scope:
Apply to all projects and workspaces (organization-wide)
Apply to specific projects and workspaces
Organization-level variable sets are useful for values shared across many projects or workspaces (for example, organization-wide configuration or shared service credentials). If you need strict isolation for secrets, prefer narrowly scoped sets or other secret management practices.
When applying to specific projects, any current or future workspaces within those projects will inherit the variable set automatically.
At the bottom of the variable set creation screen there is a Priority option:
When Priority is enabled, variables in the variable set will override variables with the same name in more specific scopes (for example, workspace-level variables).
When Priority is unchecked, the usual precedence applies where more specific scopes (workspace) override less specific ones (organization/project).
Click Add variable to create entries in the set. For each entry, choose whether it is a Terraform variable or an environment variable.
Mark secret values as Sensitive — these are encrypted and hidden in the UI.
Example AWS credential names:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
After adding variables, click Create variable set. The new organization-level set will appear in the Variable Sets list with its scope and variables visible to users with the appropriate permissions.
You can create variable sets from within a project:
Navigate to the project (for example, HCP demo) → Settings → Variable Sets.
Click Create variable set → Project.
Name the set, choose scope (entire project or specific workspaces within the project), add variables, and mark Sensitive values as needed.
Optionally enable Priority if you want this set to override workspace-level values.
Notes:
Project-level variable sets are visible only within the project.
You cannot create an organization-wide scope from inside a project — organization-level sets must be created from the organization Settings page.
Workspaces not associated with the project will not appear in the selection list.
When applied, the project-level set is inherited by the selected workspaces or by all workspaces in the project depending on the chosen scope.
When you open a workspace’s Variables page you’ll see all applied variable sets (organization, project, workspace) and which variables are inherited from each.
Use clear, descriptive names and descriptions for variable sets to make intent obvious.
Mark all secrets as Sensitive — Terraform Cloud encrypts and hides these values in the UI.
Prefer narrow scoping for secrets; only apply highly privileged credentials where necessary.
Use Priority deliberately — it changes the usual precedence behavior.
Enabling Priority on a variable set causes its values to override more specific workspace variables. Use Priority sparingly and document any cases where you rely on it to avoid accidental overrides.
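The precedence and scoping rules above can be checked offline before changing anything in the UI. The following Python sketch is an added example, not part of the lesson or of Terraform Cloud: it models variable sets as plain data, resolves which source wins for a variable in one workspace, and flags organization-wide sensitive sets and Priority overrides. The inventory, the workspace name `app-dev`, the `AWS_REGION` entry and the tie-break between two Priority sets are assumptions made for illustration.

```python
from dataclasses import dataclass, field

RANK = {"organization": 0, "project": 1, "workspace": 2}  # higher = more specific

@dataclass
class VarSet:
    name: str
    level: str                      # "organization" or "project"
    variables: dict                 # key -> (value, sensitive)
    priority: bool = False          # the Priority checkbox
    org_wide: bool = False          # "Apply to all projects and workspaces"
    projects: set = field(default_factory=set)
    workspaces: set = field(default_factory=set)

    def applies_to(self, project, workspace):
        return self.org_wide or project in self.projects or workspace in self.workspaces

def resolve(key, project, workspace, ws_vars, sets):
    """Return (value, source) that wins for key in this workspace."""
    found = [(False, RANK["workspace"], ws_vars[key], "workspace")] if key in ws_vars else []
    for s in sets:
        if key in s.variables and s.applies_to(project, workspace):
            found.append((s.priority, RANK[s.level], s.variables[key][0], s.name))
    # Priority beats specificity. Assumption: two Priority sets tie-break on specificity.
    _, _, value, source = max(found, key=lambda c: c[:2], default=(0, 0, None, None))
    return value, source

def audit(project, workspace, ws_vars, sets):
    """Flag broad secret scoping and Priority overrides of workspace variables."""
    findings = []
    for s in sets:
        if s.org_wide and any(sensitive for _, sensitive in s.variables.values()):
            findings.append(f"{s.name}: sensitive values applied organization-wide")
        hidden = sorted(set(s.variables) & set(ws_vars))
        if s.priority and hidden and s.applies_to(project, workspace):
            findings.append(f"{s.name}: Priority overrides workspace values {hidden}")
    return findings

# Constructed inventory (all values are placeholders).
SETS = [
    VarSet("AWS Production", "organization", org_wide=True, variables={
        "AWS_ACCESS_KEY_ID": ("org-key-id-placeholder", True),
        "AWS_SECRET_ACCESS_KEY": ("org-secret-placeholder", True)}),
    VarSet("HCP demo defaults", "project", priority=True, projects={"HCP demo"},
           variables={"AWS_REGION": ("us-east-1", False)}),
]
WS_VARS = {"AWS_ACCESS_KEY_ID": "ws-key-id-placeholder", "AWS_REGION": "eu-west-1"}

print(audit("HCP demo", "app-dev", WS_VARS, SETS))
```

In this inventory the workspace keeps its own `AWS_ACCESS_KEY_ID` because the organization set is not prioritized, while the project set's `AWS_REGION` replaces the workspace value because Priority is enabled.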