Skip to main content
Welcome to this lesson on the Terraform output block. Outputs let you expose important data produced by your Terraform runs—such as IP addresses, DNS names, resource IDs, and connection strings—so people, scripts, and other modules can consume them without digging through cloud consoles or re-running queries.

Why use outputs?

  • Capture useful attributes created by Terraform (VM IPs, DB connection strings, DNS names, etc.).
  • Display important values immediately after terraform apply for quick testing.
  • Persist outputs in state so they can be retrieved later with terraform output.
  • Pass values between modules to enable composable infrastructure.
  • Make CI/CD automation and scripts more reliable using terraform output -json.

Example: Azure resources

These resource blocks create an Azure Resource Group and a Virtual Network. After creation, surface values such as the resource group name, VNet ID, or subnet IDs with outputs so other systems or modules can use them. 
# Azure resource examples
resource "azurerm_resource_group" "prd" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "dv" {
  name                = "example-network"
  resource_group_name = azurerm_resource_group.prd.name
  location            = azurerm_resource_group.prd.location
  address_space       = ["10.0.0.0/16"]
}
Use outputs to export values that are consumed outside this configuration—root modules, CI pipelines, or manual testers.

Basic output examples (AWS resources)

Below are typical outputs you might declare for an EC2 instance and a load balancer. These show simple attribute exposure, composed values, and how to produce a ready-to-use URL. 
# Output Instance IP Address
output "instance_public_ip" {
  description = "Public IP of Server"
  value       = aws_instance.web.public_ip
}

# Output DNS Name for Load Balancer
output "website_dns" {
  description = "Website DNS Record"
  value       = aws_elb.web_app.dns_name
}

# Output Friendly URL of Website
output "website_url" {
  description = "Friendly URL for the website"
  value       = "https://${aws_alb.web.dns_name}"
}
  • instance_public_ip: exposes a single resource attribute.
  • website_dns: exports the load balancer’s DNS name.
  • website_url: composes a click-ready HTTPS URL around a resource attribute.

Dissecting an output block

Each output block typically contains a few common elements:
FieldPurposeExample
nameIdentifier used to reference the outputinstance_public_ip
descriptionOptional human-readable explanation"Public IP of Server"
valueExpression that computes the output (resource attributes, maps, lists, or expressions)aws_instance.web.public_ip
sensitiveHides the value in CLI and logs when set to truesensitive = true
Use description to document intent and sensitive to prevent accidental exposure in terminal output.

Common terraform output commands

Use these commands locally or in automation:
CommandWhat it does
terraform outputShow all outputs (non-sensitive values hidden if marked)
terraform output website_urlShow a single output by name
terraform output -jsonEmit all outputs in JSON for scripts and CI

Sensitive outputs

Mark outputs that contain secrets so Terraform hides them in interactive CLI output and most logs. 
output "db_password" {
  description = "RDS master password"
  value       = aws_db_instance.default.password
  sensitive   = true
}
Mark outputs as sensitive = true for any secret or credential. Sensitive outputs are still recorded in the Terraform state (so secure your backend accordingly). Treat your state file as sensitive data.

Best practices and important considerations

  • Remember outputs are stored in state: protect your state backend and access control.
  • Limit outputs to values that are useful externally (URLs, IPs, IDs required by other systems).
  • Prefer secret managers for long-term secret storage; do not rely solely on outputs for sensitive secrets.
  • Use outputs to pass data between modules: a child module declares outputs that the parent (or other modules) can read.
  • Avoid exposing low-value or noisy attributes that are not consumed by other systems.
Do not store highly sensitive secrets only in outputs unless your state backend is secured and access is tightly controlled. Consider using dedicated secret management solutions for production secrets.

Quick reference table

Use caseExample output
Expose a single attributeoutput "instance_public_ip" { value = aws_instance.web.public_ip }
Compose a URLoutput "website_url" { value = "https://${aws_alb.web.dns_name}" }
Return structured dataoutput "subnet_map" { value = { public = aws_subnet.pub.id, private = aws_subnet.priv.id } }
Mark sensitive valuesoutput "db_password" { value = var.db_password, sensitive = true }

Summary

  • output blocks provide a structured way to expose information from Terraform configurations.
  • Outputs appear after terraform apply, are stored in state, and can be consumed by scripts, CI pipelines, and other modules.
  • Use description and sensitive to make outputs easier and safer to use.
  • Keep outputs focused on externally useful values and secure your state backend.
Further reading and references:

Watch Video

Practice Lab