HashiCorp : Terraform Cloud

Securing Variables with Terraform Cloud

Terraform Cloud Variables

Terraform variables in HashiCorp Configuration Language (HCL) let you parameterize your infrastructure code without changing module source files. By centralizing values in Terraform Cloud workspaces, you can:

  • Keep secrets out of version control
  • Reuse the same configurations across environments
  • Simplify CI/CD with remote execution

Warning

Never commit sensitive data (API keys, credentials, or tokens) directly in your .tf files. Always mark secrets as Sensitive in Terraform Cloud.

Workspace Variables vs. Organization Variable Sets

Terraform Cloud offers two scopes for storing variable values:

Variable Scope             | Defined At         | Sensitivity Support | Applies To          | Typical Use Case
Workspace Variables        | Single workspace   | Yes                 | One workspace only  | AWS credentials, DB passwords
Organization Variable Sets | Organization level | Yes                 | Multiple workspaces | Shared cloud provider tokens


Workspace Variables

  • Scoped to an individual workspace.
  • Can be flagged Sensitive to hide in UI, CLI output, and logs.
  • Ideal for per-environment secrets like aws_access_key_id.

Organization Variable Sets

  • Defined at the organization level for reuse.
  • Supports both Terraform input variables and environment variables.
  • Workspaces must opt in to inherit the set.
  • Perfect for credentials or settings shared by multiple projects.

Input Variables vs. Environment Variables

Terraform Cloud recognizes two types of variables:

Variable Type            | Reference in HCL | Common Examples
Terraform Input Variable | var.<name>       | var.subscription_id, var.db_connection
Environment Variable     | <NAME> env var   | AWS_ACCESS_KEY_ID, TF_LOG, GOOGLE_CRED

All variables can be marked Sensitive to prevent exposure in logs or the web UI. Terraform also supports HCL types like string, number, list, and map.

Setting Variables Locally

Even with remote execution, you can still supply values from your workstation:

# Single variable
terraform plan -var="name=value"

# Load from a file
terraform apply -var-file="env.prod.tfvars"

# Export as environment variable
export TF_VAR_region=us-west-2
terraform apply

Terraform 0.10.0+ automatically loads any *.auto.tfvars in your working directory:

# Rename your terraform.tfvars
mv terraform.tfvars terraform.auto.tfvars

Note

Using terraform.auto.tfvars lets you track non-sensitive defaults in Git while still overriding them via the CLI or workspace UI.

(Slide: "Setting Non-Sensitive Variables". Workspaces running Terraform v0.10.0 or later load default values from *.auto.tfvars files; to add many variables at once, use the Terraform Cloud provider or the variables API.)
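The following configuration is an added example, not code from the course page: it shows how the two variable types and the Sensitive flag fit together with a committed *.auto.tfvars file. The organization, workspace, file and variable names (example-org, app-prod, region, instance_tags, db_connection) are assumptions chosen for illustration.

```hcl
# ---- variables.tf (assumed file name) ----

terraform {
  required_version = ">= 1.1.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  # Remote execution in Terraform Cloud. Organization and workspace
  # names are placeholders for this example.
  cloud {
    organization = "example-org"
    workspaces {
      name = "app-prod"
    }
  }
}

# Non-sensitive input: a default here or in *.auto.tfvars is fine,
# and the value may be committed to Git.
variable "region" {
  type        = string
  description = "AWS region for all resources"
  default     = "us-west-2"
}

variable "instance_tags" {
  type        = map(string)
  description = "Tags applied to every instance"
  default     = {}
}

# Sensitive input: deliberately no default, so the value must be
# supplied by the Terraform Cloud workspace (marked Sensitive) or by an
# Organization Variable Set. sensitive = true also redacts the value
# from plan and apply output.
variable "db_connection" {
  type        = string
  description = "Database connection string; set as a Sensitive workspace variable"
  sensitive   = true

  validation {
    condition     = can(regex("^postgres(ql)?://", var.db_connection))
    error_message = "db_connection must be a postgres:// or postgresql:// URL."
  }
}

# ---- main.tf (assumed file name) ----

provider "aws" {
  region = var.region
  # No access_key / secret_key attributes here: the AWS provider reads
  # AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from the environment,
  # which Terraform Cloud injects from Sensitive environment variables
  # defined on the workspace or in a variable set.
}

# ---- terraform.auto.tfvars (loaded automatically; non-sensitive values only) ----
# region = "us-west-2"
# instance_tags = {
#   team = "platform"
#   env  = "prod"
# }
```

With this layout, `terraform plan` run against the workspace fails fast if `db_connection` was never set in Terraform Cloud, and the secret never appears in the repository, the run log, or the web UI, while the non-sensitive defaults remain reviewable in Git.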

Variable Precedence

When a variable exists in multiple locations, Terraform applies values based on this hierarchy (highest → lowest):

  1. CLI flags (-var or -var-file)
  2. Workspace UI variables
  3. Organization Variable Sets
  4. Auto-loaded *.auto.tfvars files

Command-line inputs override workspace settings, which override Organization Variable Sets, which in turn override *.auto.tfvars defaults.

(Slides: order of precedence for Terraform Cloud variables, from command-line variables down to variable sets and *.auto.tfvars files.)

For more details, see the Terraform Cloud Variable Precedence documentation.

Best Practices & Recommendations

  • Store non-sensitive defaults in *.auto.tfvars files and commit them to Git.
  • Keep sensitive values in Terraform Cloud—either at the workspace level or via Organization Variable Sets.
  • Regularly rotate credentials and audit workspace variable access.

