Terraform Output – What you should know

Written by Bits Lovers on 28 Oct 2021

Terraform outputs are how you get data out of your infrastructure. If you have ever run terraform apply and seen those printed values at the end, those are outputs. They are also the mechanism for passing data between modules and sharing information with other tools.

As your Terraform configurations grow, you will split them into modules. When you do, outputs become the only way to move data from a child module back up to the parent. You will also use them to feed information from one configuration into another through remote state.

What is Terraform Output?

An output value is basically a return value from a Terraform module. Think of input variables as function parameters and output values as the return statement.

There are a few common situations where you need outputs:

Passing resource attributes from a child module to a parent module
Printing values to the CLI after terraform apply
Sharing data with other Terraform configurations using the terraform_remote_state data source
Feeding infrastructure details into automation tools or CI/CD pipelines

To define one, you add an output block to your configuration.

Declaring a Terraform Output Value

Every output has a name and a value. The name is what you use to reference it, and the value is any valid Terraform expression.

output "instance_private_ip" {
  value = aws_instance.web.private_ip
}

The label after output is the name. It needs to be a valid identifier. The value argument takes an expression that Terraform evaluates and returns. In this case, it pulls the private IP from an EC2 instance.

You can also add a description to document what the output is for:

output "db_endpoint" {
  description = "Connection endpoint for the RDS database"
  value       = aws_db_instance.main.endpoint
}

Handling Sensitive Data

When an output contains something like a password or API key, mark it as sensitive:

output "db_password" {
  description = "Auto-generated database password"
  value       = aws_db_instance.main.password
  sensitive   = true
}

Terraform will redact sensitive outputs during terraform plan, terraform apply, and when you run terraform output without flags. It will show <sensitive> instead of the actual value.

But there is a catch. If you query a specific output by name, or use the -json or -raw flags, Terraform will show the value in plain text. This is by design, since those flags are intended for scripting and automation. Just be aware of it.

One thing to remember: outputs are only evaluated during terraform apply. Running terraform plan will not produce output values. Terraform needs to actually create or update the resources first.

Ephemeral Outputs

Starting with Terraform 1.10, you can mark outputs as ephemeral. Unlike sensitive, ephemeral outputs are not stored in the state file at all. This is useful for temporary values like short-lived tokens that should never be persisted:

output "session_token" {
  value     = some_resource.token
  ephemeral = true
}

Ephemeral values are completely omitted from state and plan files, even when queried by name.

depends_on with Outputs

Normally, Terraform figures out dependencies automatically by reading the expression in your output value. If an output references aws_instance.web.private_ip, Terraform knows it depends on that instance.

Sometimes that is not enough. If you need an output to wait for a resource that is not directly referenced in its value expression, use depends_on:

output "instance_ip" {
  value       = aws_instance.web.public_ip
  depends_on  = [aws_security_group.allow_http]
}

Use depends_on sparingly. When you do need it, add a comment explaining why. The next person reading your code will thank you.

Preconditions in Outputs

Since Terraform 1.2, you can add precondition blocks to outputs. These let you validate that a value meets certain criteria before Terraform returns it:

output "instance_ip" {
  value = aws_instance.web.public_ip

  precondition {
    condition     = aws_instance.web.public_ip != ""
    error_message = "The instance must have a public IP assigned."
  }
}

If the condition fails, Terraform will surface the error message during plan or apply. This is a clean way to catch configuration problems early.

Checking Output Values

After terraform apply, outputs print to the console automatically. But you will often want to check them without re-running apply. That is what terraform output is for.

Usage: terraform output [options] [NAME]

With no arguments, it shows all root module outputs. Pass a name to get a specific one.

The available flags:

-json - Prints outputs as a JSON object. Useful for piping into jq or feeding into scripts. If you pass a name, it returns just that output.
-raw - Prints the output as a plain string with no formatting. Handy for shell scripts, but it only works with string, number, and boolean values. Use -json for complex types like lists and maps.
-no-color - Strips color codes from the output.
-state=path - Path to a local state file. Defaults to terraform.tfstate. This is a legacy option that only works with the local backend.

A few practical examples:

# Show all outputs
$ terraform output

instance_private_ip = "10.0.1.42"
db_endpoint = "mydb.c8xmpl.us-east-1.rds.amazonaws.com"
db_password = <sensitive>

# Get a specific output in raw format (useful in scripts)
$ terraform output -raw instance_private_ip
10.0.1.42

# Get all outputs as JSON
$ terraform output -json

When you use -json, you can pipe the result into jq to extract exactly what you need:

$ terraform output -json instance_ips | jq -r '.[0]'
10.0.1.42

Note that terraform output only shows outputs from the root module. If you define outputs in a child module, you need to expose them through the root module first.

Wrapping Up

Outputs are a straightforward concept but a critical part of how Terraform configurations talk to each other. They move data between modules, feed values into automation, and give you the information you need after a deployment.

For more details, check out the official Terraform output documentation.