Table of Contents

The Error

Output refers to sensitive values which can't be displayed

What Causes This

Terraform 0.15+ prevents displaying sensitive values in outputs by default. If a resource attribute is marked as sensitive (like aws_db_instance.password), any output referencing it must also be marked sensitive.

How to Fix It

Solution 1: Mark Output as Sensitive

output "db_password" {
  value     = aws_db_instance.main.password
  sensitive = true  # Required for sensitive values
}

Solution 2: Access Sensitive Outputs

# View sensitive output value
terraform output -json db_password
terraform output -raw db_password

# In scripts
DB_PASS=$(terraform output -raw db_password)

Solution 3: Use nonsensitive() Function (Use Carefully!)

# Only if you intentionally want to expose the value
output "db_endpoint" {
  value = nonsensitive(aws_db_instance.main.endpoint)
  # WARNING: This removes the sensitive protection!
}

Solution 4: Pass Between Modules

# Module outputs
output "connection_string" {
  value     = "postgresql://${var.username}:${var.password}@${aws_db_instance.main.endpoint}/mydb"
  sensitive = true
}

# Parent module
module "database" {
  source = "./modules/rds"
}

# Reference in another resource — works fine
resource "aws_ssm_parameter" "db_url" {
  name  = "/app/db_url"
  type  = "SecureString"
  value = module.database.connection_string  # Sensitive flows through
}

Prevention Tips

  1. Pin provider versions — avoid surprise breaking changes
  2. Use CI/CD — catch errors before they hit production
  3. Test with terraform plan — always review before applying
  4. Keep Terraform updated — newer versions have better error messages
  5. Use terraform validate — catches syntax errors early

Hands-On Courses

Learn to avoid these errors with interactive, project-based courses:

Conclusion

This error is common and fixable. Follow the solutions above, and check our Terraform course for hands-on training that covers real-world troubleshooting scenarios.