Interview Infrastructure as Code (Terraform, Ansible)

What is the sensitive flag on variables and outputs?

Infrastructure as Code (Terraform, Ansible) · Intermediate level

Answer

The sensitive flag prevents values from being displayed in Terraform CLI output and module outputs, which reduces accidental exposure in logs. It does not make the value cryptographically secret in the state file. Anyone who can read state may still access sensitive values.

Technical explanation

Use sensitive = true for variables and outputs that contain tokens, passwords, private keys, or generated secrets.

Do not rely on sensitive for compliance if state access is broad.

Combine it with backend encryption, access control, and secret-store design.

Keep Terraform's ownership boundary clear: one state should own a resource or field, and other tools should consume published outputs instead of modifying it.

Use fmt, validate, linting, policy checks, plan review, and state locking before production applies.

Design for small blast radius by splitting state around lifecycle, permissions, and recovery boundaries.

Hands-on example

1. Harden secret handling around the sensitive flag on variables and outputs.

2. Bad pattern: passing plaintext database passwords as Terraform variables and outputting them.

3. Better pattern: create or reference secret metadata and let runtime fetch the value:

resource "aws_secretsmanager_secret" "db" {
  name = "prod/db/password"
}

# Application IAM can read this secret ARN; Terraform does not need to output the value.
output "db_secret_arn" {
  value = aws_secretsmanager_secret.db.arn
}

4. Mark any unavoidable sensitive input or output with sensitive = true, but still treat the state backend as secret storage.

5. Verify S3 state encryption, IAM read restrictions, audit logs, and CI log redaction.
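An added example, not from the original answer, putting steps 3 to 5 together in one configuration: the sensitive input, the secret value written through a secret version, only the ARN published, and an S3 backend with encryption and locking. The bucket, lock table, region and variable names are assumed placeholders.

```hcl
terraform {
  backend "s3" {
    bucket         = "example-tf-state"            # placeholder bucket name
    key            = "prod/db/terraform.tfstate"
    region         = "us-east-1"                    # placeholder region
    encrypt        = true                           # server-side encryption of the state object
    dynamodb_table = "example-tf-locks"             # placeholder table for state locking
  }
}

# Sensitive input: redacted in plan/apply output and in module outputs,
# but still stored in plaintext in the state file.
variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_secretsmanager_secret" "db" {
  name = "prod/db/password"
}

# The value lands in Secrets Manager; the application fetches it at runtime.
resource "aws_secretsmanager_secret_version" "db" {
  secret_id     = aws_secretsmanager_secret.db.id
  secret_string = var.db_password
}

# Publish a reference, not the secret. Consumers read the ARN and
# fetch the value with their own IAM permissions.
output "db_secret_arn" {
  value = aws_secretsmanager_secret.db.arn
}

# Only if an output of the value itself is unavoidable: it must carry
# sensitive = true (Terraform refuses to output a sensitive value otherwise),
# and the state backend is then the real secret store.
output "db_password" {
  value     = var.db_password
  sensitive = true
}
```

Removing the last output block is the preferred end state; it is shown only to illustrate step 4.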
