Hasicorp Terraform
Terraform Overview
Syntax
Files and Directory Structure
Deployment process
Terraform Data
Datasource block
Providers Block
Move block
Import block
Dynamic block
Backend Block
Statefile
Terraform
/
Variable
/
Output Block

Output block

In Terraform, an output block is a way to share information about your infrastructure with other modules. When you create a resource, for example, a virtual machine or database, it returns a set of attributes as a result after the resource is created. These attributes contain information about the resource, such as IP address, DNS name, or other properties. To make use of such attributes in a configuration, an output block must be made use of. An output block allows you to "extract" the attributes you want from a resource and then hands it over to your configuration where it may be used elsewhere.
The output values are similar to the concept of return values that many programming languages have. A function may return some value that could be used in other parts of the program. In a similar vein, with Terraform, the Output Value provides you the ability to "return" information about your infrastructure that may be of use to other Terraform configurations or users.

Output block syntax

The syntax of an output block is: 
variable "local_name" {
    # Input Specific Arguments 
}
Here's a breakdown of the syntax:
  • output is the keyword to declare a output block.
  • local_name is the name of the output variable. This is the name that will be used to refer to the output variable inside the Terraform module.
  • The block body (between {}) contains output-specific arguments. Here you define properties and constraints for the output variable.
Suppose you want to create an AWS instance resource using the following Terraform configuration: 
resource "aws_instance" "instance" {
    ami = "ami-0123456789"
    instance_type = "t2.micro"
    tags = {
        Name = "Production Instance"
    }
}
After creating a resource, Terraform exports a set of attributes under instance local_name that describe the resource. An attribute is stored in a JSON-like object as follows: 
{ 
    "instance" = {
        "arn" = "arn:aws:ec2:ap-southeast-2:accountid:instance/i-id"
        "id" = "i-04f36f59dc445df86115ec"
        "availability_zone" = "ap-southeast-2a"
        "cpu_core_count" = 1
        "cpu_threads_per_core" = 2
        "ebs_block_device" = []
        "ami" = "ami-0123456789"
        "instance_type" = "t2.micro"
    }
}
You can then use those attributes in an Output Block to make them available in your configuration. Example: 
output "availability_zone" {
    value = aws_instance.instance.availability_zone
    description = "The availability zone where instance created"
}
Here, the Output Block fetches the availability_zone attribute from the aws_instance resource and exposes it as an output variable, with the name being availability_zone. You can use this output variable elsewhere in your Terraform configuration or share it with other users.

Accessing Outputs from Child Modules in Terraform

When working with Terraform, you may have a parent module comprising one or more child modules. You may need to access an output value of the child module in your parent module. For this, you will need to use specific syntax in your Terraform configuration file. Syntax for accessing an output value from a child module looks like the code below: 
module.<MODULE NAME>.<OUTPUT NAME>
Here,
  • Module is a keyword which denotes you are accessing a child module.
  • <MODULE NAME> is the name of the child module you would like to access.
  • <OUTPUT NAME> is the name of the output value that you want to access from the child module.
NOTE: Output Variables cannot be directly accessed with output.<local_name> within the same module.
Let me illustrate this with an example. Suppose we have a child module called policy, which creates an AWS IAM policy and is also outputting the policy ARN. In the parent (main.tf) in our root directory, we want to reference that output value, s3_policy_arn, from the policy child module and use it as an argument to create an IAM role policy attachment. 
// File: policy/main.tf
resource "aws_iam_policy" "policy" {
    name = "s3-access-policy"
    path = "/"
}
output "s3_policy_arn" {
  value = aws_iam_policy.s3.arn
  description = "The password used for db_instance creation"
}
// File: main.tf (Root Module)
module "policy-module" {
  source = "./policy"
}
resource "aws_iam_role_policy_attachment" "role-attachment" {
  policy_arn = module.policy-module.s3_policy_arn
  role = "IAM-role"
}
In this example, we use the syntax module.policy.s3_policy_arn to access the value of the s3_policy_arn output from the child policy module, and then pass that value to set the policy_arn attribute in the aws_iam_role_policy_attachment resource.

Arguments of output block

The following arguments are supported:

1. value

In an output block of a Terraform configuration, the value argument is a required attribute. It defines the value to return to the other Terraform configurations during the running of terraform plan or apply. In this way, information can be shared across Terraform modules/configurations.
The value argument expects an expression for its value. An expression in a configuration is a way to describe a computation or an operation that results in a value. In Terraform, expressions can be as simple as a literal string or number, or they can be complex constructs that refer to other resources or combine multiple values.
Let's take an example: 
output "bucket_arn" {
    value = aws_s3_bucket.bucket.arn
}
Here, the name of the output block is bucket_arn, and it takes one argument, value. The value argument here is set to aws_s3_bucket.bucket.arn, which is an complex expression. The expression aws_s3_bucket.bucket.arn refers to the ARN, Amazon Resource Name, of an AWS S3 bucket created by Terraform. If aws_s3_bucket.bucket.arn is used in a Terraform plan or apply, Terraform will evaluate this expression and replace it with the actual ARN for the created S3 bucket. This ARN returns as the value of the bucket_arn output, which could be used by the user or other Terraform configurations.

2. description

In Terraform, the description argument is an optional argument that may be used to describe briefly any output variable. This explanation is meant to help in the understanding of two major things:
  • Purpose of the Output
  • The Usage of the Output
Here is an example with the use of the description argument: 
output "policy_arn" {
    value =  aws_iam_policy.policy.arn
    description = "This output returned a policy arn and used for role creation"
}
In the above example, in the description argument, a short explanation is being made to the policy_arn Output Variable. It goes ahead to say that such a variable returns a policy ARN, Amazon Resource Name, and that it is used for creating roles. Such a type of description ensures that other users get an overview of what the variable policy_arn does and how it can be used to interact with the code.

3. sensitive

In Terraform, the sensitive argument is an optional argument that is utilized to mark an output containing sensitive material. This argument will be used to indicate that the value of the output contains confidential or sensitive information and should not appear in the Terraform CLI output when running terraform plan or terraform apply.
Here is an example using the sensitive argument: 
// File: password/main.tf
resource "random_password" "password" {
    length = 40
    special = false
}
output "db_password" {
  value = random_password.password
  description = "The password used for db_instance creation"
  sensitive = true
}
// File: main.tf (Root Module)
module "password-module" {
  source = "./password"
}
resource "aws_db_instance" "db_instance" {
  engine = "mysql"
  db_name = "database-1"
  username = "admin"
  password = module.password.db_password  
}
In the example above, the db_password output is marked as sensitive, which indicates that its value should not appear in the Terraform CLI output. If the terraform plan or the terraform apply is executed, Terraform will hide the values marked sensitive in the output messages. Instead of the real value, Terraform will indicate that this value is sensitive. 
# Terraform will perform the following actions:
# aws_db_instance.db_instance will be created
  + resource "aws_db_instance" "db_instance" {
        + engine = mysql
        + db_name = database-1
        + username = admin
        + password = (sensitive value)
  }
Plan: 1 to add, 0 to change, 0 to destroy.
Changes to Outputs:
    + db_password = (sensitive value)
As you can see, the password attribute of aws_db_instance resource is marked as '(sensitive value)'. Similarly, the db_password output does have a mark of '(sensitive value)'. It means that sensitive information has been hidden from the output.
NOTE: Terraform stores sensitive information like passwords and access keys in its statefile. Anyone who has access to this file will be able to read the same types of sensitive information in clear text and unencrypted.

Related Pages

Feedback

Was this page helpful?
About
Privacy policy
Contact
DevOpsResourceHub is designed to enhance your learning experience in DevOps technologies. While we strive to make our examples clear and easy to understand, and we regularly update our content to ensure accuracy, we acknowledge that occasional mistakes may occur. We encourage continuous learning and welcome feedback to help us improve.
@Copywrites 2024 All Rights Reserved
Hasicorp Terraform
Terraform Overview
Syntax
Files and Directory Structure
Deployment process
Terraform Data
Datasource block
Providers Block
Move block
Import block
Dynamic block
Backend Block
Statefile