Terraform Variables, Locals & Outputs: Dynamic Configurations
Terraform variables, local values, and outputs work together to make configurations dynamic, reusable, and self-documenting by separating hardcoded values from the logic that uses them.
What You'll Learn
In this tutorial, you will learn how to define Terraform input variables with type constraints and defaults, use local values to simplify expressions, and create outputs to share infrastructure data.
Why It Matters
Hardcoded values make configurations brittle and unreusable. Variables let you reuse the same configuration across environments with different settings. Locals reduce duplication. Outputs expose infrastructure data for other tools and CI/CD pipelines.
Real-World Use
DodaTech uses Terraform variables to parameterize environment names, instance sizes, and CIDR blocks across dev, staging, and production. Outputs feed IP addresses and DNS names into configuration management tools that configure Durga Antivirus Pro's application servers.
Input Variables
Variables are declared with a variable block and can have type constraints, descriptions, and default values:
variable "environment" {
description = "Deployment environment name"
type = string
default = "dev"
validation {
condition = contains(["dev", "staging", "prod"], var.environment)
error_message = "Environment must be dev, staging, or prod."
}
}
variable "instance_type" {
description = "EC2 instance type"
type = string
}
variable "tags" {
description = "Resource tags"
type = map(string)
default = {
ManagedBy = "Terraform"
}
}
Expected output: Variables appear in <a href="/devops/terraform/">terraform</a> plan with prompts if no default is set. Validation catches invalid values before apply.
Using Variables
resource "aws_instance" "web" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = var.instance_type
tags = merge(var.tags, {
Name = "web-server-${var.environment}"
Environment = var.environment
})
}
Expected output: The instance type and tags come from variable values. The name tag includes the environment suffix.
Variable Definition Files
Create <a href="/devops/terraform/">terraform</a>.tfvars or *.auto.tfvars files to set variable values without command-line flags:
environment = "prod"
instance_type = "t3.large"
tags = {
Environment = "Production"
ManagedBy = "Terraform"
CostCenter = "Platform"
}
Expected output: Terraform automatically loads <a href="/devops/terraform/">terraform</a>.tfvars and any *.auto.tfvars files, applying those values to variables.
Local Values
Locals assign names to expressions you use repeatedly:
locals {
name_prefix = "dodatech-${var.environment}"
common_tags = {
Environment = var.environment
ManagedBy = "Terraform"
Project = "DurgaAntivirus"
}
}
resource "aws_s3_bucket" "logs" {
bucket = "${local.name_prefix}-logs"
tags = local.common_tags
}
resource "aws_instance" "web" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = var.instance_type
tags = merge(local.common_tags, {
Name = "${local.name_prefix}-web"
})
}
Expected output: Both resources share the same common tags and name prefix. Changing var.environment updates all resources consistently.
Outputs
Outputs expose infrastructure information for other Terraform configurations, scripts, and CI/CD pipelines:
output "web_public_ip" {
description = "Public IP of the web server"
value = aws_instance.web.public_ip
}
output "web_instance_id" {
description = "Instance ID of the web server"
value = aws_instance.web.id
}
output "s3_bucket_arn" {
description = "ARN of the logs bucket"
value = aws_s3_bucket.logs.arn
}
Expected output: After apply, outputs display in the terminal and are available via <a href="/devops/terraform/">terraform</a> output command and remote state data sources.
Sensitive Outputs
Mark outputs as sensitive to prevent them from displaying in logs:
output "db_password" {
description = "Database master password"
value = random_password.db.result
sensitive = true
}
Expected output: The output value shows as "sensitive" in the CLI output but is available programmatically to authorized consumers.
Common Mistakes
1. Using Variables Without Defaults in CI/CD
CI/CD pipelines may not prompt for required variables. Always provide default values or set them in .auto.tfvars.
2. Storing Secrets in tfvars Files
Committing <a href="/devops/terraform/">terraform</a>.tfvars with passwords or API keys exposes secrets in version control. Use environment variables or a secrets manager.
3. Missing Variable Descriptions
Variables without descriptions confuse team members. Always add description for every variable.
4. Overusing Locals for Simple Values
If a value is used only once, a local adds unnecessary indirection. Use locals for values referenced three or more times.
5. Forgetting to Use Sensitive Attribute
Database passwords and API keys should always use sensitive = true in outputs.
Practice Questions
1. What is the difference between a variable and a local value? Variables accept user input with optional defaults and validation. Locals are computed expressions visible only within the module.
2. How do you set variable values without command-line flags?
Create <a href="/devops/terraform/">terraform</a>.tfvars or *.auto.tfvars files. Terraform loads them automatically.
3. Why use the sensitive attribute on outputs?
It prevents the value from displaying in CLI output and logs while remaining available programmatically.
4. How do you validate variable values at plan time?
Use the validation block inside variable with a condition and error_message.
5. Challenge: Write a configuration with four variables (string, number, list, map), three locals that combine them, and five outputs with one marked sensitive.
Mini Project: Parametrized Web Stack
Convert the web stack from the previous tutorial to use variables for environment, instance type, and tags. Add a <a href="/devops/terraform/">terraform</a>.tfvars file for production values, and create outputs for public IP, instance ID, and bucket ARN.
Related Concepts
What's Next
Parameterize your configurations with Terraform variables and locals, then learn State Management to understand how Terraform tracks your infrastructure.
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro