lesson ── terraform-beginner ── ~8 min ── 3 steps
An output is a value that Terraform shows after apply and saves in state. You
use it to hand something to the outside: to the user in the terminal, to a
script through terraform output -raw, or to another Terraform project
through remote state.
In this lesson you will create a bucket, return its ARN through an output, and
read it from the shell with terraform output -raw. See tf-output.
interactive sandbox
A pair of containers starts: terraform 1.9 and localstack 3.8 on one network. A terminal opens in the browser, and you can run terraform init right away. Each step is checked automatically. TTL 45 minutes, no registration.
stack ── terraform · localstack · 1 GB RAM · self-destructs after 45 min of inactivity
~/tf-out already has a provider.tf. Create a main.tf file:
resource "aws_s3_bucket" "demo" {
  bucket = "linuxlab-out-${random_id.suffix.hex}"
  tags = {
    Owner = "student"
  }
}

resource "random_id" "suffix" {
  byte_length = 4
}
After init and apply the bucket is created in LocalStack.
Run everything in one chain:
cd /home/student/tf-out
terraform init -input=false
terraform apply -auto-approve -input=false
If something breaks: run `terraform apply` without auto-approve and read the output.
✓ The bucket is created. Now add an output.
Add an outputs.tf file to the directory:
output "bucket_arn" {
  value       = aws_s3_bucket.demo.arn
  description = "ARN of the created S3 bucket: needed for cross-account IAM."
}

output "bucket_name" {
  value = aws_s3_bucket.demo.bucket
}
aws_s3_bucket.demo.arn is a reference to the arn attribute of the
aws_s3_bucket resource named demo. This attribute is computed on the
cloud side and appears in state after apply. See tf-references.
After adding the outputs, run apply once more. It updates state and prints the values:
terraform apply -auto-approve
At the end of the output an Outputs: section should appear with two
values.
The file can be named anything; the convention is `outputs.tf`.
✓ The output is written to state, visible through `terraform output`.
OpenTofu keeps its CLI and state compatible with Terraform for the
commands in this step. Migration usually goes through
mv .terraform .terraform.bak; tofu init -upgrade. On the first switch,
though, make a state backup and run it on a feature branch: the
differences cluster in the newer features (variables in the backend,
state encryption, OCI registry-backed modules). See tf-opentofu-parity
for the full matrix.
In scripts you often need to pull an output value into a shell variable.
For that there is terraform output -raw output_name:
BUCKET_ARN=$(terraform output -raw bucket_arn)
echo "ARN: $BUCKET_ARN"
BUCKET_NAME=$(terraform output -raw bucket_name)
echo "Name: $BUCKET_NAME"
The -raw flag strips the JSON wrapper and the quotes, which is handy for
substitution. Without -raw the output would be "arn:aws:s3:::..." with
quotes.
This command is how scripts get values out of deployed infrastructure. There is no need to query the AWS API through the CLI, because Terraform already knows everything.
If `terraform output bucket_arn` complains "no outputs found", apply did not go through; redo the previous step.
✓ The output reads from the CLI. Ready to integrate with other scripts.
If an output is marked sensitive = true, terraform apply masks it in
its output as (sensitive value). But terraform output name prints it
as is, which is correct for scripts that need the real value. Keep in
mind that in the state file sensitive values sit in plain text; the
protection is only against logs.
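The point about state above, as an added example that is not part of the lesson's own code: a small Python audit that lists the outputs flagged sensitive in a local terraform.tfstate and checks the file's permissions, without ever printing a value. The state content, the db_password output and the temporary path are constructed for the example.

```python
import json
import os
import stat
import tempfile

# Constructed sample in the version-4 state layout; the output name
# "db_password" and both values are made up for this example.
SAMPLE_STATE = {
    "version": 4,
    "outputs": {
        "bucket_arn": {"value": "arn:aws:s3:::linuxlab-out-0a1b2c3d", "type": "string"},
        "db_password": {"value": "constructed-secret", "type": "string", "sensitive": True},
    },
}


def audit_state(path):
    """Return findings about secrets readable from a local state file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} is readable by group/other (mode {mode:o})")
    with open(path, encoding="utf-8") as fh:
        state = json.load(fh)
    for name, out in sorted(state.get("outputs", {}).items()):
        if out.get("sensitive"):
            # Report only the name and size, never the value itself.
            size = len(json.dumps(out.get("value")))
            findings.append(f"output {name!r} is sensitive but stored in clear ({size} bytes)")
    return findings


def demo():
    """Write the sample state, then audit it with loose and tight modes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "terraform.tfstate")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_STATE, fh)
        os.chmod(path, 0o644)
        loose = audit_state(path)
        os.chmod(path, 0o600)
        tight = audit_state(path)
    return loose, tight


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The sensitive finding remains after the mode is tightened to 0600: the flag only affects what the CLI prints, so anyone who can read the state file or its backend can read the value.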
You added output "bucket_arn", saw it in the apply output, and read it
with terraform output -raw. This is the same mechanism a CI/CD pipeline
uses to pull values from deployed infrastructure.
commands
terraform output                   all outputs in human-readable form
terraform output -raw bucket_arn   one value without quotes, for bash
terraform output -json             all outputs in JSON, for parsing
concepts