Variables and Secrets in InfraDots

Terraform and OpenTofu use variables for inputs and environment variables for things like provider credentials. InfraDots lets you set both in the UI or API so they’re never stored in your repo.

Two kinds of “variables” in InfraDots

1. Terraform variables

These map to variable "name" {} in your .tf files.

  • Key = variable name (e.g. region, environment, instance_type)
  • Value = string (or HCL if you enable HCL)
  • Sensitive = hide value in UI and logs (use for secrets)

Example in code:

variable "region" {
  type    = string
  default = "us-east-1"
}

variable "db_password" {
  type      = string
  sensitive = true
}

In InfraDots: create variables with keys region and db_password, set values, and mark db_password as Sensitive.

2. Environment variables

These are set in the run environment (e.g. AWS_ACCESS_KEY_ID, TF_VAR_foo).

  • Use for provider credentials (e.g. AWS, GCP, Azure)
  • Use the TF_VAR_ prefix to set Terraform variables via env (e.g. TF_VAR_region=eu-west-1)
  • Mark Sensitive so they never appear in logs or plan/apply output

Example: add an environment variable with the key AWS_ACCESS_KEY_ID, set its value to your access key, and mark it Sensitive.

Where to set them

  • Organization variables — Apply to all workspaces in the org (good for shared defaults like region or environment)
  • Workspace variables — Override org variables or define workspace-specific values (e.g. per-environment secrets)

Workspace values override organization values for the same key.

Best practices

  • Never commit secrets — Don’t put passwords, API keys, or tokens in .tf files or in Git. Use InfraDots variables (sensitive) or a vault and reference them.
  • Use sensitive flag — For any credential or secret value, mark it Sensitive in InfraDots so it’s never shown in UI or logs.
  • Prefer env vars for provider auth — Use environment variables for AWS_ACCESS_KEY_ID, GOOGLE_CREDENTIALS, etc., and keep them sensitive.
  • Use Terraform variables for non-secrets — Things like region, instance_type, environment are fine as Terraform variables and can be visible in plan output for debugging.
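
A pre-commit style check for the "Never commit secrets" practice above, as an added example (not InfraDots or Terraform code): it flags variable blocks in .tf text whose secret values are defaulted in code instead of being set as Sensitive variables. The name heuristic, the function names and the sample blocks are assumptions made for illustration.

```python
import re

# Heuristic for credential-like variable names (an assumption; tune per repo).
SECRET_NAME = re.compile(r"pass(word)?|secret|token|api_?key|private_key", re.I)
VAR_HEADER = re.compile(r'variable\s+"([^"]+)"\s*\{')
DEFAULT = re.compile(r"^\s*default\s*=\s*(.+?)\s*$", re.M)
SENSITIVE = re.compile(r"^\s*sensitive\s*=\s*true\b", re.M)


def variable_blocks(tf_text):
    """Yield (name, body) for each variable block, matching nested braces."""
    for m in VAR_HEADER.finditer(tf_text):
        depth, i = 1, m.end()
        while i < len(tf_text) and depth:
            depth += {"{": 1, "}": -1}.get(tf_text[i], 0)
            i += 1
        yield m.group(1), tf_text[m.end():i - 1]


def find_committed_secrets(tf_text):
    """Return (variable, reason) pairs for secret values defaulted in code."""
    findings = []
    for name, body in variable_blocks(tf_text):
        default = DEFAULT.search(body)
        if not default or default.group(1) in ("null", '""'):
            continue  # nothing in the repo; the value comes from the run settings
        if SENSITIVE.search(body):
            findings.append((name, "sensitive variable has a default in code"))
        elif SECRET_NAME.search(name):
            findings.append((name, "secret-like name has a default in code"))
    return findings


# Constructed sample: region/db_password follow the page; the rest are made up.
SAMPLE_TF = '''
variable "region" {
  default = "us-east-1"
}
variable "db_password" {
  sensitive = true
}
variable "api_token" {
  default = "placeholder-not-a-real-token"
}
variable "admin_password" {
  sensitive = true
  default   = "placeholder-not-a-real-password"
}
'''
print(find_committed_secrets(SAMPLE_TF))
```

The check is regex-based rather than a full HCL parser, so treat a clean result as a first pass, not proof that no secret is in the repository.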

HCL values

For Terraform variables that are not plain strings (e.g. lists, maps), enable HCL when adding the variable and paste the value as HCL:

["a", "b", "c"]

or

{ dev = "vpc-111", prod = "vpc-222" }