What are input variables, and how does Terraform resolve variable precedence?
Quick Answer
Input variables (`variable "name" { type = string }`) parameterize a configuration so the same code can be reused with different values. Terraform resolves a value for each variable using a defined precedence (highest wins): `-var`/`-var-file` CLI flags, `*.auto.tfvars` files (alphabetical), `terraform.tfvars`, `TF_VAR_name` environment variables, then the variable's `default` in configuration. This lets you keep sane defaults in code while overriding per-environment values via tfvars files or CI secrets.
Detailed Answer
Input variables are how a Terraform configuration accepts external parameters instead of hardcoding values, making the same code reusable across environments, regions, and teams.
Declaring a variable
```hcl
variable "instance_type" {
  type        = string
  description = "EC2 instance type for the web tier"
  default     = "t3.micro"
}
```
Referenced elsewhere as `var.instance_type`.
The precedence order
Terraform must decide which value "wins" when a variable could be set in multiple places. From highest to lowest precedence:
- `-var` or `-var-file` flags passed on the `terraform plan`/`apply` command line.
- `*.auto.tfvars` (or `.auto.tfvars.json`) files in the working directory, processed in alphabetical order.
- `terraform.tfvars` (or `terraform.tfvars.json`), if present.
- `TF_VAR_<name>` environment variables (e.g., `TF_VAR_instance_type=t3.large`).
- The variable's `default` value in configuration, if no other source provides one.
(Within a given precedence level, later definitions on the command line override earlier ones.)
Why this matters in practice
- CI/CD pipelines typically inject environment-specific and sensitive values via `TF_VAR_*` environment variables (pulled from a secrets store), while `terraform.tfvars` holds non-sensitive, checked-in defaults for local development.
- Layering `*.auto.tfvars` files (e.g., `common.auto.tfvars`, `prod.auto.tfvars`) lets teams share baseline values while still allowing an explicit `-var` override for a one-off `plan` during debugging.
- If a variable has no default and no value supplied from any source, Terraform will interactively prompt for it (or fail in non-interactive/CI contexts), which is a useful safety net for variables that must always be explicitly set (like an account ID), but a nuisance if forgotten in automation.
Getting this precedence order right is what lets teams keep sane defaults in version-controlled code while still safely overriding per-environment or per-run values without editing the configuration itself.
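The precedence order above, modeled as a small resolver that reports which source supplies each variable's final value. This is an added example, not Terraform's own code; the function name, the dict-based inputs and all sample values are constructed assumptions.

```python
# Added example: a model of the precedence order above, not Terraform's own code.
class MissingVariable(Exception):
    """No source supplied a value and the variable has no default."""

def resolve(name, defaults, env, tfvars_files, cli_args=()):
    """Return (value, source) for one variable.

    defaults     : {var: default} from variable blocks (missing key = no default)
    env          : environment, e.g. {"TF_VAR_instance_type": "t3.large"}
    tfvars_files : {filename: {var: value}} in the working directory
    cli_args     : ordered (var, value) pairs from -var / -var-file, as typed
    """
    found = None  # walk lowest -> highest; each later hit replaces the earlier one
    if name in defaults:
        found = (defaults[name], "default")
    if "TF_VAR_" + name in env:
        found = (env["TF_VAR_" + name], "TF_VAR_" + name)
    for fixed in ("terraform.tfvars", "terraform.tfvars.json"):
        if name in tfvars_files.get(fixed, {}):
            found = (tfvars_files[fixed][name], fixed)
    auto = sorted(f for f in tfvars_files
                  if f.endswith((".auto.tfvars", ".auto.tfvars.json")))
    for fname in auto:  # alphabetical order, so a later file overrides an earlier one
        if name in tfvars_files[fname]:
            found = (tfvars_files[fname][name], fname)
    for var, value in cli_args:  # later flags override earlier ones
        if var == name:
            found = (value, "command line")
    if found is None:
        raise MissingVariable(name + ": no value from any source and no default")
    return found

# Constructed sample inputs (hypothetical values, not from a real project).
DEFAULTS = {"instance_type": "t3.micro"}
ENV = {"TF_VAR_instance_type": "t3.large", "TF_VAR_db_password": "from-secrets-store"}
FILES = {
    "terraform.tfvars": {"db_password": "checked-in-placeholder"},
    "common.auto.tfvars": {"region": "eu-west-1"},
    "prod.auto.tfvars": {"region": "us-east-1"},
}

if __name__ == "__main__":
    for var in ("instance_type", "region", "db_password"):
        print(var, "->", resolve(var, DEFAULTS, ENV, FILES))
    # A stale db_password in terraform.tfvars shadows the CI-injected TF_VAR_ value.
```

Because `TF_VAR_*` sits below `terraform.tfvars` in this order, a leftover entry in a checked-in tfvars file overrides the value CI injects from the secrets store, which is what the `db_password` case shows.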