tofu-output

Convert Terraform output to various formats

TLDR

With no additional arguments, output will display all outputs for the root module

$ tofu output

Output only a value with specific name
$ tofu output [name]

Convert the output value to a raw string (useful for shell scripts)
$ tofu output -raw [name]

Format the outputs as a JSON object, with a key per output (useful with jq)
$ tofu output -json

SYNOPSIS

tofu output [options] [NAME]

PARAMETERS

[NAME]
    (Optional) The name of a specific output value to retrieve. If omitted, all output values will be displayed.

-json
    Output the result in JSON format, suitable for programmatic parsing.

-state=PATH
    Path to the state file. Defaults to "tofu.tfstate" in the current working directory if not specified.

-no-color
    Disable colored output.

-compact
    Display output in a compact form, typically used with single output values.

-raw
    Display raw output, without any formatting or quotes, useful for pipes.

DESCRIPTION

The tofu-output command is designed to extract and display the output values defined within a tofu configuration's state file. In the context of Infrastructure as Code (IaC) using tofu (an open-source project similar to Terraform), "outputs" are named values that are exposed by a root module. These outputs can represent public IP addresses of deployed instances, database connection strings, S3 bucket names, or any other piece of information generated by the infrastructure deployment that needs to be consumed by other systems, modules, or users.

This command is crucial for interacting with deployed infrastructure, enabling scripting, automation, or simply providing a summary of important deployment artifacts. It reads the current state (either locally or from a remote backend) and presents the values in a user-friendly format, or in a machine-readable JSON format for programmatic use.

CAVEATS

Sensitive Data: Output values can sometimes contain sensitive information (e.g., passwords, API keys). While tofu attempts to redact sensitive outputs in logs, direct retrieval via tofu-output will expose the raw values. Always handle outputs containing sensitive data with extreme care.
State File Dependency: The command relies entirely on the integrity and accessibility of the tofu state file. If the state file is corrupted, inaccessible, or out of sync with the actual infrastructure, the displayed outputs may be inaccurate or unavailable.
Uninitialized Backend: If a remote backend is configured but not initialized, tofu-output may fail to retrieve the state, requiring an initial `tofu init` command.
No Output Defined: If no output values are defined in the configuration, or if the specified `NAME` does not correspond to an existing output, the command will return an empty result or an error.

USAGE EXAMPLES

Retrieve all outputs:
`tofu output`

Retrieve a specific output named "web_app_url":
`tofu output web_app_url`

Retrieve a specific output in JSON format:
`tofu output -json database_connection_string`

Use raw output in another command:
`ssh -i mykey.pem ec2-user@"$(tofu output -raw instance_ip)"`

OUTPUTTING SENSITIVE INFORMATION

While `sensitive = true` can be set for an output in the tofu configuration to prevent its display in plan/apply logs, it does not prevent `tofu-output` from displaying the value directly. Users must be aware of this and ensure appropriate access controls are in place for systems that can execute `tofu-output` or store its results.
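A filter for the case described above, added here as an example (not part of the original page or the OpenTofu project): it reads the all-outputs document printed by `tofu output -json` and masks every value flagged `sensitive` before the result is logged or archived. The sample document, its host names and the mask string are constructed for illustration.

```python
import json
import sys

MASK = "<sensitive>"  # constructed placeholder written in place of secret values

# Constructed sample in the shape `tofu output -json` prints for a root module.
SAMPLE = """
{
  "web_app_url": {"sensitive": false, "type": "string", "value": "https://app.example.test"},
  "database_connection_string": {"sensitive": true, "type": "string",
                                 "value": "postgres://app:CONSTRUCTED-SECRET@db.example.test/app"},
  "instance_ip": {"sensitive": false, "type": "string", "value": "192.0.2.10"}
}
"""


def redact_outputs(doc):
    """Return a copy of the all-outputs JSON document that is safe to log or archive."""
    if not isinstance(doc, dict):
        raise ValueError("expected the all-outputs object, not a single value")
    safe = {}
    for name, entry in doc.items():
        # Fail closed: `-json NAME` prints a bare value with no "sensitive" flag,
        # so anything that lacks the wrapper cannot be classified and is rejected.
        if not (isinstance(entry, dict) and "value" in entry
                and isinstance(entry.get("sensitive"), bool)):
            raise ValueError(f"output {name!r} has no sensitivity metadata")
        safe[name] = dict(entry, value=MASK) if entry["sensitive"] else dict(entry)
    return safe


def sensitive_names(doc):
    """Names of outputs flagged sensitive, for audit or CI masking lists."""
    return sorted(n for n, e in redact_outputs(doc).items() if e["sensitive"])


if __name__ == "__main__":
    # Usage: tofu output -json | python3 redact_outputs.py > outputs.redacted.json
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    doc = json.loads(piped.strip() or SAMPLE)  # falls back to the constructed sample
    json.dump(redact_outputs(doc), sys.stdout, indent=2, sort_keys=True)
    print()
```

Piping straight into the filter keeps the unredacted JSON out of build logs and off disk; only the redacted copy is written.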

HISTORY

The concept of explicitly defined outputs emerged early in the development of Infrastructure as Code (IaC) tools like Terraform, which tofu is a direct successor or alternative to. As IaC matured, the need to programmatically access information about deployed resources became paramount for integration with CI/CD pipelines, monitoring systems, and other automation tools. The `output` command, therefore, became a core utility, allowing users to extract key deployment artifacts without directly querying the cloud provider APIs. Its design evolved to support various formats (e.g., human-readable, JSON) to cater to both manual inspection and automated consumption. The "tofu-output" command represents this fundamental utility within the tofu ecosystem, emphasizing the importance of discoverable and reusable infrastructure data.

SEE ALSO

tofu(1), tofu-init(1), tofu-apply(1), tofu-plan(1)
