Secrets & variables

Flowright is built so that secret values never enter your design. A secret is only ever a reference — ${var.database_password} — and the actual value is supplied at terraform apply, from a source you control.

When a value looks like a secret (a password, token, key, connection string), Flowright detects it at input time and turns it into a variable reference instead of storing the literal. The graph, the generated Terraform, and anything you copy from the canvas carry only ${var.x}.

The generated project declares the variable and leaves it unset:

variable "database_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "main" {
  password = var.database_password
}

You provide the real value the same way you would in any Terraform workflow — Flowright never needs to see it:

  • TF_VAR_database_password environment variable
  • a *.tfvars file kept out of version control
  • a data source that reads from AWS Secrets Manager or SSM Parameter Store at apply time
  • your own vault / CI secret store

Variables are first-class and typed (string, number, bool, list, map), with per-environment values. The non-secret ones (region, instance sizes, counts) lift into terraform.tfvars; the secret ones stay as unset sensitive variables.
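
A CI-style check for the invariant described above (sensitive variables stay unset, and only non-secret values land in terraform.tfvars), as an added example that is not Flowright's own code. The sample inputs are constructed, the function names are hypothetical, and the regex parsing assumes terraform fmt-style layout rather than a full HCL parser.

```python
import re

# Constructed sample inputs modelled on the generated project shown above.
MAIN_TF = '''variable "database_password" {
  type      = string
  sensitive = true
}

variable "region" {
  type    = string
  default = "eu-west-1"
}
'''
GOOD_TFVARS = 'region = "eu-west-1"\ninstance_count = 2\n'
BAD_TFVARS = 'region = "eu-west-1"\ndatabase_password = "constructed-not-a-real-secret"\n'

# Assumption: blocks are formatted so the closing brace sits at column 0.
VARIABLE_BLOCK = re.compile(r'^variable\s+"([^"]+)"\s*\{(.*?)^\}', re.S | re.M)

def sensitive_variables(tf_text):
    """Return {name: has_default} for every variable marked sensitive = true."""
    found = {}
    for name, body in VARIABLE_BLOCK.findall(tf_text):
        if re.search(r'^\s*sensitive\s*=\s*true\b', body, re.M):
            found[name] = bool(re.search(r'^\s*default\s*=', body, re.M))
    return found

def assigned_names(tfvars_text):
    """Names assigned at the top level of a .tfvars file (comments are skipped)."""
    names = set()
    for line in tfvars_text.splitlines():
        m = re.match(r'([A-Za-z_][A-Za-z0-9_-]*)\s*=', line)
        if m:
            names.add(m.group(1))
    return names

def check(tf_text, tfvars_text):
    """Return a list of findings; an empty list means the invariant holds."""
    findings = []
    sens = sensitive_variables(tf_text)
    for name, has_default in sorted(sens.items()):
        if has_default:
            findings.append(f"{name}: sensitive variable has a default in .tf")
    for name in sorted(assigned_names(tfvars_text) & set(sens)):
        findings.append(f"{name}: sensitive variable assigned in terraform.tfvars")
    return findings

if __name__ == "__main__":
    print(check(MAIN_TF, BAD_TFVARS))
```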

Because values never touch the design, the canvas is safe to share, screenshot, and store, and the output is aligned with ISO 27001 / LGPD / GDPR expectations out of the box — privacy by construction, not by policy.