Inputs & Outputs

Every package in Bluebricks has an interface defined by inputs and outputs. Inputs are the values a package needs to run: a region, a CIDR block, a cluster name, a database password. Outputs are the values a package produces after execution: a VPC ID, an endpoint URL, a connection string.

This interface makes packages composable. One package's output can feed into another package's input, and Bluebricks handles the wiring, ordering, and execution automatically.

This page explains how inputs and outputs work across all layers of Bluebricks, from native IaC code to runtime environments.

The data flow model

Inputs and outputs flow through four layers:

Layer 1: Native IaC code is the infrastructure code you write: Terraform variables, Helm values, CloudFormation parameters, or scripts. This is where inputs and outputs originate.

Layer 2: Artifact is the bricks.json manifest. Its props and outs fields define the package's external interface. Bluebricks auto-discovers these from your native code when you publish.

Layer 3: Blueprint wires packages together. It connects outputs from one package to inputs of another, passes blueprint-level properties down to packages, and references secrets.

Layer 4: Environment + Collection is where Bluebricks resolves values at runtime. Collection properties, secrets, context references, output references, and deployer overrides supply the concrete values.

Inputs

An input is any value a package needs to execute. In bricks.json, inputs are declared in the props object.

How native code maps to inputs

Each IaC tool defines inputs differently at the native level. Bluebricks maps them all to the same props interface:

When you publish an artifact, Bluebricks reads your native code and auto-populates the props section in bricks.json.

How inputs get their values

Inside a blueprint, each package input can receive its value from five sources:

1. Hardcoded value

A fixed value set directly in the blueprint definition:

2. Blueprint-level input

A value passed down from the blueprint's own inputs:

3. Another package's output

A value produced by a sibling package. This creates a dependency in the execution graph:

4. Secret

A sensitive value stored in the target collection's secret store:

5. Collection property or context reference

Values that come from the collection or environment at runtime:

• Collection properties: matched by key name. When a blueprint input key matches a collection property name, Bluebricks injects the collection's value automatically

• Context references: dynamic placeholders like ${{bricks.collection.slug}} or ${{bricks.environment.slug}} that resolve at runtime

See Properties, Secrets, and Using Context References.

How inputs are delivered at runtime

Each IaC tool receives inputs through a different mechanism:

Outputs

An output is a value that a package produces after execution. In bricks.json, outputs are declared in the outs object.

How native code maps to outputs

Referencing outputs downstream

Once a package produces outputs, other packages in the same blueprint can reference them using Data references:

The reference format is:

During planning, output values appear as "known after apply" placeholders. After apply, Bluebricks captures and stores the real values.

Cross-environment output references

You can also reference outputs across environments. If a foundational environment (e.g., a shared VPC) produces outputs, dependent environments can consume them. See Using Output References.

Secrets

Secrets are inputs that carry sensitive data: API keys, passwords, tokens. They behave like regular inputs but with additional protections:

• Stored in the collection's secret store, encrypted at rest

• Never shown in logs, diffs, or UI fields

• Injected only at runtime within the secure execution context

• Wiped from the runner after execution completes

In a blueprint, you reference secrets using the Secrets keyword:

Each IaC tool delivers secrets through a different mechanism:

See Secrets for how to create and manage secrets at the collection level.

Package-to-package wiring

When one package's input references another package's output via a Data reference, Bluebricks creates an implicit dependency between them. These dependencies form a directed acyclic graph (DAG) that determines execution order.

In this example:

• Subnet depends on VPC because its vpc_id input references Data.vpc.vpc_id

• App Server depends on Subnet because it references Data.subnet.subnet_id

Bluebricks resolves this graph at plan time and executes packages in the correct order: parallel where there are no dependencies, sequential where one package needs another's output.

The Data reference is an expr expression, so you can manipulate values. For example, select the first subnet from a list with data.vpc.private_subnets[0], or use a fallback with data.vpc.vpc_id ?? inputs.fallback_vpc_id.

Syntax quick reference

Bluebricks uses two equivalent syntaxes depending on context:

Both syntaxes are expr expressions. The capitalized form (Props, Data, Secrets) appears in bricks.json. The lowercase form (inputs, data, secrets) appears in the UI and YAML configurations.

End-to-end example

This example shows a blueprint with two packages: a Terraform VPC and a Helm application. The VPC output flows into the Helm chart input, and secrets are pulled from the collection.

Blueprint YAML (UI-generated):

What happens at runtime:

1. Bluebricks resolves the DAG: vpc has no dependencies, webapp depends on vpc

2. The vpc package runs first. Inputs region and cidr_block are delivered via 0_bbx_props.auto.tfvars.

3. After vpc completes, Bluebricks captures its outputs (vpc_id, private_subnet_ids) via terraform output -json.

4. The webapp package runs next. Its inputs include the VPC outputs (resolved from Data.vpc.*) and the secret db_password (resolved from the collection's secret store).

5. The blueprint's outputs are populated and available to dependent environments.