diff --git a/api/v1alpha1/workspace_types.go b/api/v1alpha1/workspace_types.go
index 6fbc6aad..5734605b 100644
--- a/api/v1alpha1/workspace_types.go
+++ b/api/v1alpha1/workspace_types.go
@@ -144,6 +144,9 @@ type WorkspaceSpec struct {
 	// Specifies the agent pool name we wish to use.
 	// +optional
 	AgentPoolName string `json:"agentPoolName,omitempty"`
+	// Annotations for the output secret.
+	// +optional
+	OutputAnnotations map[string]string `json:"outputAnnotations,omitempty"`
 }
 
 // WorkspaceStatus defines the observed state of Workspace
diff --git a/config/crd/bases/app.terraform.io_workspaces.yaml b/config/crd/bases/app.terraform.io_workspaces.yaml
index 67e2c741..d72a0d26 100644
--- a/config/crd/bases/app.terraform.io_workspaces.yaml
+++ b/config/crd/bases/app.terraform.io_workspaces.yaml
@@ -114,6 +114,11 @@ spec:
               organization:
                 description: Terraform Cloud organization
                 type: string
+              outputAnnotations:
+                additionalProperties:
+                  type: string
+                description: Annotations for the output secret.
+                type: object
               outputs:
                 description: Outputs denote outputs wanted
                 items:
diff --git a/workspacehelper/k8s_configmap.go b/workspacehelper/k8s_configmap.go
index 049faccc..728c95d0 100644
--- a/workspacehelper/k8s_configmap.go
+++ b/workspacehelper/k8s_configmap.go
@@ -26,12 +26,13 @@ func configMapForTerraform(name string, namespace string, template []byte) *core
 	}
 }
 
-func secretForOutputs(name string, namespace string, outputs []*v1alpha1.OutputStatus) *corev1.Secret {
+func secretForOutputs(name string, namespace string, outputs []*v1alpha1.OutputStatus, annotations map[string]string) *corev1.Secret {
 	data := outputsToMap(outputs)
 	return &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
-			Namespace: namespace,
+			Name:        name,
+			Namespace:   namespace,
+			Annotations: annotations,
 		},
 		Data: data,
 	}
@@ -122,7 +123,7 @@ func (r *WorkspaceHelper) UpsertSecretOutputs(w *v1alpha1.Workspace, outputs []*
 	outputName := fmt.Sprintf("%s-outputs", w.Name)
 	err := r.client.Get(context.TODO(), types.NamespacedName{Name: outputName, Namespace: w.Namespace}, found)
 	if err != nil && k8serrors.IsNotFound(err) {
-		secret := secretForOutputs(outputName, w.Namespace, outputs)
+		secret := secretForOutputs(outputName, w.Namespace, outputs, w.Spec.OutputAnnotations)
 		err = controllerutil.SetControllerReference(w, secret, r.scheme)
 		if err != nil {
 			return err