🏗️

Terraform

Terraform CLI commands and HCL patterns for infrastructure as code

Core Workflow

The essential init → plan → apply → destroy lifecycle

bash·Initialize working directory

terraform init

bash·Re-init and upgrade providers

terraform init -upgrade

bash·Validate configuration

terraform validate

bash·Format all .tf files

terraform fmt -recursive

bash·Plan changes

terraform plan

bash·Plan and save to file

terraform plan -out=tfplan

bash·Apply saved plan

terraform apply tfplan

bash·Apply without confirmation prompt

terraform apply -auto-approve

bash·Destroy all resources

terraform destroy

bash·Destroy without confirmation prompt

terraform destroy -auto-approve

Targeting & Partial Changes

Apply or destroy specific resources without touching everything

bash·Plan only a specific resource

terraform plan -target=aws_instance.web

bash·Apply only a specific resource

terraform apply -target=aws_instance.web

bash·Destroy only a specific resource

terraform destroy -target=aws_instance.web

bash·Target a module

terraform apply -target=module.vpc

bash·Replace (taint) a resource

terraform apply -replace=aws_instance.web

State Management

Inspect, move, import and manipulate Terraform state

bash·List all resources in state

terraform state list

bash·Show a specific resource in state

terraform state show aws_instance.web

bash·Move resource in state (rename)

terraform state mv aws_instance.old aws_instance.new

bash·Remove resource from state (keep real infra)

terraform state rm aws_instance.web

bash·Pull remote state to stdout

terraform state pull

bash·Push local state to remote

terraform state push terraform.tfstate

bash·Import existing resource into state

terraform import aws_instance.web i-1234567890abcdef0

bash·Show full state as JSON

terraform show -json | jq .

bash·Unlock stuck state

terraform force-unlock <lock-id>

Variables & Outputs

Pass variables in and read outputs out

bash·Pass variable on CLI

terraform apply -var='instance_type=t3.medium'

bash·Pass variables from file

terraform apply -var-file=prod.tfvars

bash·Show all outputs

terraform output

bash·Get a specific output value

terraform output instance_ip

bash·Get output as raw string (no quotes)

terraform output -raw instance_ip

bash·Get output as JSON

terraform output -json

hcl·Variable with validation (HCL)

variable "environment" {
  type        = string
  description = "Deployment environment"
  default     = "dev"

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "Must be dev, staging, or prod."
  }
}

hcl·Sensitive output (HCL)

output "db_password" {
  value     = aws_db_instance.main.password
  sensitive = true
}

Workspaces

Manage multiple state environments with workspaces

bash·List workspaces

terraform workspace list

bash·Show current workspace

terraform workspace show

bash·Create workspace

terraform workspace new staging

bash·Switch workspace

terraform workspace select prod

bash·Delete workspace

terraform workspace delete staging

hcl·Use workspace name in config (HCL)

resource "aws_s3_bucket" "data" {
  bucket = "my-app-${terraform.workspace}-data"
}

Providers & Modules

Lock, install and manage providers and modules

bash·List installed providers

terraform providers

bash·Lock provider versions

terraform providers lock -platform=linux_amd64 -platform=darwin_arm64

bash·Download modules and providers

terraform get

bash·Update modules to latest matching version

terraform get -update

hcl·Provider version constraints (HCL)

terraform {
  required_version = ">= 1.6.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

hcl·Call a child module (HCL)

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.1.2"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["us-east-1a", "us-east-1b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
}

Remote Backends

Configure S3 and Terraform Cloud backends for shared state

hcl·S3 backend with DynamoDB locking (HCL)

terraform {
  backend "s3" {
    bucket         = "my-tf-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-lock"
  }
}

hcl·Terraform Cloud backend (HCL)

terraform {
  cloud {
    organization = "my-org"

    workspaces {
      name = "my-app-prod"
    }
  }
}

bash·Migrate state to new backend

terraform init -migrate-state

bash·Reconfigure backend (skip state migration)

terraform init -reconfigure

Common HCL Patterns

Loops, conditionals, locals and dynamic blocks

hcl·for_each over a map

variable "buckets" {
  default = {
    logs    = "us-east-1"
    backups = "us-west-2"
  }
}

resource "aws_s3_bucket" "this" {
  for_each = var.buckets
  bucket   = "my-app-${each.key}"
  region   = each.value
}

hcl·count with conditional

resource "aws_eip" "nat" {
  count  = var.environment == "prod" ? 1 : 0
  domain = "vpc"
}

hcl·locals block

locals {
  common_tags = {
    Project     = var.project_name
    Environment = var.environment
    ManagedBy   = "terraform"
  }

  is_prod = var.environment == "prod"
}

resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = local.is_prod ? "t3.large" : "t3.micro"
  tags          = local.common_tags
}

hcl·dynamic block

variable "ingress_rules" {
  default = [
    { port = 80,  cidr = "0.0.0.0/0" },
    { port = 443, cidr = "0.0.0.0/0" },
  ]
}

resource "aws_security_group" "web" {
  name = "web-sg"

  dynamic "ingress" {
    for_each = var.ingress_rules
    content {
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = "tcp"
      cidr_blocks = [ingress.value.cidr]
    }
  }
}

hcl·depends_on and lifecycle

resource "aws_instance" "app" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"

  depends_on = [aws_iam_role_policy.app]

  lifecycle {
    create_before_destroy = true
    ignore_changes        = [ami]
    prevent_destroy       = true
  }
}

hcl·Data source lookup

data "aws_ami" "ubuntu" {
  most_recent = true
  owners      = ["099720109477"] # Canonical

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"]
  }
}

resource "aws_instance" "web" {
  ami           = data.aws_ami.ubuntu.id
  instance_type = "t3.micro"
}

Debugging & Inspection

Inspect expressions, enable logging and troubleshoot plans

bash·Interactive console (evaluate expressions)

terraform console

bash·Show planned changes as JSON

terraform plan -out=tfplan && terraform show -json tfplan | jq .

bash·Enable detailed logging

TF_LOG=DEBUG terraform apply

bash·Log to file

TF_LOG=INFO TF_LOG_PATH=./tf.log terraform plan

bash·Graph resource dependencies

terraform graph | dot -Tsvg > graph.svg

hcl·Print value during plan with check (HCL)

check "bucket_name_valid" {
  assert {
    condition     = length(var.bucket_name) <= 63
    error_message = "S3 bucket name must be 63 characters or fewer."
  }
}