Cloud  /  Terraform

IaC Terraform 50 guides · updated 2026

Infrastructure as code done right — providers, state, reusable modules, and the workflow patterns that keep multi-cloud deployments sane in 2026.

Terraform CLI Commands

The Terraform CLI is the primary interface for working with infrastructure code. Understanding each command’s purpose, key flags, and when to use them is essential for both day-to-day work and DevOps interviews.


Core Workflow Commands

terraform init

Initializes the working directory — downloads providers, sets up the backend, and prepares modules.

Terminal window
terraform init # Standard initialization
terraform init -upgrade # Upgrade providers within constraints
terraform init -backend=false # Skip backend configuration (local testing)
terraform init -reconfigure # Force backend reconfiguration
terraform init -backend-config="bucket=my-state-bucket" # Override backend settings

Run init whenever:


terraform validate

Checks syntax and internal consistency without accessing any remote APIs.

Terminal window
terraform validate # Validate current directory
terraform validate -json # Machine-readable JSON output (for CI)

validate catches: missing required arguments, type mismatches, invalid references. It does NOT catch: API-side errors (wrong AMI ID, insufficient permissions).


terraform fmt

Automatically formats .tf files to canonical HCL style.

Terminal window
terraform fmt # Format current directory
terraform fmt -recursive # Format all subdirectories too
terraform fmt -check # Exit 1 if files need formatting (use in CI)
terraform fmt -diff # Show diff of changes

Add terraform fmt -check -recursive to your CI pipeline to enforce consistent formatting.


terraform plan

Creates an execution plan showing what changes will be made.

Terminal window
terraform plan # Basic plan
terraform plan -out=tfplan # Save plan to file (use with apply)
terraform plan -var="environment=prod" # Override a variable
terraform plan -var-file="prod.tfvars" # Use a specific vars file
terraform plan -target=aws_instance.web # Plan only specific resource
terraform plan -destroy # Show what destroy would remove
terraform plan -refresh=false # Skip state refresh (faster, less safe)
terraform plan -compact-warnings # Summarize warnings

The output symbols:


terraform apply

Applies changes to reach the desired state.

Terminal window
terraform apply # Show plan, prompt for confirmation
terraform apply -auto-approve # Skip confirmation (use in CI/CD only)
terraform apply tfplan # Apply a saved plan file (no re-plan)
terraform apply -var="env=prod" # Override variable
terraform apply -target=aws_s3_bucket.logs # Apply only one resource
terraform apply -parallelism=20 # Concurrent operations (default: 10)

Best practice for production: terraform plan -out=tfplan && terraform apply tfplan. This guarantees what you reviewed is exactly what gets applied.


terraform destroy

Destroys all resources managed by the configuration.

Terminal window
terraform destroy # Prompt for confirmation
terraform destroy -auto-approve # No confirmation (use with extreme care)
terraform destroy -target=aws_instance.old # Destroy a specific resource only

State Management Commands

terraform show

Displays current state or a saved plan.

Terminal window
terraform show # Show current state
terraform show tfplan # Show saved plan contents
terraform show -json | jq '.values' # Parse state as JSON

terraform state

Directly inspect and manipulate the state file.

Terminal window
terraform state list # List all managed resources
terraform state show aws_instance.web # Details of one resource
terraform state mv aws_instance.old aws_instance.new # Rename resource in state
terraform state rm aws_instance.web # Remove from state (doesn't delete real resource)
terraform state pull # Download remote state to stdout
terraform state push terraform.tfstate # Upload local state to backend

terraform import

Import existing infrastructure into Terraform state.

Terminal window
terraform import aws_s3_bucket.existing my-existing-bucket
terraform import aws_instance.server i-1234567890abcdef0

Utility Commands

terraform output

Read outputs after apply.

Terminal window
terraform output # All outputs
terraform output vpc_id # Specific output
terraform output -json # JSON format (for scripting)
terraform output -raw load_balancer_dns # Raw string (no quotes)

terraform console

Interactive REPL for evaluating expressions.

Terminal window
terraform console
> cidrsubnet("10.0.0.0/16", 8, 1)
"10.0.1.0/24"
> length(["a", "b", "c"])
3
> var.environment
"production"

terraform workspace

Manage named workspaces for state isolation.

Terminal window
terraform workspace list # List workspaces
terraform workspace new staging # Create and switch to staging
terraform workspace select production # Switch workspace
terraform workspace show # Current workspace name
terraform workspace delete staging # Delete a workspace

terraform graph

Outputs the dependency graph in DOT format.

Terminal window
terraform graph | dot -Tsvg > graph.svg # Visualize with Graphviz

Frequently Used Flags Cheat Sheet

FlagCommandsPurpose
-auto-approveapply, destroySkip interactive confirmation
-var="key=val"plan, applyOverride a single variable
-var-file=fileplan, applyLoad variables from file
-target=resourceplan, apply, destroyLimit to specific resource
-out=fileplanSave plan for later apply
-refresh=falseplan, applySkip state refresh
-lock=falseplan, applyDisable state locking (caution)
-compact-warningsplan, applySuppress verbose warnings
-jsonplan, apply, showJSON output for tooling

CI/CD-Friendly Workflow

Terminal window
# In CI pipelines — non-interactive, explicit, auditable
terraform init -input=false
terraform validate
terraform fmt -check -recursive
terraform plan -out=tfplan -input=false
terraform apply -input=false tfplan

The -input=false flag causes Terraform to fail rather than prompt for user input, which is the correct behavior in automated pipelines.