# Terraform — Declarative Infrastructure as Code

> Practical guide to Terraform: Infrastructure as Code with HCL, the provider ecosystem, state management and the plan/apply workflow for cloud resources.

Source: https://www.jpkc.com/db/en/cheatsheets/cloud-iac/terraform/

<!-- PROSE:intro -->
Terraform by HashiCorp is the de facto standard tool for Infrastructure as Code: instead of clicking resources into existence, you describe them declaratively in the HCL configuration language and let Terraform reconcile them against the real world. A vast provider ecosystem lets you drive AWS, Azure, Google Cloud and hundreds of other platforms with the same set of commands. At its heart sits the `plan`/`apply` workflow – Terraform first shows you what would change, then makes it so – while the state file records which real resource maps to which block of code. This guide walks you through the commands you reach for most, from init to workspace handling.
<!-- PROSE:intro:end -->

## Initialize & Plan

`terraform init` — Initialize a working directory (download providers and modules).

```bash
terraform init
```

`terraform init -upgrade` — Reinitialize and upgrade provider plugins.

```bash
terraform init -upgrade
```

`terraform plan` — Show what changes will be made without applying.

```bash
terraform plan
```

`terraform plan -out=<file>` — Save the plan to a file for later apply.

```bash
terraform plan -out=tfplan
```

`terraform plan -var '<key>=<value>'` — Plan with a variable override.

```bash
terraform plan -var 'region=eu-west-1'
```

`terraform plan -var-file=<file>` — Plan with variables from a file.

```bash
terraform plan -var-file=prod.tfvars
```

`terraform plan -target=<resource>` — Plan changes for a specific resource only.

```bash
terraform plan -target=aws_instance.web
```

## Apply & Destroy

`terraform apply` — Apply changes to reach desired state.

```bash
terraform apply
```

`terraform apply <planfile>` — Apply a saved plan file.

```bash
terraform apply tfplan
```

`terraform apply -auto-approve` — Apply without interactive confirmation.

```bash
terraform apply -auto-approve
```

`terraform destroy` — Destroy all managed infrastructure.

```bash
terraform destroy
```

`terraform destroy -target=<resource>` — Destroy a specific resource only.

```bash
terraform destroy -target=aws_instance.web
```

## State Management

`terraform state list` — List all resources in the state.

```bash
terraform state list
```

`terraform state show <resource>` — Show details of a specific resource.

```bash
terraform state show aws_instance.web
```

`terraform state mv <src> <dest>` — Move/rename a resource in state.

```bash
terraform state mv aws_instance.old aws_instance.new
```

`terraform state rm <resource>` — Remove a resource from state (without destroying it).

```bash
terraform state rm aws_instance.imported
```

`terraform state pull` — Download and output the current remote state.

```bash
terraform state pull > state-backup.json
```

`terraform import <resource> <id>` — Import existing infrastructure into state.

```bash
terraform import aws_instance.web i-1234567890abcdef0
```

## Workspaces

`terraform workspace list` — List all workspaces.

```bash
terraform workspace list
```

`terraform workspace new <name>` — Create a new workspace.

```bash
terraform workspace new staging
```

`terraform workspace select <name>` — Switch to a workspace.

```bash
terraform workspace select production
```

`terraform workspace show` — Show the current workspace name.

```bash
terraform workspace show
```

`terraform workspace delete <name>` — Delete an empty workspace.

```bash
terraform workspace delete staging
```

## Format & Validate

`terraform fmt` — Format configuration files to canonical style.

```bash
terraform fmt
```

`terraform fmt -check` — Check if files are formatted (for CI).

```bash
terraform fmt -check -recursive
```

`terraform validate` — Validate configuration syntax and consistency.

```bash
terraform validate
```

`terraform output` — Show all output values from state.

```bash
terraform output
```

`terraform output <name>` — Show a specific output value.

```bash
terraform output instance_ip
```

`terraform output -json` — Show outputs in JSON format.

```bash
terraform output -json
```

## Providers & Modules

`terraform providers` — Show providers required by the configuration.

```bash
terraform providers
```

`terraform providers lock` — Update the dependency lock file.

```bash
terraform providers lock -platform=linux_amd64
```

`terraform get` — Download and update modules.

```bash
terraform get -update
```

`terraform graph` — Generate a dependency graph in DOT format.

```bash
terraform graph | dot -Tpng > graph.png
```

`terraform version` — Show Terraform and provider versions.

```bash
terraform version
```

<!-- PROSE:outro -->
## Conclusion

Terraform rewards disciplined habits: always run `terraform plan` and read the output before you `apply`, especially with `terraform destroy` or `apply -auto-approve`, which rebuild or tear down your infrastructure with no further prompt. Treat the state file as a secret: it often contains plaintext credentials (passwords, tokens), so it should never land in Git and belongs in an encrypted remote backend. `-target` is an emergency tool, not an everyday flag – reach for it only when you know exactly why you need it.

## Further Reading

- [Terraform documentation (HashiCorp Developer)](https://developer.hashicorp.com/terraform) – official reference for the CLI, language and providers
- [Terraform Registry](https://registry.terraform.io/) – central catalog of providers and modules
<!-- PROSE:outro:end -->

## Related Commands

- [ansible](https://www.jpkc.com/db/en/cheatsheets/cloud-iac/ansible/) – agentless configuration management and provisioning
- [aws](https://www.jpkc.com/db/en/cheatsheets/cloud-iac/aws/) – official CLI for Amazon Web Services resources