Terraform — Declarative Infrastructure as Code

Terraform by HashiCorp is the de facto standard tool for Infrastructure as Code: instead of clicking resources into existence, you describe them declaratively in the HCL configuration language and let Terraform reconcile them against the real world. A vast provider ecosystem lets you drive AWS, Azure, Google Cloud and hundreds of other platforms with the same set of commands. At its heart sits the plan/apply workflow – Terraform first shows you what would change, then makes it so – while the state file records which real resource maps to which block of code. This guide walks you through the commands you reach for most, from init to workspace handling.

Initialize & Plan

terraform init — Initialize a working directory (download providers and modules).

terraform init

terraform init -upgrade — Reinitialize and upgrade provider plugins.

terraform init -upgrade

terraform plan — Show what changes will be made without applying.

terraform plan

terraform plan -out=<file> — Save the plan to a file for later apply.

terraform plan -out=tfplan

terraform plan -var '<key>=<value>' — Plan with a variable override.

terraform plan -var 'region=eu-west-1'

terraform plan -var-file=<file> — Plan with variables from a file.

terraform plan -var-file=prod.tfvars

terraform plan -target=<resource> — Plan changes for a specific resource only.

terraform plan -target=aws_instance.web

Apply & Destroy

terraform apply — Apply changes to reach desired state.

terraform apply

terraform apply <planfile> — Apply a saved plan file.

terraform apply tfplan

terraform apply -auto-approve — Apply without interactive confirmation.

terraform apply -auto-approve

terraform destroy — Destroy all managed infrastructure.

terraform destroy

terraform destroy -target=<resource> — Destroy a specific resource only.

terraform destroy -target=aws_instance.web

State Management

terraform state list — List all resources in the state.

terraform state list

terraform state show <resource> — Show details of a specific resource.

terraform state show aws_instance.web

terraform state mv <src> <dest> — Move/rename a resource in state.

terraform state mv aws_instance.old aws_instance.new

terraform state rm <resource> — Remove a resource from state (without destroying it).

terraform state rm aws_instance.imported

terraform state pull — Download and output the current remote state.

terraform state pull > state-backup.json

terraform import <resource> <id> — Import existing infrastructure into state.

terraform import aws_instance.web i-1234567890abcdef0

Workspaces

terraform workspace list — List all workspaces.

terraform workspace list

terraform workspace new <name> — Create a new workspace.

terraform workspace new staging

terraform workspace select <name> — Switch to a workspace.

terraform workspace select production

terraform workspace show — Show the current workspace name.

terraform workspace show

terraform workspace delete <name> — Delete an empty workspace.

terraform workspace delete staging

Format & Validate

terraform fmt — Format configuration files to canonical style.

terraform fmt

terraform fmt -check — Check if files are formatted (for CI).

terraform fmt -check -recursive

terraform validate — Validate configuration syntax and consistency.

terraform validate

terraform output — Show all output values from state.

terraform output

terraform output <name> — Show a specific output value.

terraform output instance_ip

terraform output -json — Show outputs in JSON format.

terraform output -json

Providers & Modules

terraform providers — Show providers required by the configuration.

terraform providers

terraform providers lock — Update the dependency lock file.

terraform providers lock -platform=linux_amd64

terraform get — Download and update modules.

terraform get -update

terraform graph — Generate a dependency graph in DOT format.

terraform graph | dot -Tpng > graph.png

terraform version — Show Terraform and provider versions.

terraform version

Conclusion

Terraform rewards disciplined habits: always run terraform plan and read the output before you apply, especially with terraform destroy or apply -auto-approve, which rebuild or tear down your infrastructure with no further prompt. Treat the state file as a secret: it often contains plaintext credentials (passwords, tokens), so it should never land in Git and belongs in an encrypted remote backend. -target is an emergency tool, not an everyday flag – reach for it only when you know exactly why you need it.