Terraform CLI Cheat Sheet
· 6 min read
A quick reference for the Terraform CLI. Skim the quick-reference table if you just need a reminder, scroll down for full examples.
Quick Reference
| Command | What it does |
|---|---|
terraform init | Initialize project, download providers |
terraform plan | Preview what will change |
terraform apply | Create or update infrastructure |
terraform destroy | Tear down infrastructure |
terraform fmt | Format .tf files |
terraform validate | Check config for errors |
terraform output | Print output values |
terraform show | Inspect current state or a plan file |
terraform state list | List all resources in state |
terraform state show <resource> | Show details of one resource |
terraform state mv <src> <dst> | Rename or move a resource in state |
terraform state rm <resource> | Remove a resource from state |
terraform import <resource> <id> | Import existing infra into state |
terraform workspace list | List workspaces |
terraform workspace select <name> | Switch workspace |
terraform console | Open interactive expression evaluator |
terraform graph | Generate dependency graph (DOT format) |
terraform providers | List required providers |
terraform force-unlock <id> | Release a stuck state lock |
terraform login | Authenticate with Terraform Cloud |
terraform test | Run .tftest.hcl tests |
Common Workflows
Copy-paste recipes for everyday scenarios.
# Standard deploy flow
terraform init
terraform plan -out=tfplan
terraform apply tfplan
# Destroy and rebuild a single resource
terraform apply -replace=aws_instance.web
# Move state when refactoring modules
terraform state mv aws_instance.web module.compute.aws_instance.web
# Check formatting + validate in CI
terraform fmt -check -recursive && terraform validate
# Import a resource, then verify
terraform import aws_s3_bucket.data my-bucket
terraform plan # should show no changes if config matches
Handy Flags (work with most commands)
| Flag | Description |
|---|---|
-auto-approve | Skip interactive approval |
-var="key=val" | Set a variable inline |
-var-file="f.tfvars" | Load variables from file |
-target=resource | Limit operation to one resource |
-parallelism=N | Number of concurrent operations (default 10) |
-compact-warnings | Show warnings in compact form |
-no-color | Disable colored output (for CI logs) |
-json | Machine-readable JSON output |
-input=false | Disable interactive prompts |
-lock=false | Disable state locking (use with caution) |
Core Commands (init, plan, apply, destroy)
init
# Download providers and set up backend
terraform init
# Reinitialize and upgrade provider versions
terraform init -upgrade
# Migrate state to a new backend
terraform init -migrate-state
# Point to a specific backend config file
terraform init -backend-config=backend.hcl
plan
# See what Terraform will do
terraform plan
# Save plan to a file (for review / CI)
terraform plan -out=tfplan
# Plan to destroy everything
terraform plan -destroy
# Plan for a single resource
terraform plan -target=aws_instance.web
# Pass a variable inline
terraform plan -var="region=us-west-2"
# Pass a variable file
terraform plan -var-file="prod.tfvars"
apply
# Apply with interactive approval
terraform apply
# Apply a saved plan (skips approval prompt)
terraform apply tfplan
# Auto-approve (CI/CD pipelines)
terraform apply -auto-approve
# Apply a single resource
terraform apply -target=aws_s3_bucket.data
# Apply with variables
terraform apply -var="instance_type=t3.micro"
terraform apply -var-file="staging.tfvars"
# Apply and increase parallelism (default is 10)
terraform apply -parallelism=20
destroy
# Destroy everything (with prompt)
terraform destroy
# Auto-approve destroy (CI/CD)
terraform destroy -auto-approve
# Destroy a single resource
terraform destroy -target=aws_instance.web
# Destroy with a variable file
terraform destroy -var-file="dev.tfvars"
Code Quality (fmt, validate, output)
fmt
# Format all .tf files in current directory
terraform fmt
# Recursively format all .tf files
terraform fmt -recursive
# Check formatting without changing files (useful in CI)
terraform fmt -check
# Show diffs of formatting changes
terraform fmt -diff
validate
# Validate syntax and internal consistency
terraform validate
# Output as JSON (for CI tooling)
terraform validate -json
output
# Show all outputs
terraform output
# Show a specific output
terraform output instance_ip
# Get raw value (no quotes, useful in scripts)
terraform output -raw instance_ip
# Output as JSON
terraform output -json
State Management (show, state, import)
show
# Show the current state in human-readable form
terraform show
# Show a saved plan file
terraform show tfplan
# Output state as JSON
terraform show -json
state
# List all resources in state
terraform state list
# Show details of a specific resource
terraform state show aws_instance.web
# Rename / move a resource in state
terraform state mv aws_instance.old aws_instance.new
# Move a resource into a module
terraform state mv aws_instance.web module.compute.aws_instance.web
# Remove a resource from state (without destroying it)
terraform state rm aws_instance.legacy
# Pull remote state to stdout
terraform state pull
# Push local state to remote backend
terraform state push terraform.tfstate
# Replace a provider in state
terraform state replace-provider hashicorp/aws registry.example.com/aws
import
# Import an existing resource into state
terraform import aws_instance.web i-0abc123def456
# Import into a module
terraform import module.vpc.aws_vpc.main vpc-abc123
# Import with variables
terraform import -var-file="prod.tfvars" aws_s3_bucket.data my-bucket
Workspaces
Manage multiple environments (dev, staging, prod) with the same config.
# List workspaces (* marks current)
terraform workspace list
# Create a new workspace
terraform workspace new staging
# Switch to an existing workspace
terraform workspace select prod
# Show current workspace
terraform workspace show
# Delete a workspace
terraform workspace delete staging
Debugging and Inspection
console
# Open an interactive console
terraform console
# Inside the console:
# > var.region
# "us-west-2"
# > length(var.subnets)
# 3
# > cidrsubnet("10.0.0.0/16", 8, 1)
# "10.0.1.0/24"
graph
# Generate a DOT graph of resource dependencies
terraform graph
# Render to PNG (requires Graphviz)
terraform graph | dot -Tpng > graph.png
# Graph for the destroy plan
terraform graph -type=destroy
providers
# List providers required by the configuration
terraform providers
# Lock provider versions (generate .terraform.lock.hcl)
terraform providers lock
# Show provider schema
terraform providers schema -json
Resource Recreation
# Mark a resource for recreation on next apply (deprecated)
terraform taint aws_instance.web
# Undo the taint
terraform untaint aws_instance.web
Note:
taintis deprecated. Use-replaceinstead.
# Preferred: replace a resource on next apply
terraform apply -replace=aws_instance.web
Operations and Auth
force-unlock
# Release a stuck state lock (use the lock ID from the error message)
terraform force-unlock LOCK_ID
login / logout
# Authenticate with Terraform Cloud
terraform login
# Log out
terraform logout
test
# Run .tftest.hcl tests
terraform test
# Run tests in verbose mode
terraform test -verbose
Environment Variables
# Skip interactive approval
export TF_CLI_ARGS_apply="-auto-approve"
# Set log level (TRACE, DEBUG, INFO, WARN, ERROR)
export TF_LOG=DEBUG
# Write logs to a file
export TF_LOG_PATH="terraform.log"
# Set a variable via env var (TF_VAR_ prefix)
export TF_VAR_region="us-west-2"
# Point to a custom plugin directory
export TF_PLUGIN_CACHE_DIR="$HOME/.terraform.d/plugin-cache"
# Auto-load a variable file
export TF_CLI_ARGS_plan="-var-file=common.tfvars"
# Disable checkpoint version checks
export CHECKPOINT_DISABLE=1