Terraform Cheatsheet

Top commands.

Initialisation

terraform init is the first command in any project. Get the providers and backend right and everything that follows is easier; get them wrong and every subsequent command produces confusing errors.

• terraform init Downloads providers and modules, sets up the backend. Run once per project, again after backend or provider-version changes.
• terraform init -upgrade Refreshes providers to the latest version matching constraints; use intentionally and pin versions to avoid surprise upgrades.
• terraform init -reconfigure Reinitialise the backend; the right command when migrating state from one backend to another.
• terraform init -backend-config=path Override backend config per environment; supports clean per-env state separation without duplicating Terraform code.

Plan and apply

The plan-then-apply discipline keeps Terraform changes safe. Save the plan, apply that exact plan; do not run plan and apply separately and assume nothing changed in between.

• terraform plan -out=plan.tfplan Save the plan to a file; apply that exact plan to guarantee no drift between what was reviewed and what was applied.
• terraform apply plan.tfplan Apply the saved plan; the only safe way to apply when reviewing the plan in a PR or change ticket.
• terraform plan -destroy Preview a destroy operation; sanity-check before terraform destroy to confirm scope.
• terraform apply -target=resource Targeted apply for surgical incident fixes; not for routine use, since it bypasses the dependency graph.

State management

State management is its own discipline. list, rm, import, and mv cover most refactor and recovery patterns; reach for them before reaching for a destructive workaround.

• terraform state list List all tracked resources; the first command when investigating "what does Terraform think it owns."
• terraform state rm aws_instance.foo Remove a resource from state without destroying it; common when refactoring or migrating between Terraform projects.
• terraform import aws_instance.foo i-1234 Import existing infrastructure into state; useful for adopting hand-created resources without recreating them.
• terraform state mv Rename a resource in state without destroying; supports module refactors that would otherwise destroy and recreate.

Workspaces

Workspaces are the lightweight environment primitive. Useful for transient and ephemeral environments; directories beat workspaces for serious production separation.

• terraform workspace list Show all workspaces in the project; each has its own state file but shares the configuration.
• terraform workspace new staging Create and switch to a new workspace; one command for both operations.
• Workspaces versus directories. Directories isolate configuration as well as state and are the preferred pattern for production; workspaces share configuration and shine for transient testing.
• Per-workspace tfvars. Environment-specific variable files (terraform.tfvars, staging.tfvars) keep per-env values out of the configuration itself.

Debugging

Debugging Terraform is its own discipline. Verbose logs, refresh, validate, and fmt cover most of what you reach for during a confused plan output.

• TF_LOG=DEBUG terraform plan Verbose output including provider API calls; the right tool when the plan output makes no sense.
• terraform refresh Reconcile state against actual cloud state; catches drift introduced by manual changes outside Terraform.
• terraform validate Syntax and configuration sanity check; cheap CI gate to run before plan.
• terraform fmt -recursive Format pass across the entire project; supports clean review diffs.