Skip to main content

Terraform Cheatsheet — 90+ Commands for IaC Daily Work

Terraform cheat sheet — 90+ commands for init, plan, apply, state, workspaces, import, and debug with real examples.

  • Runs locally
  • Category Developer & DevOps
  • Best for Formatting, validating, shrinking, or inspecting code-adjacent text.

56 commands

Init

terraform init

Initialize the working directory: download providers, set up the backend, and install modules. Must be run before any other command in a new checkout or after adding a new provider.

Examples
terraform init
cd infra/prod && terraform init
terraform init -upgrade

Upgrade all providers and modules to the latest allowed version according to version constraints. Without -upgrade, init reuses cached downloads.

Common pitfall: Running -upgrade in production without testing in staging first can pull in a breaking provider change.

Examples
terraform init -upgrade
terraform init -backend-config=backend.hcl

Load backend configuration from an external file instead of hardcoding credentials in main.tf. Useful for keeping secrets out of version control.

Examples
terraform init -backend-config=backend.hcl
terraform init -backend-config="bucket=my-tfstate" -backend-config="region=us-east-1"
terraform init -migrate-state

Reconfigure the backend and migrate existing state to the new location. Use when switching from local state to S3 or between S3 buckets.

Common pitfall: Back up your state file before migrating — a bad migration can leave you with no state.

Examples
terraform init -migrate-state
terraform init -reconfigure

Reconfigure the backend without migrating existing state. Use when you want to point at a fresh backend (e.g. a new workspace) and start clean.

Examples
terraform init -reconfigure

Plan

terraform plan

Show a preview of changes Terraform will make on the next apply. Refreshes state from the provider before comparing. Exit code 0 = no changes, 2 = changes present.

Examples
terraform plan
terraform plan 2>&1 | tee plan.log
terraform plan -out=plan.tfplan

Save the plan to a file so the subsequent apply runs exactly what was reviewed. The gold standard for CI/CD: plan in one job, apply in another.

Common pitfall: Never run terraform apply without -out in automated pipelines — infra changes between plan and apply can cause surprises.

Examples
terraform plan -out=plan.tfplan
terraform apply plan.tfplan
terraform plan -target=aws_instance.web

Limit planning to a specific resource (and its dependencies). Useful for iterating on a single resource without touching the rest of the config.

Common pitfall: -target can leave the state inconsistent. Use it only for iterative development, not as a standard practice.

Examples
terraform plan -target=aws_instance.web
terraform plan -target=module.vpc
terraform plan -var="key=value"

Pass a variable inline on the command line. Overrides defaults and tfvars files. Good for one-off overrides in development.

Examples
terraform plan -var="env=prod"
terraform plan -var="region=eu-west-1" -var="instance_type=t3.medium"
terraform plan -var-file=prod.tfvars

Load variable values from a .tfvars file. Files ending in .auto.tfvars or named terraform.tfvars are loaded automatically — all others require -var-file.

Examples
terraform plan -var-file=prod.tfvars
terraform plan -var-file=common.tfvars -var-file=prod.tfvars
terraform plan -destroy

Preview the destroy plan without actually destroying anything. Equivalent to terraform destroy but stops before applying.

Examples
terraform plan -destroy
terraform plan -destroy -target=aws_rds_cluster.main
terraform plan -refresh-only

Sync Terraform state with real infra without proposing any configuration changes. Use to accept drift after manual cloud changes.

Examples
terraform plan -refresh-only
terraform apply -refresh-only -auto-approve

Apply

terraform apply

Apply changes to real infrastructure. Shows a plan and prompts for confirmation before making any changes.

Examples
terraform apply
terraform apply -var-file=prod.tfvars
terraform apply -auto-approve

Apply without interactive approval. Required in CI/CD pipelines where stdin is not available. Only safe when applying a pre-reviewed plan file.

Common pitfall: Never use -auto-approve directly on terraform apply without a plan file in shared environments — you skip the review step.

Examples
terraform apply -auto-approve plan.tfplan
terraform apply -auto-approve -var-file=staging.tfvars
terraform apply plan.tfplan

Apply a previously saved plan file exactly as reviewed. This is the recommended CI/CD workflow: plan → review → apply plan file.

Examples
terraform apply plan.tfplan
terraform apply -auto-approve plan.tfplan
terraform apply -replace=aws_instance.web

Force a specific resource to be destroyed and recreated in the same apply. Replaces the deprecated `terraform taint` command.

Examples
terraform apply -replace=aws_instance.web
terraform apply -replace=aws_launch_template.app -auto-approve
terraform apply -target=module.vpc

Apply changes to only a specific resource or module and its dependencies. Useful for phased rollouts or fixing a broken resource.

Common pitfall: Applying with -target repeatedly can cause state drift. Use it sparingly, and always follow up with a full apply.

Examples
terraform apply -target=module.vpc
terraform apply -target=aws_security_group.allow_tls
terraform apply -parallelism=20

Set the number of resources Terraform operates on concurrently. Default is 10. Increase for large deployments where provider rate limits are not a concern.

Examples
terraform apply -parallelism=20
terraform apply -parallelism=5 -var-file=prod.tfvars

Destroy

terraform destroy

Destroy ALL resources managed by the current configuration. Shows a plan and prompts for confirmation. Use with extreme caution in production.

Common pitfall: terraform destroy removes EVERYTHING in the workspace. Use -target for selective teardown.

Examples
terraform destroy
terraform destroy -var-file=staging.tfvars
terraform destroy -target=aws_instance.web

Destroy only a specific resource (and resources that depend on it). Much safer than a full destroy when you need to tear down one part of the stack.

Examples
terraform destroy -target=aws_instance.web
terraform destroy -target=module.rds -auto-approve
terraform destroy -auto-approve

Destroy without interactive confirmation. Only safe in ephemeral CI environments where the workspace is intentionally being torn down.

Examples
terraform destroy -auto-approve
terraform destroy -auto-approve -target=module.test_env

State

terraform state list

List all resources currently tracked in the state file. Add a filter to narrow down: `terraform state list aws_instance.*`.

Examples
terraform state list
terraform state list aws_s3_bucket.*
terraform state list module.vpc.*
terraform state show aws_instance.web

Display all attributes of a specific resource in the state file. Useful for debugging unexpected diffs or verifying imported resource attributes.

Examples
terraform state show aws_instance.web
terraform state show module.vpc.aws_vpc.main
terraform state mv aws_instance.old aws_instance.new

Rename a resource in the state file without destroying and recreating it. Update the .tf configuration to match, then run terraform plan to confirm zero changes.

Common pitfall: Always run `terraform plan` after state mv to confirm there are no unexpected changes before apply.

Examples
terraform state mv aws_instance.old aws_instance.new
terraform state mv module.app module.web
terraform state mv aws_instance.web "module.ec2.aws_instance.web"
terraform state rm aws_instance.legacy

Remove a resource from the state file WITHOUT deleting it in the cloud. Use when you want Terraform to stop managing a resource but keep it running.

Common pitfall: `state rm` does NOT delete the cloud resource. After removing, the resource is simply untracked and will not appear in plans.

Examples
terraform state rm aws_instance.legacy
terraform state rm module.old_module.aws_s3_bucket.data
terraform state pull

Pull the remote state and print it to stdout as JSON. Use to inspect or backup the current state from a remote backend.

Examples
terraform state pull
terraform state pull > backup-$(date +%F).tfstate
terraform state push terraform.tfstate

Push a local state file to the remote backend. Use with extreme caution — pushing an older state will overwrite the current one and can cause data loss.

Common pitfall: state push overwrites the remote state unconditionally. Always pull first and verify the state is correct.

Examples
terraform state push terraform.tfstate
terraform force-unlock LOCK_ID

Release a stuck state lock. Use when a previous run crashed and left the lock unreleased. The lock ID is printed in the error message.

Common pitfall: Only force-unlock if you are certain no other apply is running. Unlocking during an active run can corrupt state.

Examples
terraform force-unlock 7ef08c27-5b32-4e9a-af67-a72f5fdca6a8

Workspace

terraform workspace list

List all workspaces in the current backend. The active workspace is prefixed with *.

Examples
terraform workspace list
terraform workspace show

Print the name of the currently active workspace. Useful in scripts to branch behavior by environment.

Examples
terraform workspace show
ENV=$(terraform workspace show)
terraform workspace new staging

Create a new workspace and switch to it. Each workspace gets its own isolated state, allowing the same config to manage multiple environments.

Examples
terraform workspace new staging
terraform workspace new feature-vpc
terraform workspace select prod

Switch to an existing workspace. All subsequent commands operate against that workspace's state.

Common pitfall: Forgetting which workspace is active before running apply is a common cause of deploying to the wrong environment.

Examples
terraform workspace select prod
terraform workspace select default
terraform workspace delete staging

Delete a workspace. The workspace must be empty (no resources in its state). Use `terraform destroy` first if needed.

Examples
terraform workspace delete staging
terraform workspace delete -force old_env

Import

terraform import aws_s3_bucket.logs my-logs-bucket

Import an existing cloud resource into Terraform state. Write the resource block first, then run import with the provider-specific ID. The import does not generate config — you must write it yourself.

Common pitfall: After import, always run `terraform plan` to find attributes missing from your config. A wrong config causes immediate drift.

Examples
terraform import aws_s3_bucket.logs my-logs-bucket
terraform import aws_instance.web i-1234567890abcdef0
terraform import aws_route53_record.www Z1PA6795UKMFR9_www_A
terraform import -var="region=us-east-1" aws_vpc.main vpc-12345678

Pass variables during import. Necessary when the provider configuration itself depends on variables (e.g. region, account ID).

Examples
terraform import -var="region=eu-west-1" aws_vpc.main vpc-12345678
terraform import -var-file=prod.tfvars aws_db_instance.main db-identifier

Output

terraform output

Print all root module output values from the current state. Reads from state — no provider calls, no infra changes.

Examples
terraform output
terraform output | grep instance_ip
terraform output instance_ip

Print a single output value by name. The value is quoted by default.

Examples
terraform output instance_ip
terraform output db_endpoint
terraform output -json

Print all outputs as a JSON object. Ideal for piping to jq or consuming in scripts and CI systems.

Examples
terraform output -json
terraform output -json | jq .instance_ip.value
IP=$(terraform output -json | jq -r .instance_ip.value)
terraform output -raw instance_ip

Print a single output value without surrounding quotes. Use in shell scripts where you want the raw string, not a JSON-quoted value.

Examples
IP=$(terraform output -raw instance_ip)
ssh ubuntu@$(terraform output -raw instance_ip)

Format & Validate

terraform fmt

Reformat all .tf files in the current directory to the canonical Terraform style. Safe to run at any time — only changes whitespace and indentation.

Examples
terraform fmt
terraform fmt main.tf
terraform fmt -recursive

Recursively format all .tf files in the current directory and all subdirectories. Use before committing in a monorepo.

Examples
terraform fmt -recursive
terraform fmt -recursive .
terraform fmt -check

Exit with a non-zero code if any files need formatting, without changing them. Use in CI to enforce code style.

Examples
terraform fmt -check
terraform fmt -check -recursive || (echo "Run terraform fmt" && exit 1)
terraform fmt -diff

Show a diff of the formatting changes without applying them. Use during review to see what fmt would change.

Examples
terraform fmt -diff
terraform fmt -diff -recursive
terraform validate

Check the configuration for syntax errors and semantic issues (invalid references, missing required arguments). Does not access the provider or remote state.

Common pitfall: validate only checks static syntax — it cannot catch errors that depend on provider schema or runtime values.

Examples
terraform validate
terraform validate && echo "OK"

Providers & Modules

terraform providers

Print a tree of the providers required by the current configuration, with version constraints and their source.

Examples
terraform providers
terraform providers lock

Create or update the .terraform.lock.hcl dependency lock file. Should be committed to version control so all team members use identical provider versions.

Examples
terraform providers lock
terraform providers lock -platform=linux_amd64 -platform=darwin_amd64
terraform providers mirror /local/mirror

Download all required providers into a local directory. Use to set up an air-gapped environment where the CI runner cannot reach the public Terraform Registry.

Examples
terraform providers mirror /tmp/tf-providers
terraform providers mirror /mnt/shared/providers
terraform get

Download and install modules referenced in the configuration. Called automatically by terraform init — use explicitly after adding a new module without re-initing.

Examples
terraform get
terraform get -update
terraform get -update

Check for newer versions of installed modules and download updates. Use to pull in module bugfixes without a full re-init.

Examples
terraform get -update

Debug & Graph

TF_LOG=DEBUG terraform plan

Enable verbose debug logging for a single command. Log levels: TRACE, DEBUG, INFO, WARN, ERROR. DEBUG shows every provider API call.

Common pitfall: DEBUG logs include credential values and sensitive data. Never share or commit log files without scrubbing them.

Examples
TF_LOG=DEBUG terraform plan
TF_LOG=INFO terraform apply
TF_LOG=TRACE terraform init 2>&1 | head -200
TF_LOG_PATH=./terraform.log terraform apply

Redirect debug logs to a file instead of stderr. Combine with TF_LOG to control verbosity. Essential when logs are too long to inspect in a terminal.

Examples
TF_LOG=DEBUG TF_LOG_PATH=./tf-debug.log terraform plan
TF_LOG=INFO TF_LOG_PATH=/var/log/terraform.log terraform apply
TF_LOG_CORE=DEBUG TF_LOG_PROVIDER=OFF terraform plan

Separate log levels for the Terraform core engine vs. provider plugins. Use to silence noisy provider logs while debugging a core issue.

Examples
TF_LOG_CORE=DEBUG TF_LOG_PROVIDER=OFF terraform plan
TF_LOG_CORE=OFF TF_LOG_PROVIDER=TRACE terraform apply
terraform show

Display a human-readable representation of the current state file or a saved plan file.

Examples
terraform show
terraform show plan.tfplan
terraform show -json plan.tfplan | jq .
terraform console

Open an interactive HCL expression REPL against the current state. Evaluate expressions, test functions, and inspect resource attributes without writing a plan.

Examples
terraform console
# Inside console:
aws_instance.web.public_ip
jsonencode({ key = "value" })
cidrsubnet("10.0.0.0/16", 8, 2)
terraform graph

Output the dependency graph of resources in DOT format. Pipe to Graphviz to create a visual diagram.

Examples
terraform graph
terraform graph | dot -Tpng > graph.png
terraform graph | dot -Tsvg > graph.svg && open graph.svg
terraform version

Print the Terraform version and the versions of all installed providers. Use in bug reports and to verify the environment in CI.

Examples
terraform version
terraform version -json

What this tool does

Searchable Terraform cheat sheet with 90+ commands organized into eleven sections DevOps engineers reach for daily. Init: terraform init, -upgrade to refresh providers, -backend-config for external backend files, -migrate-state to switch backends, -reconfigure to reset without migrating. Plan: terraform plan, -out to save a plan file for safe apply, -target to scope to one resource, -var and -var-file for variable injection, -destroy to preview teardown, -refresh-only to sync state only. Apply: terraform apply, -auto-approve for CI pipelines, apply a saved plan file, -replace (modern taint replacement), -parallelism for faster runs. Destroy: terraform destroy, -target for selective teardown. State: state list, state show, state mv to rename without recreation, state rm to untrack without deleting, state pull/push for manual manipulation, force-unlock for stuck locks. Workspaces: workspace list / new / select / show / delete for environment isolation. Import: terraform import with resource address and cloud provider ID. Output: terraform output, -json for scripting, -raw for shell variables. Format and validate: terraform fmt -recursive, -check for CI gates, -diff for review; terraform validate for syntax checks. Providers: providers lock and providers mirror for air-gapped environments; terraform get -update for modules. Debug: TF_LOG levels, TF_LOG_PATH file redirect, terraform console as HCL REPL, terraform graph for dependency diagrams. Every entry has bilingual descriptions, a copy-ready example, and a pitfall callout. Search across command, description, pitfall, and examples. One-click copy. 100% client-side.

Tool details

Input
Text
The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output
Live result + Copy + Preview
The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy
Browser-side processing
The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share
Shareable URL state
Key settings are encoded in the URL so another person can reopen the same setup.
Performance budget
Initial JS <= 28 KB
No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit
Developer & DevOps · Developer
Category and role tags drive related tools, internal links, and quick fit checks.

How to use

  1. 1. Input

    Paste or drop your content into the tool panel.

  2. 2. Process

    Click the button. All processing is local in your browser.

  3. 3. Copy / Download

    Copy the result or download to disk in one click.

How Terraform Cheatsheet fits into your work

Use it in the small gaps between coding, reviewing, debugging, and shipping.

Developer jobs

  • Formatting, validating, shrinking, or inspecting code-adjacent text.
  • Preparing snippets for documentation, tickets, commits, or handoff.
  • Checking a small payload quickly without switching tools.

Developer checks

  • Run irreversible transforms like minify or obfuscate on a copy.
  • Keep secrets out of pasted snippets unless the tool explicitly stays local.
  • Use your normal tests or linter before shipping transformed code.

Good next steps

These links move the current task into a more complete workflow.

  1. 1 Docker Cheatsheet Docker command cheat sheet — 80+ commands with real examples, common mistakes, and Compose section. Open
  2. 2 kubectl Cheatsheet kubectl cheat sheet — 100+ Kubernetes commands with real examples, common pitfalls, and YAML snippets. Open
  3. 3 AWS CLI Cheatsheet AWS CLI cheat sheet — 80+ commands for EC2 / S3 / IAM / Lambda / RDS / EKS / CloudFormation with real examples. Open

Real-world use cases

  • Recovering from a locked state file during an incident

    A team member's apply crashed mid-run and left a `.lock` on the S3 backend. You find the lock ID in the error message, run `terraform force-unlock <id>`, confirm with yes, and the next apply proceeds. Without this entry you'd be editing DynamoDB by hand.

  • Renaming a module resource without downtime

    You refactored `module.app` to `module.web` and `terraform plan` wants to destroy and recreate 14 resources. You run `terraform state mv module.app module.web` instead, plan again, and get zero changes. Infra never reboots.

  • Importing a hand-built S3 bucket into Terraform

    A bucket was created manually six months ago and now needs to be managed as code. You write the `aws_s3_bucket` resource block, run `terraform import aws_s3_bucket.assets my-assets-bucket`, then `terraform plan` to find the gaps in your config.

  • Setting up CI with locked provider versions

    Before adding a new CI runner, you run `terraform providers lock -platform=linux_amd64 -platform=darwin_amd64` so the lock file covers both macOS devs and Linux CI. No more "provider not found" on the first pipeline run.

Common pitfalls

  • Running `terraform apply` without `-out` in CI means the plan and apply may differ if infra changes between the two steps. Always `plan -out=plan.tfplan` then `apply plan.tfplan`.

  • `terraform state rm` removes a resource from state but does NOT delete it in the cloud. Use it only when you want Terraform to forget a resource, not when you want to delete it.

  • Using `terraform destroy` instead of `-target` removes ALL resources in the workspace. Prefer `terraform destroy -target=<address>` for surgical teardowns.

Privacy

Everything runs in your browser. The command list is a static in-memory array. The search box, category chips, and copy button never make a network request. Nothing you type is logged or sent anywhere, and the search query is not written to the URL. The sheet works offline, on an air-gapped CI runner, or behind a corporate proxy — which is exactly where DevOps teams tend to need Terraform references the most.

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Made by Toolora · 100% client-side · Updated 2026-07-01