Link Search Menu Expand Document

Terraform Cheat Sheet

CLI Commands

terraform plan         # dry run
terraform apply
terraform apply -input=false -auto-approve tfplan           # applying previously create plan

terraform refresh      # sync state with remote resources
terraform show
terraform destroy

terraform validate     # validate .tf file

terraform taint        # mark resource for recreation
terraform untaint

terraform state push   # e.g. force push state to S3 bucket
terraform state pull > terraform.tfstate  # create a local state copy

terraform force-unlock <lock-id-guid>     # Clean up leftover locks from hard-cancelled run

Change verbosity by setting environment variable TF_LOG

export TF_LOG=INFO

For linting

 terraform fmt <file>           # reformat .tf file
 terraform fmt --check <file>   # check for correct formatting

Configuration via Environment

While most of the configuration should reside in .tfvars files you might want to inject some config values from environment like this:

 export TF_VAR_<my variable>=<my value>

Workspace Management

Terraform workspaces allow for the management of two or more different environments i.e. Dev or Prod separately without affecting the state of either environment.

terraform workspace new dev   
terraform workspace new test
terraform workspace new prod
terraform workspace select dev
terraform workspace select default  
terraform workspace select prod

More on using terraform workspaces as environments:

Managing Multi-Region Deployments

Recovering Lost State

One of the worst things that you happen is loosing the terraform state. In such a case you can

terraform import <address> <id>

# for example
terraform import aws_instance.myec2instance i-075c8d21cc91308dc

to let terraform reconstruct the resource state. Finally perform a

terraform state push

as import only imports into a local state file, even if you have an S3 bucket defined for keeping state!

To avoid this use S3 bucket with versioning enabled for keeping state.

Drift Management

Terraform doesn’t really do much drift management. Only some resource attributes are checked. All detected drift is fixed by “apply”.

Manually dump drift

terraform show >before
terraform refresh
terraform show >after
diff -u before after

Prevent auto-destroy:

 lifecycle {
    prevent_destroy = true

Remote Exec

provisioner "remote-exec" {
    inline = [
         "apt-get -y install wget",


resource "aws_iam_policy" "mypolicy" {
   name = "mypolicy"
   policy = <<EOF
    "Version": "2020-07-01",
    "Statement": ...


To create multiple resources use this construct

locals {
  settings = {
    "key1"  = { prop1 = "xxx", prop2 = false },
    "key2"   = { prop1 = "yyy", prop2 = true },

resource "myresourcetype" "map" {
  for_each      = local.settings

  name          = each.key
  prop1         = each.value.prop1
  prop2         = each.value.prop2
  prop3         = "some constant"

Bulk Imports

Check out