Terraform CLI
The Terraform CLI is a command-line tool that enables you to define, manage, and interact with your infrastructure.
It works by reading all the HCL files in your project and synthesizing them to create a predicted state based on the configuration given.
When you choose to apply the changes, Terraform builds a dependency graph from your configuration to determine the correct order of operations.
Installing the Terraform CLI
Section titled “Installing the Terraform CLI”Before we can use the Terraform CLI, we need to install it. The easiest way to do this is to download the appropriate package for your operating system from the official Terraform website, and then extract it to a location in your PATH environment variable. Once installed, you can verify that the Terraform CLI is available by running the following command:
terraform versionIf the command is successful, you should see the version number of the Terraform CLI printed to the console.
Initializing a project
Section titled “Initializing a project”Once you have installed the Terraform CLI, the next step is to initialize a Terraform project. This is done by running the terraform init command in the root directory of your Terraform project. This command downloads any necessary plugins and sets up the backend for storing the Terraform state.
terraform initCreating and Managing Infrastructure Resources
Section titled “Creating and Managing Infrastructure Resources”With the Terraform CLI initialized, we can start creating and managing infrastructure resources. To create a new resource, we use a Terraform configuration file in HashiCorp Configuration Language (HCL) format. Here’s an example configuration file that creates an Amazon S3 bucket:
resource "aws_s3_bucket" "example" { # S3 buckets are private by default bucket = "my-bucket"}To create the resource, we use the terraform apply command:
terraform applyThis command shows the changes that Terraform will make to the infrastructure and prompts us to confirm the changes before they are made.
To update a resource, modify its attributes in the configuration file and re-run terraform apply. To delete a resource, remove it from the configuration and run terraform apply — Terraform will detect the removal and destroy the resource. Alternatively, use terraform destroy to tear down all managed resources.
Common Terraform CLI Commands and Options
Section titled “Common Terraform CLI Commands and Options”Here are some of the most commonly used Terraform CLI commands and options:
| Command | Description |
|---|---|
terraform plan | Shows the changes that Terraform will make to the infrastructure without actually making any changes. |
terraform apply | Applies the changes to the infrastructure. |
terraform destroy | Destroys all resources managed by Terraform. |
terraform state | Allows you to view and manage the Terraform state. |
terraform workspace | Allows you to create and manage Terraform workspaces. |
Some common options that can be used with these commands include -var to specify input variables, -target to apply changes to a specific resource, and -parallelism to set the number of parallel resource creations and updates.
You can see more details on the available commands here.
Saved Plan Files
Section titled “Saved Plan Files”When you run terraform plan, Terraform calculates the changes and displays them in the terminal. By default, this plan only exists in memory — if you then run terraform apply, Terraform recalculates the plan from scratch. In most cases this produces the same result, but the configuration, state, or cloud environment could change between the two commands.
The -out flag on terraform plan writes the plan to a binary file so you can apply that exact set of changes later:
terraform plan -out=tfplanThis creates a file called tfplan in the current directory. To apply it, pass the file path to terraform apply instead of letting Terraform generate a new plan:
terraform apply tfplanWhen you apply a saved plan file, Terraform skips the confirmation prompt because the plan has already been reviewed.
Why This Matters for CI/CD
Section titled “Why This Matters for CI/CD”In a CI/CD pipeline, the plan and apply steps typically run at different times. A common workflow looks like this:
- A pipeline step runs
terraform plan -out=tfplanand stores the plan file as an artifact. - A team member reviews the plan output.
- After approval, a separate pipeline step runs
terraform apply tfplan.
Without a saved plan file, the apply step would generate a new plan that might differ from what was reviewed — for example, if someone merged another change or a cloud resource was modified between steps. Using a saved plan file guarantees that the exact changes shown during review are the changes that get applied.
Plan File Security
Section titled “Plan File Security”Saved plan files are binary files that contain a full snapshot of the configuration, variables, and state at the time the plan was created. This means they can include sensitive values such as database passwords, API keys, and other secrets that appear in your variables or state.
Treat plan files the same way you would treat state files: do not commit them to version control, restrict access to the storage location where they are kept, and delete them after they have been applied. Add *.tfplan and tfplan to your .gitignore to avoid accidental commits.
Conclusion
Section titled “Conclusion”In this section we have discussed the setup required to use the Terraform CLI and introduced the typical workflow used by developers with Terraform: init, plan and apply.