Terraform CLI quick reference — init, plan, apply, state management, workspaces, import, and troubleshooting commands for daily IaC work.
Set up a working directory before anything else.
terraform init ## download providers, set up backend
terraform init -upgrade ## upgrade providers to latest allowed version
terraform init -reconfigure ## reinitialize backend without migrating state
terraform version ## Terraform + provider versions
terraform providers ## list providers required by this configParameter Breakdown:
-upgrade: Pulls newer provider versions within your version constraints-reconfigure: Use when switching backends without wanting to migrate existing stateinit after pulling changes that touch required_providersPreview and execute infrastructure changes.
terraform plan ## preview changes
terraform plan -out=tfplan ## save plan to apply later, exact match
terraform apply tfplan ## apply a saved plan, no prompt
terraform apply ## plan + prompt + apply in one step
terraform apply -auto-approve ## skip the confirmation prompt
terraform plan -var="environment=staging"
terraform plan -var-file="staging.tfvars"Parameter Breakdown:
-out=tfplan: Guarantees the exact reviewed plan is what gets applied — preferred for CI/CD-auto-approve: Only use in automated pipelines with proper review gates upstream-var-file: Loads multiple variables from a file instead of individual -var flagsInspect and manipulate the state file directly.
terraform state list ## list every resource in state
terraform state show aws_instance.orders_api
terraform state mv aws_instance.old aws_instance.new
terraform state rm aws_instance.orphaned ## remove from state, not from cloud
terraform state pull > backup.tfstate ## download remote state locally
terraform state push backup.tfstate ## upload local state to remote backendParameter Breakdown:
state rm: Only removes Terraform's tracking — the real resource keeps runningstate mv: Renames a resource in state without destroying and recreating itstate pull / push: Use for manual recovery — always back up before pushManage multiple environments from one configuration.
terraform workspace list
terraform workspace new staging
terraform workspace select staging
terraform workspace show ## current active workspace
terraform workspace delete stagingParameter Breakdown:
.tf files but keep separate state per environmentworkspace delete: Fails if the workspace still has resources tracked in its stateBring existing infrastructure under Terraform management.
terraform import aws_instance.orders_api i-0a1b2c3d4e5f67890
terraform import 'aws_s3_bucket.backups' razorpay-prod-backups
terraform plan ## verify config now matches imported stateParameter Breakdown:
.tf resource block yourselfplan immediately after import to confirm config and real infrastructure matchRead computed values and pass inputs in.
terraform output ## all outputs
terraform output vpc_id ## one specific output
terraform output -json ## machine-readable for scripting
terraform output -raw db_endpoint ## raw string, no quotes, for piping
export TF_VAR_environment=staging ## env var picked up automatically
terraform apply -var="instance_count=3"Parameter Breakdown:
TF_VAR_<name>: Environment variable prefix Terraform reads automatically — useful in CI/CD-json: Required if piping output into jq or another tool-raw: Strips quotes, ideal for shell variable assignmentCatch errors before you ever run plan.
terraform validate ## syntax and internal consistency check
terraform fmt ## auto-format files in current dir
terraform fmt -recursive ## format every .tf file in subdirectories
terraform fmt -check ## fail if formatting is needed, no changes made
terraform -version ## quick sanity check before running anythingParameter Breakdown:
validate: Does not check against the actual cloud provider — purely local consistencyfmt -check: The version to run in CI — fails the build instead of silently rewriting filesvalidate and fmt -check as pre-commit hooks to catch issues before a PRRemove infrastructure, fully or selectively.
terraform destroy ## destroy everything in this state
terraform destroy -target=aws_instance.orders_api
terraform plan -destroy ## preview what destroy would remove
terraform apply -target=aws_instance.orders_api ## apply changes to one resource onlyParameter Breakdown:
-target: Scopes the operation to one resource — useful for emergencies, not routine workflow-target use is a sign your configuration should be split into smaller modulesplan -destroy: Always preview before running a real destroy on shared infrastructureWhat to check when Terraform behaves unexpectedly.
## State lock stuck after a crashed run
terraform force-unlock LOCK_ID
## Provider version conflict
terraform init -upgrade
## Drift between state and real infrastructure
terraform plan -refresh-only
terraform apply -refresh-only
## Debug verbose provider/API calls
TF_LOG=DEBUG terraform plan 2> debug.logParameter Breakdown:
force-unlock: Only run this if you've confirmed no other apply is actually in progress-refresh-only: Updates state to match real infrastructure without proposing other changesTF_LOG=DEBUG: Floods output with provider API calls — redirect to a file, don't read it rawShortcuts worth knowing for daily use.
terraform plan -compact-warnings ## hide repetitive warning noise
terraform apply -parallelism=5 ## limit concurrent resource operations
terraform show -json tfplan | jq '.resource_changes[].address'
## List resources that would be destroyed in the next apply
terraform plan -out=tfplan && \
terraform show -json tfplan | \
jq -r '.resource_changes[] | select(.change.actions[]=="delete") | .address'