As part of or Complete Terraform Tutorial, this is Part -3 explaining about Terraform CLI. Terraform platform can be easily accessible from the Command Line Interface. Terraform CLI is the most powerful and efficient way to access the Terraform. Terraform CLI can be vastly used for automating with operating system native scripts (Shell, PowerShell, etc). In this article, we will see the detailed commands of Terraform CLI as 3rd part of Complete Terraform Tutorial.
Table of Contents
So Far!
This is Part – 3 of the Complete Terraform Tutorial Series. Before taking this, We recommend you to take a look at the Part -2 and Part -1
Complete Terraform Tutorial Part – 2 – Terraform Configuration File.
Detailed explanation on How the Terraform Configuration File is written with example.
Terraform CLI Configuration File.
Terraform CLI Configuration file is different from the Infrastructure Configuration which we are going to make after this. This basically stores the following Parameter.
These are the parameters that needs to be mentioned in the Terraform CLI Configuration File.
the Location of the file will be placed in the relevant user who installed the Terraform. For example, If the user ‘foo
’ installed the Terraform and operating the CLI, then the Terraform CLI Configuration file will be stored as .terraformrc
file in the home of ‘foo
’ user (/home/foo
).
If you are using a windows machine, the Terraform CLI Configuration file will be stored as terraform.rc
file in the relevant user’s %APPDATA%
folder (C:\Users\foo\APPDATA
).
Terraform Environment Variables
Just like the Terraform CLI Configuration files, we need to set some environment variables (default available). Some Important Environement variables are:
We can either set all the environment variables by one script or just run one by on in the current session of command line.
Terraform Commands
Now, Let see what are the commands that we are going to use in the Terraform CLI operation. Let’s start with the Basic commands.
Terraform Init
As the first command to run after Writing the Terraform Configuration File. We have some arguments for the terraform init
command. Run the Terraform Command with -help
, you will see the following output
$ terraform init -help Usage: terraform init [options] [DIR] Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. This is the first command that should be run for any new or existing Terraform configuration per machine. This sets up all the local data necessary to run Terraform that is typically not committed to version control. This command is always safe to run multiple times. Though subsequent runs may give errors, this command will never delete your configuration or state. Even so, if you have important information, please back it up prior to running this command, just in case. If no arguments are given, the configuration in this working directory is initialized. Options: -backend=true Configure the backend for this configuration. -backend-config=path This can be either a path to an HCL file with key/value assignments (same format as terraform.tfvars) or a 'key=value' format. This is merged with what is in the configuration file. This can be specified multiple times. The backend type must be in the configuration itself. -force-copy Suppress prompts about copying state data. This is equivalent to providing a "yes" to all confirmation prompts. -from-module=SOURCE Copy the contents of the given module into the target directory before initialization. -get=true Download any modules for this configuration. -get-plugins=true Download any missing plugins for this configuration. -input=true Ask for input if necessary. If false, will error if input was required. -lock=true Lock the state file when locking is supported. -lock-timeout=0s Duration to retry a state lock. -no-color If specified, output won't contain any color. -plugin-dir Directory containing plugin binaries. This overrides all default search paths for plugins, and prevents the automatic installation of plugins. This flag can be used multiple times. -reconfigure Reconfigure the backend, ignoring any saved configuration. -upgrade=false If installing modules (-get) or plugins (-get-plugins), ignore previously-downloaded objects and install the latest version allowed within configured constraints. -verify-plugins=true Verify the authenticity and integrity of automatically downloaded plugins.
Terraform Plan
As we are creating the Infrastructure as Code, we need to make sure of our action before we execute anything. So, terraform CLI provides an option to check out plan of execution. To see the plan of execution, just run terraform plan
followed by some arguments. This will show the plan of action like bellow.
$ terraform plan ... + aws_instance.digitalvarys ami: "ami-5a1f6d6c6w752" ... Plan: 1 to add, 0 to change, 0 to destroy.
This command is having some arguments, you can see those by passing -help
after the command and it will show the following output.
$ terraform plan -help Usage: terraform plan [options] [DIR] Generates an execution plan for Terraform. This execution plan can be reviewed prior to running apply to get a sense for what Terraform will do. Optionally, the plan can be saved to a Terraform plan file, and apply can take this plan file to execute this plan exactly. Options: -compact-warnings If Terraform produces any warnings that are not accompanied by errors, show them in a more compact form that includes only the summary messages. -destroy If set, a plan will be generated to destroy all resources managed by the given configuration and state. -detailed-exitcode Return detailed exit codes when the command exits. This will change the meaning of exit codes to: 0 - Succeeded, diff is empty (no changes) 1 - Errored 2 - Succeeded, there is a diff -input=true Ask for input for variables if not directly set. -lock=true Lock the state file when locking is supported. -lock-timeout=0s Duration to retry a state lock. -no-color If specified, output won't contain any color. -out=path Write a plan file to the given path. This can be used as input to the "apply" command. -parallelism=n Limit the number of concurrent operations. Defaults to 10. -refresh=true Update state prior to checking for differences. -state=statefile Path to a Terraform state file to use to look up Terraform-managed resources. By default it will use the state "terraform.tfstate" if it exists. -target=resource Resource to target. Operation will be limited to this resource and its dependencies. This flag can be used multiple times. -var 'foo=bar' Set a variable in the Terraform configuration. This flag can be set multiple times. -var-file=foo Set variables in the Terraform configuration from a file. If "terraform.tfvars" or any ".auto.tfvars" files are present, they will be automatically loaded.
Terraform apply
The terraform apply
command is to apply the state of configuration made in the configuration file (.tf
) or actions created by the previous command (terraform plan
) to the respective providers. All you need to do is pass the command terraform apply
.
Run the command with -help
argument, you will get the detailed list of available arguments for the terraform apply. That will look like:
$ terraform apply -help Usage: terraform apply [options] [DIR-OR-PLAN] Builds or changes infrastructure according to Terraform configuration files in DIR. By default, apply scans the current directory for the configuration and applies the changes appropriately. However, a path to another configuration or an execution plan can be provided. Execution plans can be used to only execute a pre-determined set of actions. Options: -auto-approve Skip interactive approval of plan before applying. -backup=path Path to backup the existing state file before modifying. Defaults to the "-state-out" path with ".backup" extension. Set to "-" to disable backup. -compact-warnings If Terraform produces any warnings that are not accompanied by errors, show them in a more compact form that includes only the summary messages. -lock=true Lock the state file when locking is supported. -lock-timeout=0s Duration to retry a state lock. -input=true Ask for input for variables if not directly set. -no-color If specified, output won't contain any color. -parallelism=n Limit the number of parallel resource operations. Defaults to 10. -refresh=true Update state prior to checking for differences. This has no effect if a plan file is given to apply. -state=path Path to read and save state (unless state-out is specified). Defaults to "terraform.tfstate". -state-out=path Path to write state to that is different than "-state". This can be used to preserve the old state. -target=resource Resource to target. Operation will be limited to this resource and its dependencies. This flag can be used multiple times. -var 'foo=bar' Set a variable in the Terraform configuration. This flag can be set multiple times. -var-file=foo Set variables in the Terraform configuration from a file. If "terraform.tfvars" or any ".auto.tfvars" files are present, they will be automatically loaded.
Terraform Destroy
If you want to delete the infrastructure you created by the terraform, you can pass the Terraform CLI command terraform destroy
. For more arguments with the terraform destroy, run -help
argument.
$ terraform destroy -help Usage: terraform destroy [options] [DIR] Destroy Terraform-managed infrastructure. Options: -backup=path Path to backup the existing state file before modifying. Defaults to the "-state-out" path with ".backup" extension. Set to "-" to disable backup. -auto-approve Skip interactive approval before destroying. -force Deprecated: same as auto-approve. -lock=true Lock the state file when locking is supported. -lock-timeout=0s Duration to retry a state lock. -no-color If specified, output won't contain any color. -parallelism=n Limit the number of concurrent operations. Defaults to 10. -refresh=true Update state prior to checking for differences. This has no effect if a plan file is given to apply. -state=path Path to read and save state (unless state-out is specified). Defaults to "terraform.tfstate". -state-out=path Path to write state to that is different than "-state". This can be used to preserve the old state. -target=resource Resource to target. Operation will be limited to this resource and its dependencies. This flag can be used multiple times. -var 'foo=bar' Set a variable in the Terraform configuration. This flag can be set multiple times. -var-file=foo Set variables in the Terraform configuration from a file. If "terraform.tfvars" or any ".auto.tfvars" files are present, they will be automatically loaded.
Just like how the terraform plan will show the preview of terraform apply
, if you pass terraform plan -destroy
, you can see the preview of terraform destroy
.
Terraform Import
As we know Terraform is so modular and we can reuse modules and components to make our Infrastructure as code easier. So, we can use terraform import
to use the existing resources from the respective terraform platform.
Terraform validate
The terraform validate
command is to validate the configuration file (.tf
) created in the present directory. This is just the validation process of syntax and consistency of the configuration file.
Terraform Login
To get the API token from the Terraform Enterprise or from Terraform Cloud or from the machine where the Terraform services are hosted, use terraform login command. By default, Terraform will store the API token fetched by this command in the credentials.tfrc.json file in the users home directory (/home/user/.terraform.d/credentials.tfrc.json
). you need to pass terraform login [hostname]
to get the API token from the respective host. If you are not passing the respective hostname, then it will fetch API token from app.terraform.io
Terraform Logout
To remove or purge the API token created by the terraform login
, we can use terraform logout
. Here also, you can specify the hostname to delete the API token of the respective host. If not, it will delete the token fetched from app.terraform.io
as it is default.
Terraform get
To download and update the modules used in the root module, we can use terraform get [options]
to do the same. In order to update the downloaded modules, we can use terraform get -update
. Also, we can pass the directory path to the root directory if it is not in the current Terraform CLI execution path.
Terraform Providers
The terraform providers
are a command in Terraform CLI which will print the list of providers mentioned in the terraform configuration file (.tf
).
Terraform graph
To view the configurations or plan of execution in the graphical view, we can use terraform graph
command in the terraform CLI. More options of this command can be seen by running the -help
argument with this command. i.e, terraform graph -help
and it will show the following output.
$ terraform graph -help Usage: terraform graph [options] [DIR] Outputs the visual execution graph of Terraform resources according to configuration files in DIR (or the current directory if omitted). The graph is outputted in DOT format. The typical program that can read this format is GraphViz, but many web services are also available to read this format. The -type flag can be used to control the type of graph shown. Terraform creates different graphs for different operations. See the options below for the list of types supported. The default type is "plan" if a configuration is given, and "apply" if a plan file is passed as an argument. Options: -draw-cycles Highlight any cycles in the graph with colored edges. This helps when diagnosing cycle errors. -type=plan Type of graph to output. Can be: plan, plan-destroy, apply, validate, input, refresh. -module-depth=n (deprecated) In prior versions of Terraform, specified the depth of modules to show in the output.
Terraform Console
Just like python or Mysql Interactive consoles, Terraform CLI is having the facility to experiment with the expressions of the Terraform configuration file. To use it, enter terraform console [option]
to activate the terraform Console
. To know more options of terraform console, pass the -help
argument to know more options of the command.
$ terraform console -help Usage: terraform console [options] [DIR] Starts an interactive console for experimenting with Terraform interpolations. This will open an interactive console that you can use to type interpolations into and inspect their values. This command loads the current state. This lets you explore and test interpolations before using them in future configurations. This command will never modify your state. DIR can be set to a directory with a Terraform state to load. By default, this will default to the current working directory. Options: -state=path Path to read state. Defaults to "terraform.tfstate" -var 'foo=bar' Set a variable in the Terraform configuration. This flag can be set multiple times. -var-file=foo Set variables in the Terraform configuration from a file. If "terraform.tfvars" or any ".auto.tfvars" files are present, they will be automatically loaded.
Terraform State
Terraform will store the record of the infrastructure created right after the terraform apply command. This will be stored in the file called terraform.tfstate
. This will have the present state of the infrastructure created by terraform apply
. So, we have special and advanced command in terraform CLI called terraform state
. We will discuss more in detail about Terraform State in our upcoming article. To know more options of this command, pass -help
argument which will show the following output
$ terraform state -help Usage: terraform state <subcommand> [options] [args] This command has subcommands for advanced state management. These subcommands can be used to slice and dice the Terraform state. This is sometimes necessary in advanced cases. For your safety, all state management commands that modify the state create a timestamped backup of the state prior to making modifications. The structure and output of the commands is specifically tailored to work well with the common Unix utilities such as grep, awk, etc. We recommend using those tools to perform more advanced state tasks. Subcommands: list List resources in the state mv Move an item in the state pull Pull current state and output to stdout push Update remote state from a local state file rm Remove instances from the state show Show a resource in the state
Terraform Show
We can see the human-readable information of the state file or the plan file of the terraform by passing terraform show
command. We have more useful options with this command. To know those, pass -help
argument with this command and you will get the following output.
$ terraform show -help Usage: terraform show [options] [path] Reads and outputs a Terraform state or plan file in a human-readable form. If no path is specified, the current state will be shown. Options: -no-color If specified, output won't contain any color. -json If specified, output the Terraform plan or state in a machine-readable form.
Terraform Output
To see the exact variable in the terraform state file, run the command terraform output with the name of the variable. Like, terraform output [name]
. Along with this, we have many options. To know that, pass -help
argument along with this command and you will get the following output.
$ terraform output -help Usage: terraform output [options] [NAME] Reads an output variable from a Terraform state file and prints the value. With no additional arguments, output will display all the outputs for the root module. If NAME is not specified, all outputs are printed. Options: -state=path Path to the state file to read. Defaults to "terraform.tfstate". -no-color If specified, output won't contain any color. -json If specified, machine readable output will be printed in JSON format
Terraform Refresh
Once after the terraform state file created, The Infrastructure can be changed or modified. But the State file of the Terraform will not know about the change of the infrastructure. So, we have an option called terraform refresh
which will get the current information of the Real infrastructure and store it in the terraform state file. This command considered one of the useful command. So, it has many useful options. To know those, pass -help
argument with the command and you will get the following output.
$ terraform refresh -help Usage: terraform refresh [options] [dir] Update the state file of your infrastructure with metadata that matches the physical resources they are tracking. This will not modify your infrastructure, but it can modify your state file to update metadata. This metadata might cause new changes to occur when you generate a plan or call apply next. Options: -backup=path Path to backup the existing state file before modifying. Defaults to the "-state-out" path with ".backup" extension. Set to "-" to disable backup. -compact-warnings If Terraform produces any warnings that are not accompanied by errors, show them in a more compact form that includes only the summary messages. -input=true Ask for input for variables if not directly set. -lock=true Lock the state file when locking is supported. -lock-timeout=0s Duration to retry a state lock. -no-color If specified, output won't contain any color. -state=path Path to read and save state (unless state-out is specified). Defaults to "terraform.tfstate". -state-out=path Path to write updated state file. By default, the "-state" path will be used. -target=resource Resource to target. Operation will be limited to this resource and its dependencies. This flag can be used multiple times. -var 'foo=bar' Set a variable in the Terraform configuration. This flag can be set multiple times. -var-file=foo Set variables in the Terraform configuration from a file. If "terraform.tfvars" or any ".auto.tfvars" files are present, they will be automatically loaded.
Terraform workspace.
The terraform workspace will have persistent data such as state file, plan file, environment variables, and more. So, we have terraform wokspace
command to manage the workspace. Just like the terraform state
, the workspace has many options like, creating new item, delete, show and more. To know the options, pass -help
argument with the command and it will show the following output.
$ terraform workspace -help Usage: terraform workspace new, list, show, select and delete Terraform workspaces. Subcommands: delete Delete a workspace list List Workspaces new Create a new workspace select Select a workspace show Show the name of the current workspace
Terraform Taint
Terraform Taint command will mark the particular resource as tainted so that it will be destroyed when we run the next terraform apply. This will only modify the state file but not the actual infrastructure. This command is used as terraform taint [address-of-resource]
. Along with this command, we have many options available. To see those, pass -help
argument with the command and you will get the following output
$ terraform taint -help Usage: terraform taint [options] <address> Manually mark a resource as tainted, forcing a destroy and recreate on the next plan/apply. This will not modify your infrastructure. This command changes your state to mark a resource as tainted so that during the next plan or apply that resource will be destroyed and recreated. This command on its own will not modify infrastructure. This command can be undone using the "terraform untaint" command with the same address. The address is in the usual resource address syntax, as shown in the output from other commands, such as: aws_instance.foo aws_instance.bar[1] module.foo.module.bar.aws_instance.baz Options: -allow-missing If specified, the command will succeed (exit code 0) even if the resource is missing. -backup=path Path to backup the existing state file before modifying. Defaults to the "-state-out" path with ".backup" extension. Set to "-" to disable backup. -lock=true Lock the state file when locking is supported. -lock-timeout=0s Duration to retry a state lock. -state=path Path to read and save state (unless state-out is specified). Defaults to "terraform.tfstate". -state-out=path Path to write updated state file. By default, the "-state" path will be used.
Terraform untaint
To undo the terraform taint command, we have a command called terraform untaint [address-of-resource].
So, the additional options of this command are exactly the same as the terraform taint
command.
Conclusion
In this article, we discussed Terraform CLI and the options of it. This is the third part of the Complete Terraform Tutorial series of DigitalVarys. In our upcoming article, we will discuss more on Terraform State, Modules, and more features as parts of our complete terraform tutorial. Stay tuned and subscribe DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps and App Development.
Experienced DevSecOps Practitioner, Tech Blogger, Expertise in Designing Solutions in Public and Private Cloud. Opensource Community Contributor.
Pingback: Terraform Modules - Complete Terraform Tutorial - Part- 5 - Digital Varys