Complete Terraform Tutorial Part – 3 – Terraform CLI

Complete Terraform Tutorial Part – 3 – Terraform CLI

Leave a Comment / Cloud, DevOps, Release and Operation / By

As part of or Complete Terraform Tutorial, this is Part -3 explaining about Terraform CLI. Terraform platform can be easily accessible from the Command Line Interface. Terraform CLI is the most powerful and efficient way to access the Terraform. Terraform CLI can be vastly used for automating with operating system native scripts (Shell, PowerShell, etc). In this article, we will see the detailed commands of Terraform CLI as 3rd part of Complete Terraform Tutorial.

So Far!

This is Part – 3 of the Complete Terraform Tutorial Series. Before taking this, We recommend you to take a look at the Part -2 and Part -1

Complete Terraform Tutorial Part – 2 – Terraform Configuration File.

Detailed explanation on How the Terraform Configuration File is written with example.

Link to Part – 2

Terraform CLI Configuration File.

Terraform CLI Configuration file is different from the Infrastructure Configuration which we are going to make after this. This basically stores the following Parameter.

  • credentials If you are using Terraform Cloud or Terraform Enterprise, Your Terraform CLI should be authorized to manipulate the Terraform Platform. Hence, we have Credentials that will store the user or team token which will identify and authorize.
  • credentials_helper If your credentials are stored in another platform, the Credential helper will run some external program and retrieve the token.
  • disable_checkpoint Setting ‘true’ or ‘false’ will enable/disable the terraform CLI to check updates from Hashicorp server
  • disable_checkpoint_signature– By setting‘true’ or ‘false’ will enable/disable the terraform CLI to check updates Hashicorp server and, it will disable duplicate warning messages.
  • plugin_cache_dir If plugin used for Terraform CLI, then this will store the cache of the plugin in the mentioned directory

These are the parameters that needs to be mentioned in the Terraform CLI Configuration File.

the Location of the file will be placed in the relevant user who installed the Terraform. For example, If the user ‘foo’ installed the Terraform and operating the CLI, then the Terraform CLI Configuration file will be stored as .terraformrc file in the home of ‘foo’ user (/home/foo).

If you are using a windows machine, the Terraform CLI Configuration file will be stored as terraform.rc file in the relevant user’s %APPDATA% folder (C:\Users\foo\APPDATA).

Terraform Environment Variables

Just like the Terraform CLI Configuration files, we need to set some environment variables (default available). Some Important Environement variables are:

  • TF_CLI_CONFIG_FILE – We can override and define the path of Terraform CLI Configuration File. export TF_CLI_CONFIG_FILE="path/to/new /.terraformrc
  • TF_LOG – Enable Terraform Log y mentioning the path. export TF_LOG= TRACE. To disable, Leave empty
  • TF_LOG_PATH – This environment variable sets the path of Log file export TF_LOG_PATH=path/to/terraform.log
  • TF_INPUT – This is to enable/disable the user input while running the Terraform CLI. export TF_INPUT=false
  • TF_VAR_name – We can set the input variable of Terraform by adding the variable name in the last part of this. Eg, export TF_VAR_vm_ports=8080
  • TF_CLI_ARGS – We can set some default arguments with this. export TF_CLI_ARGS="-input=false" terraform apply -force will indirectly set all the time -input=false and -force argument in Terraform CLI.
  • TF_DATA_DIR – As we discussed in our previous part, data directory of Terraform Activity will be stored in default (.terraform) location. This will override the location export TF_DATA_DIR=path/to/TF/working/dir
  • TF_IN_AUTOMATION – we can disable the Terraform Automation (We will discuss it in our upcoming article) by not setting this value.
  • TF_REGISTRY_DISCOVERY_RETRY – This is to set the number of maximum retry for connecting the Terraform Registry. Eg, export TF_REGISTRY_DISCOVERY_RETRY=5.
  • TF_REGISTRY_CLIENT_TIMEOUT – Setting Timeout limit for Terraform connection to Platforms or Registry. Eg, export TF_REGISTRY_CLIENT_TIMEOUT=300

We can either set all the environment variables by one script or just run one by on in the current session of command line.

Terraform Commands

Now, Let see what are the commands that we are going to use in the Terraform CLI operation. Let’s start with the Basic commands.

Terraform Init

As the first command to run after Writing the Terraform Configuration File. We have some arguments for the terraform init command. Run the Terraform Command with -help, you will see the following output

$ terraform init -help
Usage: terraform init [options] [DIR]

  Initialize a new or existing Terraform working directory by creating
  initial files, loading any remote state, downloading modules, etc.

  This is the first command that should be run for any new or existing
  Terraform configuration per machine. This sets up all the local data
  necessary to run Terraform that is typically not committed to version
  control.

  This command is always safe to run multiple times. Though subsequent runs
  may give errors, this command will never delete your configuration or
  state. Even so, if you have important information, please back it up prior
  to running this command, just in case.

  If no arguments are given, the configuration in this working directory
  is initialized.

Options:

  -backend=true        Configure the backend for this configuration.

  -backend-config=path This can be either a path to an HCL file with key/value
                       assignments (same format as terraform.tfvars) or a
                       'key=value' format. This is merged with what is in the
                       configuration file. This can be specified multiple
                       times. The backend type must be in the configuration
                       itself.

  -force-copy          Suppress prompts about copying state data. This is
                       equivalent to providing a "yes" to all confirmation
                       prompts.

  -from-module=SOURCE  Copy the contents of the given module into the target
                       directory before initialization.

  -get=true            Download any modules for this configuration.

  -get-plugins=true    Download any missing plugins for this configuration.

  -input=true          Ask for input if necessary. If false, will error if
                       input was required.

  -lock=true           Lock the state file when locking is supported.

  -lock-timeout=0s     Duration to retry a state lock.

  -no-color            If specified, output won't contain any color.

  -plugin-dir          Directory containing plugin binaries. This overrides all
                       default search paths for plugins, and prevents the
                       automatic installation of plugins. This flag can be used
                       multiple times.

  -reconfigure         Reconfigure the backend, ignoring any saved
                       configuration.

  -upgrade=false       If installing modules (-get) or plugins (-get-plugins),
                       ignore previously-downloaded objects and install the
                       latest version allowed within configured constraints.

  -verify-plugins=true Verify the authenticity and integrity of automatically
                       downloaded plugins.

Terraform Plan

As we are creating the Infrastructure as Code, we need to make sure of our action before we execute anything. So, terraform CLI provides an option to check out plan of execution. To see the plan of execution, just run terraform plan followed by some arguments. This will show the plan of action like bellow.

$ terraform plan
...
+ aws_instance.digitalvarys
    ami:                         "ami-5a1f6d6c6w752"
    ...

Plan: 1 to add, 0 to change, 0 to destroy.

This command is having some arguments, you can see those by passing -help after the command and it will show the following output.

$ terraform plan -help
Usage: terraform plan [options] [DIR]

  Generates an execution plan for Terraform.

  This execution plan can be reviewed prior to running apply to get a
  sense for what Terraform will do. Optionally, the plan can be saved to
  a Terraform plan file, and apply can take this plan file to execute
  this plan exactly.

Options:

  -compact-warnings   If Terraform produces any warnings that are not
                      accompanied by errors, show them in a more compact form
                      that includes only the summary messages.

  -destroy            If set, a plan will be generated to destroy all resources
                      managed by the given configuration and state.

  -detailed-exitcode  Return detailed exit codes when the command exits. This
                      will change the meaning of exit codes to:
                      0 - Succeeded, diff is empty (no changes)
                      1 - Errored
                      2 - Succeeded, there is a diff

  -input=true         Ask for input for variables if not directly set.

  -lock=true          Lock the state file when locking is supported.

  -lock-timeout=0s    Duration to retry a state lock.

  -no-color           If specified, output won't contain any color.

  -out=path           Write a plan file to the given path. This can be used as
                      input to the "apply" command.

  -parallelism=n      Limit the number of concurrent operations. Defaults to 10.

  -refresh=true       Update state prior to checking for differences.

  -state=statefile    Path to a Terraform state file to use to look
                      up Terraform-managed resources. By default it will
                      use the state "terraform.tfstate" if it exists.

  -target=resource    Resource to target. Operation will be limited to this
                      resource and its dependencies. This flag can be used
                      multiple times.

  -var 'foo=bar'      Set a variable in the Terraform configuration. This
                      flag can be set multiple times.

  -var-file=foo       Set variables in the Terraform configuration from
                      a file. If "terraform.tfvars" or any ".auto.tfvars"
                      files are present, they will be automatically loaded.

Terraform apply

The terraform apply command is to apply the state of configuration made in the configuration file (.tf) or actions created by the previous command (terraform plan) to the respective providers. All you need to do is pass the command terraform apply.

Run the command with -help argument, you will get the detailed list of available arguments for the terraform apply. That will look like:

$ terraform apply -help
Usage: terraform apply [options] [DIR-OR-PLAN]

  Builds or changes infrastructure according to Terraform configuration
  files in DIR.

  By default, apply scans the current directory for the configuration
  and applies the changes appropriately. However, a path to another
  configuration or an execution plan can be provided. Execution plans can be
  used to only execute a pre-determined set of actions.

Options:

  -auto-approve          Skip interactive approval of plan before applying.

  -backup=path           Path to backup the existing state file before
                         modifying. Defaults to the "-state-out" path with
                         ".backup" extension. Set to "-" to disable backup.

  -compact-warnings      If Terraform produces any warnings that are not
                         accompanied by errors, show them in a more compact
                         form that includes only the summary messages.

  -lock=true             Lock the state file when locking is supported.

  -lock-timeout=0s       Duration to retry a state lock.

  -input=true            Ask for input for variables if not directly set.

  -no-color              If specified, output won't contain any color.

  -parallelism=n         Limit the number of parallel resource operations.
                         Defaults to 10.

  -refresh=true          Update state prior to checking for differences. This
                         has no effect if a plan file is given to apply.

  -state=path            Path to read and save state (unless state-out
                         is specified). Defaults to "terraform.tfstate".

  -state-out=path        Path to write state to that is different than
                         "-state". This can be used to preserve the old
                         state.

  -target=resource       Resource to target. Operation will be limited to this
                         resource and its dependencies. This flag can be used
                         multiple times.

  -var 'foo=bar'         Set a variable in the Terraform configuration. This
                         flag can be set multiple times.

  -var-file=foo          Set variables in the Terraform configuration from
                         a file. If "terraform.tfvars" or any ".auto.tfvars"
                         files are present, they will be automatically loaded.

Terraform Destroy

If you want to delete the infrastructure you created by the terraform, you can pass the Terraform CLI command terraform destroy. For more arguments with the terraform destroy, run -help argument.

$ terraform destroy -help
Usage: terraform destroy [options] [DIR]

  Destroy Terraform-managed infrastructure.

Options:

  -backup=path           Path to backup the existing state file before
                         modifying. Defaults to the "-state-out" path with
                         ".backup" extension. Set to "-" to disable backup.

  -auto-approve          Skip interactive approval before destroying.

  -force                 Deprecated: same as auto-approve.

  -lock=true             Lock the state file when locking is supported.

  -lock-timeout=0s       Duration to retry a state lock.

  -no-color              If specified, output won't contain any color.

  -parallelism=n         Limit the number of concurrent operations.
                         Defaults to 10.

  -refresh=true          Update state prior to checking for differences. This
                         has no effect if a plan file is given to apply.

  -state=path            Path to read and save state (unless state-out
                         is specified). Defaults to "terraform.tfstate".

  -state-out=path        Path to write state to that is different than
                         "-state". This can be used to preserve the old
                         state.

  -target=resource       Resource to target. Operation will be limited to this
                         resource and its dependencies. This flag can be used
                         multiple times.

  -var 'foo=bar'         Set a variable in the Terraform configuration. This
                         flag can be set multiple times.

  -var-file=foo          Set variables in the Terraform configuration from
                         a file. If "terraform.tfvars" or any ".auto.tfvars"
                         files are present, they will be automatically loaded.

Just like how the terraform plan will show the preview of terraform apply, if you pass terraform plan -destroy, you can see the preview of terraform destroy.

Terraform Import

As we know Terraform is so modular and we can reuse modules and components to make our Infrastructure as code easier. So, we can use terraform import to use the existing resources from the respective terraform platform.

Terraform validate

The terraform validate command is to validate the configuration file (.tf) created in the present directory. This is just the validation process of syntax and consistency of the configuration file.

Terraform Login

To get the API token from the Terraform Enterprise or from Terraform Cloud or from the machine where the Terraform services are hosted, use terraform login command. By default, Terraform will store the API token fetched by this command in the credentials.tfrc.json file in the users home directory (/home/user/.terraform.d/credentials.tfrc.json). you need to pass terraform login [hostname] to get the API token from the respective host. If you are not passing the respective hostname, then it will fetch API token from app.terraform.io

Terraform Logout

To remove or purge the API token created by the terraform login, we can use terraform logout. Here also, you can specify the hostname to delete the API token of the respective host. If not, it will delete the token fetched from app.terraform.io as it is default.

Terraform get

To download and update the modules used in the root module, we can use terraform get [options] to do the same. In order to update the downloaded modules, we can use terraform get -update. Also, we can pass the directory path to the root directory if it is not in the current Terraform CLI execution path.

Terraform Providers

The terraform providers are a command in Terraform CLI which will print the list of providers mentioned in the terraform configuration file (.tf).

Terraform graph

To view the configurations or plan of execution in the graphical view, we can use terraform graph command in the terraform CLI. More options of this command can be seen by running the -help argument with this command. i.e, terraform graph -help and it will show the following output.

$ terraform graph -help
Usage: terraform graph [options] [DIR]

  Outputs the visual execution graph of Terraform resources according to
  configuration files in DIR (or the current directory if omitted).

  The graph is outputted in DOT format. The typical program that can
  read this format is GraphViz, but many web services are also available
  to read this format.

  The -type flag can be used to control the type of graph shown. Terraform
  creates different graphs for different operations. See the options below
  for the list of types supported. The default type is "plan" if a
  configuration is given, and "apply" if a plan file is passed as an
  argument.

Options:

  -draw-cycles     Highlight any cycles in the graph with colored edges.
                   This helps when diagnosing cycle errors.

  -type=plan       Type of graph to output. Can be: plan, plan-destroy, apply,
                   validate, input, refresh.

  -module-depth=n  (deprecated) In prior versions of Terraform, specified the
                                   depth of modules to show in the output.

Terraform Console

Just like python or Mysql Interactive consoles, Terraform CLI is having the facility to experiment with the expressions of the Terraform configuration file. To use it, enter terraform console [option] to activate the terraform Console. To know more options of terraform console, pass the -help argument to know more options of the command.

$ terraform console -help
Usage: terraform console [options] [DIR]

  Starts an interactive console for experimenting with Terraform
  interpolations.

  This will open an interactive console that you can use to type
  interpolations into and inspect their values. This command loads the
  current state. This lets you explore and test interpolations before
  using them in future configurations.

  This command will never modify your state.

  DIR can be set to a directory with a Terraform state to load. By
  default, this will default to the current working directory.

Options:

  -state=path            Path to read state. Defaults to "terraform.tfstate"

  -var 'foo=bar'         Set a variable in the Terraform configuration. This
                         flag can be set multiple times.

  -var-file=foo          Set variables in the Terraform configuration from
                         a file. If "terraform.tfvars" or any ".auto.tfvars"
                         files are present, they will be automatically loaded.

Terraform State

Terraform will store the record of the infrastructure created right after the terraform apply command. This will be stored in the file called terraform.tfstate. This will have the present state of the infrastructure created by terraform apply. So, we have special and advanced command in terraform CLI called terraform state. We will discuss more in detail about Terraform State in our upcoming article. To know more options of this command, pass -help argument which will show the following output

$ terraform state -help
Usage: terraform state <subcommand> [options] [args]

  This command has subcommands for advanced state management.

  These subcommands can be used to slice and dice the Terraform state.
  This is sometimes necessary in advanced cases. For your safety, all
  state management commands that modify the state create a timestamped
  backup of the state prior to making modifications.

  The structure and output of the commands is specifically tailored to work
  well with the common Unix utilities such as grep, awk, etc. We recommend
  using those tools to perform more advanced state tasks.

Subcommands:
    list    List resources in the state
    mv      Move an item in the state
    pull    Pull current state and output to stdout
    push    Update remote state from a local state file
    rm      Remove instances from the state
    show    Show a resource in the state

Terraform Show

We can see the human-readable information of the state file or the plan file of the terraform by passing terraform show command. We have more useful options with this command. To know those, pass -help argument with this command and you will get the following output.

$ terraform show -help
Usage: terraform show [options] [path]

  Reads and outputs a Terraform state or plan file in a human-readable
  form. If no path is specified, the current state will be shown.

Options:

  -no-color           If specified, output won't contain any color.
  -json               If specified, output the Terraform plan or state in
                      a machine-readable form.

Terraform Output

To see the exact variable in the terraform state file, run the command terraform output with the name of the variable. Like, terraform output [name]. Along with this, we have many options. To know that, pass -help argument along with this command and you will get the following output.

$ terraform output -help
Usage: terraform output [options] [NAME]

  Reads an output variable from a Terraform state file and prints
  the value. With no additional arguments, output will display all
  the outputs for the root module.  If NAME is not specified, all
  outputs are printed.

Options:

  -state=path      Path to the state file to read. Defaults to
                   "terraform.tfstate".

  -no-color        If specified, output won't contain any color.

  -json            If specified, machine readable output will be
                   printed in JSON format

Terraform Refresh

Once after the terraform state file created, The Infrastructure can be changed or modified. But the State file of the Terraform will not know about the change of the infrastructure. So, we have an option called terraform refresh which will get the current information of the Real infrastructure and store it in the terraform state file. This command considered one of the useful command. So, it has many useful options. To know those, pass -help argument with the command and you will get the following output.

$ terraform refresh -help
Usage: terraform refresh [options] [dir]

  Update the state file of your infrastructure with metadata that matches
  the physical resources they are tracking.

  This will not modify your infrastructure, but it can modify your
  state file to update metadata. This metadata might cause new changes
  to occur when you generate a plan or call apply next.

Options:

  -backup=path        Path to backup the existing state file before
                      modifying. Defaults to the "-state-out" path with
                      ".backup" extension. Set to "-" to disable backup.

  -compact-warnings   If Terraform produces any warnings that are not
                      accompanied by errors, show them in a more compact form
                      that includes only the summary messages.

  -input=true         Ask for input for variables if not directly set.

  -lock=true          Lock the state file when locking is supported.

  -lock-timeout=0s    Duration to retry a state lock.

  -no-color           If specified, output won't contain any color.

  -state=path         Path to read and save state (unless state-out
                      is specified). Defaults to "terraform.tfstate".

  -state-out=path     Path to write updated state file. By default, the
                      "-state" path will be used.

  -target=resource    Resource to target. Operation will be limited to this
                      resource and its dependencies. This flag can be used
                      multiple times.

  -var 'foo=bar'      Set a variable in the Terraform configuration. This
                      flag can be set multiple times.

  -var-file=foo       Set variables in the Terraform configuration from
                      a file. If "terraform.tfvars" or any ".auto.tfvars"
                      files are present, they will be automatically loaded.

Terraform workspace.

The terraform workspace will have persistent data such as state file, plan file, environment variables, and more. So, we have terraform wokspace command to manage the workspace. Just like the terraform state, the workspace has many options like, creating new item, delete, show and more. To know the options, pass -help argument with the command and it will show the following output.

$ terraform workspace -help
Usage: terraform workspace

  new, list, show, select and delete Terraform workspaces.

Subcommands:
    delete    Delete a workspace
    list      List Workspaces
    new       Create a new workspace
    select    Select a workspace
    show      Show the name of the current workspace

Terraform Taint

Terraform Taint command will mark the particular resource as tainted so that it will be destroyed when we run the next terraform apply. This will only modify the state file but not the actual infrastructure. This command is used as terraform taint [address-of-resource]. Along with this command, we have many options available. To see those, pass -help argument with the command and you will get the following output

$ terraform taint -help
Usage: terraform taint [options] <address>

  Manually mark a resource as tainted, forcing a destroy and recreate
  on the next plan/apply.

  This will not modify your infrastructure. This command changes your
  state to mark a resource as tainted so that during the next plan or
  apply that resource will be destroyed and recreated. This command on
  its own will not modify infrastructure. This command can be undone
  using the "terraform untaint" command with the same address.

  The address is in the usual resource address syntax, as shown in
  the output from other commands, such as:
    aws_instance.foo
    aws_instance.bar[1]
    module.foo.module.bar.aws_instance.baz

Options:

  -allow-missing      If specified, the command will succeed (exit code 0)
                      even if the resource is missing.

  -backup=path        Path to backup the existing state file before
                      modifying. Defaults to the "-state-out" path with
                      ".backup" extension. Set to "-" to disable backup.

  -lock=true          Lock the state file when locking is supported.

  -lock-timeout=0s    Duration to retry a state lock.

  -state=path         Path to read and save state (unless state-out
                      is specified). Defaults to "terraform.tfstate".

  -state-out=path     Path to write updated state file. By default, the
                      "-state" path will be used.

Terraform untaint

To undo the terraform taint command, we have a command called terraform untaint [address-of-resource]. So, the additional options of this command are exactly the same as the terraform taint command.

Conclusion

In this article, we discussed Terraform CLI and the options of it. This is the third part of the Complete Terraform Tutorial series of DigitalVarys. In our upcoming article, we will discuss more on Terraform State, Modules, and more features as parts of our complete terraform tutorial. Stay tuned and subscribe DigitalVarys for more articles and study materials on DevOpsAgileDevSecOps and App Development.

Leave a Reply