Complete Terraform Tutorial Part – 3 – Terraform CLI

As part of our Complete Terraform Tutorial, this is Part 3, which explains the Terraform CLI. The Terraform platform is easily accessible from the command line interface, and the Terraform CLI is the most powerful and efficient way to access Terraform. It is also widely used for automation with operating-system native scripts (Shell, PowerShell, etc.). In this article, we will go through the Terraform CLI commands in detail as the third part of the Complete Terraform Tutorial.

So Far!

This is Part 3 of the Complete Terraform Tutorial series. Before reading it, we recommend that you take a look at Part 2 and Part 1.

Complete Terraform Tutorial Part – 2 – Terraform Configuration File.

Detailed explanation on How the Terraform Configuration File is written with example.

Terraform CLI Configuration File

The Terraform CLI Configuration file is different from the infrastructure configuration that we are going to write after this. It stores the following parameters:

  • credentials – If you are using Terraform Cloud or Terraform Enterprise, your Terraform CLI must be authorized to operate on the Terraform platform. The credentials block stores the user or team token that identifies and authorizes the CLI.
  • credentials_helper – If your credentials are stored on another platform, the credentials helper runs an external program to retrieve the token.
  • disable_checkpoint – Set to 'true' or 'false' to control whether the Terraform CLI checks for updates from the HashiCorp server.
  • disable_checkpoint_signature – Set to 'true' or 'false' to control whether the Terraform CLI checks for updates from the HashiCorp server; it also disables duplicate warning messages.
  • plugin_cache_dir – If plugins are used with the Terraform CLI, their cache is stored in the directory given here.

These are the parameters that need to be set in the Terraform CLI Configuration file.

The file is located in the home directory of the user who installed Terraform. For example, if the user 'foo' installed Terraform and operates the CLI, the Terraform CLI Configuration file is stored as the .terraformrc file in the home directory of the 'foo' user (/home/foo).

If you are using a Windows machine, the Terraform CLI Configuration file is stored as the terraform.rc file in the relevant user's %APPDATA% folder (C:\Users\foo\APPDATA).

Terraform Environment Variables

Just like the Terraform CLI Configuration file, there are some environment variables (available by default) that we can set. Some important environment variables are:

  • TF_CLI_CONFIG_FILE – Overrides the path of the Terraform CLI Configuration file. export TF_CLI_CONFIG_FILE="path/to/new/.terraformrc"
  • TF_LOG – Enables Terraform logging at the given level. export TF_LOG=TRACE. To disable logging, leave it empty.
  • TF_LOG_PATH – Sets the path of the log file. export TF_LOG_PATH=path/to/terraform.log
  • TF_INPUT – Enables or disables user input while running the Terraform CLI. export TF_INPUT=false
  • TF_VAR_name – Sets a Terraform input variable; the variable name is the last part of the environment variable name. E.g., export TF_VAR_vm_ports=8080
  • TF_CLI_ARGS – Sets default arguments for the Terraform CLI. With export TF_CLI_ARGS="-input=false" set, running terraform apply -force is equivalent to running terraform apply -input=false -force every time.
  • TF_DATA_DIR – As we discussed in the previous part, the data directory of Terraform activity is stored in the default (.terraform) location. This variable overrides that location. export TF_DATA_DIR=path/to/TF/working/dir
  • TF_IN_AUTOMATION – We can disable Terraform automation (we will discuss it in an upcoming article) by not setting this value.
  • TF_REGISTRY_DISCOVERY_RETRY – Sets the maximum number of retries for connecting to the Terraform Registry. E.g., export TF_REGISTRY_DISCOVERY_RETRY=5
  • TF_REGISTRY_CLIENT_TIMEOUT – Sets the timeout limit for Terraform connections to platforms or the Registry. E.g., export TF_REGISTRY_CLIENT_TIMEOUT=300

We can either set all the environment variables with one script or set them one by one in the current command-line session.

Terraform Commands

Now, let's see the commands that we are going to use when operating the Terraform CLI. Let's start with the basic commands.

Terraform Init

terraform init is the first command to run after writing the Terraform configuration file. It accepts several arguments. Run it with -help and you will see the following output:

$ terraform init -help
Usage: terraform init [options] [DIR]

  Initialize a new or existing Terraform working directory by creating
  initial files, loading any remote state, downloading modules, etc.

  This is the first command that should be run for any new or existing
  Terraform configuration per machine. This sets up all the local data
  necessary to run Terraform that is typically not committed to version
  control.

  This command is always safe to run multiple times. Though subsequent runs
  may give errors, this command will never delete your configuration or
  state. Even so, if you have important information, please back it up prior
  to running this command, just in case.

  If no arguments are given, the configuration in this working directory
  is initialized.

Options:

  -backend=true        Configure the backend for this configuration.

  -backend-config=path This can be either a path to an HCL file with key/value
                       assignments (same format as terraform.tfvars) or a
                       'key=value' format. This is merged with what is in the
                       configuration file. This can be specified multiple
                       times. The backend type must be in the configuration
                       itself.

  -force-copy          Suppress prompts about copying state data. This is
                       equivalent to providing a "yes" to all confirmation
                       prompts.

  -from-module=SOURCE  Copy the contents of the given module into the target
                       directory before initialization.

  -get=true            Download any modules for this configuration.

  -get-plugins=true    Download any missing plugins for this configuration.

  -input=true          Ask for input if necessary. If false, will error if
                       input was required.

  -lock=true           Lock the state file when locking is supported.

  -lock-timeout=0s     Duration to retry a state lock.

  -no-color            If specified, output won't contain any color.

  -plugin-dir          Directory containing plugin binaries. This overrides all
                       default search paths for plugins, and prevents the
                       automatic installation of plugins. This flag can be used
                       multiple times.

  -reconfigure         Reconfigure the backend, ignoring any saved
                       configuration.

  -upgrade=false       If installing modules (-get) or plugins (-get-plugins),
                       ignore previously-downloaded objects and install the
                       latest version allowed within configured constraints.

  -verify-plugins=true Verify the authenticity and integrity of automatically
                       downloaded plugins.

Terraform Plan

As we are creating Infrastructure as Code, we need to be sure of our actions before we execute anything. So, the Terraform CLI provides an option to check the plan of execution. To see it, just run terraform plan followed by any arguments. This will show the plan of action like below.

$ terraform plan
...
+ aws_instance.digitalvarys
    ami:                         "ami-5a1f6d6c6w752"
    ...

Plan: 1 to add, 0 to change, 0 to destroy.

This command takes several arguments. You can see them by passing -help after the command, which shows the following output.

$ terraform plan -help
Usage: terraform plan [options] [DIR]

  Generates an execution plan for Terraform.

  This execution plan can be reviewed prior to running apply to get a
  sense for what Terraform will do. Optionally, the plan can be saved to
  a Terraform plan file, and apply can take this plan file to execute
  this plan exactly.

Options:

  -compact-warnings   If Terraform produces any warnings that are not
                      accompanied by errors, show them in a more compact form
                      that includes only the summary messages.

  -destroy            If set, a plan will be generated to destroy all resources
                      managed by the given configuration and state.

  -detailed-exitcode  Return detailed exit codes when the command exits. This
                      will change the meaning of exit codes to:
                      0 - Succeeded, diff is empty (no changes)
                      1 - Errored
                      2 - Succeeded, there is a diff

  -input=true         Ask for input for variables if not directly set.

  -lock=true          Lock the state file when locking is supported.

  -lock-timeout=0s    Duration to retry a state lock.

  -no-color           If specified, output won't contain any color.

  -out=path           Write a plan file to the given path. This can be used as
                      input to the "apply" command.

  -parallelism=n      Limit the number of concurrent operations. Defaults to 10.

  -refresh=true       Update state prior to checking for differences.

  -state=statefile    Path to a Terraform state file to use to look
                      up Terraform-managed resources. By default it will
                      use the state "terraform.tfstate" if it exists.

  -target=resource    Resource to target. Operation will be limited to this
                      resource and its dependencies. This flag can be used
                      multiple times.

  -var 'foo=bar'      Set a variable in the Terraform configuration. This
                      flag can be set multiple times.

  -var-file=foo       Set variables in the Terraform configuration from
                      a file. If "terraform.tfvars" or any ".auto.tfvars"
                      files are present, they will be automatically loaded.

Terraform apply

The terraform apply command is to apply the state of configuration made in the configuration file (.tf) or actions created by the previous command (terraform plan) to the respective providers. All you need to do is pass the command terraform apply.

Run the command with -help argument, you will get the detailed list of available arguments for the terraform apply. That will look like:

$ terraform apply -help
Usage: terraform apply [options] [DIR-OR-PLAN]

  Builds or changes infrastructure according to Terraform configuration
  files in DIR.

  By default, apply scans the current directory for the configuration
  and applies the changes appropriately. However, a path to another
  configuration or an execution plan can be provided. Execution plans can be
  used to only execute a pre-determined set of actions.

Options:

  -auto-approve          Skip interactive approval of plan before applying.

  -backup=path           Path to backup the existing state file before
                         modifying. Defaults to the "-state-out" path with
                         ".backup" extension. Set to "-" to disable backup.

  -compact-warnings      If Terraform produces any warnings that are not
                         accompanied by errors, show them in a more compact
                         form that includes only the summary messages.

  -lock=true             Lock the state file when locking is supported.

  -lock-timeout=0s       Duration to retry a state lock.

  -input=true            Ask for input for variables if not directly set.

  -no-color              If specified, output won't contain any color.

  -parallelism=n         Limit the number of parallel resource operations.
                         Defaults to 10.

  -refresh=true          Update state prior to checking for differences. This
                         has no effect if a plan file is given to apply.

  -state=path            Path to read and save state (unless state-out
                         is specified). Defaults to "terraform.tfstate".

  -state-out=path        Path to write state to that is different than
                         "-state". This can be used to preserve the old
                         state.

  -target=resource       Resource to target. Operation will be limited to this
                         resource and its dependencies. This flag can be used
                         multiple times.

  -var 'foo=bar'         Set a variable in the Terraform configuration. This
                         flag can be set multiple times.

  -var-file=foo          Set variables in the Terraform configuration from
                         a file. If "terraform.tfvars" or any ".auto.tfvars"
                         files are present, they will be automatically loaded.
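The saved-plan workflow that the plan and apply options above make possible, together with the TF_INPUT, TF_IN_AUTOMATION, TF_CLI_ARGS and TF_LOG variables from the environment variable list, shown as an added example that is not part of the original tutorial. The function names and the default plan file name tfplan are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: plan, review, then apply exactly the reviewed plan file.
# Function names and the default plan file name "tfplan" are illustrative.

# Pin the environment so inherited settings cannot change what the run does.
tf_pipeline_env() {
  export TF_INPUT=false        # fail instead of waiting on a prompt
  export TF_IN_AUTOMATION=1    # tell Terraform it is driven by a script
  unset TF_CLI_ARGS            # no flags injected from the caller's shell
  unset TF_LOG TF_LOG_PATH     # verbose logs can capture sensitive values
}

# Create a plan for review.
# Returns 0 = nothing to change, 2 = changes saved to the plan file, 1 = error
# (the -detailed-exitcode mapping shown in `terraform plan -help`).
tf_plan_for_review() {
  plan_file=${1:-tfplan}
  tf_pipeline_env
  plan_rc=0
  terraform plan -detailed-exitcode -no-color -out="$plan_file" || plan_rc=$?
  case $plan_rc in
    0) rm -f "$plan_file"; echo "no changes"; return 0 ;;
    2) chmod 600 "$plan_file"                   # plan files can embed variable values
       terraform show -no-color "$plan_file"    # the text a reviewer signs off on
       return 2 ;;
    *) rm -f "$plan_file"; echo "plan failed (exit $plan_rc)" >&2; return 1 ;;
  esac
}

# Apply a previously reviewed plan file and nothing else. Passing a plan file
# to apply executes only the pre-determined actions recorded in that plan.
tf_apply_reviewed() {
  plan_file=${1:-tfplan}
  if [ ! -f "$plan_file" ]; then
    echo "no reviewed plan at $plan_file; refusing to plan and apply in one step" >&2
    return 1
  fi
  tf_pipeline_env
  apply_rc=0
  terraform apply -no-color "$plan_file" || apply_rc=$?
  rm -f "$plan_file"           # do not leave plan files lying around
  return "$apply_rc"
}

# Entry point when saved and run as a script: <script> plan|apply [planfile]
case ${1:-} in
  plan)  tf_plan_for_review "${2:-tfplan}" ;;
  apply) tf_apply_reviewed "${2:-tfplan}" ;;
esac
```

A pipeline would run the plan step, hold for review when it returns 2, and run the apply step only after approval.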

Terraform Destroy

If you want to delete the infrastructure you created by the terraform, you can pass the Terraform CLI command terraform destroy. For more arguments with the terraform destroy, run -help argument.

$ terraform destroy -help
Usage: terraform destroy [options] [DIR]

  Destroy Terraform-managed infrastructure.

Options:

  -backup=path           Path to backup the existing state file before
                         modifying. Defaults to the "-state-out" path with
                         ".backup" extension. Set to "-" to disable backup.

  -auto-approve          Skip interactive approval before destroying.

  -force                 Deprecated: same as auto-approve.

  -lock=true             Lock the state file when locking is supported.

  -lock-timeout=0s       Duration to retry a state lock.

  -no-color              If specified, output won't contain any color.

  -parallelism=n         Limit the number of concurrent operations.
                         Defaults to 10.

  -refresh=true          Update state prior to checking for differences. This
                         has no effect if a plan file is given to apply.

  -state=path            Path to read and save state (unless state-out
                         is specified). Defaults to "terraform.tfstate".

  -state-out=path        Path to write state to that is different than
                         "-state". This can be used to preserve the old
                         state.

  -target=resource       Resource to target. Operation will be limited to this
                         resource and its dependencies. This flag can be used
                         multiple times.

  -var 'foo=bar'         Set a variable in the Terraform configuration. This
                         flag can be set multiple times.

  -var-file=foo          Set variables in the Terraform configuration from
                         a file. If "terraform.tfvars" or any ".auto.tfvars"
                         files are present, they will be automatically loaded.

Just like how the terraform plan will show the preview of terraform apply, if you pass terraform plan -destroy, you can see the preview of terraform destroy.

Terraform Import

As we know Terraform is so modular and we can reuse modules and components to make our Infrastructure as code easier. So, we can use terraform import to use the existing resources from the respective terraform platform.

Terraform validate

The terraform validate command is to validate the configuration file (.tf) created in the present directory. This is just the validation process of syntax and consistency of the configuration file.

Terraform Login

To get the API token from Terraform Enterprise, from Terraform Cloud, or from the machine where the Terraform services are hosted, use the terraform login command. By default, Terraform stores the API token fetched by this command in the credentials.tfrc.json file in the user's home directory (/home/user/.terraform.d/credentials.tfrc.json). Pass terraform login [hostname] to get the API token from the respective host. If you do not pass a hostname, it fetches the API token from app.terraform.io.
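Both the credentials parameter of the CLI Configuration file described earlier and the credentials.tfrc.json file written by terraform login keep the API token in plain text. The following added example (not part of the original tutorial) checks that any such file holding a token is accessible only to its owner; the function names and the constructed demo file are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: find Terraform CLI token files readable beyond their owner.
# Function names are illustrative; the demo file and its token are constructed.

# Candidate files: the CLI Configuration file (honouring TF_CLI_CONFIG_FILE)
# and the file written by `terraform login`.
tf_token_files() {
  printf '%s\n' "${TF_CLI_CONFIG_FILE:-$HOME/.terraformrc}"
  printf '%s\n' "$HOME/.terraform.d/credentials.tfrc.json"
}

# True if the file stores a token, in HCL (token = "...") or JSON ("token": "...").
tf_has_token() {
  grep -Eq -e '"?token"?[[:space:]]*[=:][[:space:]]*"[^"]+"' "$1"
}

# True if group or other hold any permission bit (characters 5-10 of the
# mode string printed by ls, e.g. "r--r--" in "-rw-r--r--").
tf_loose_mode() {
  [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Audit one file. Returns 1 with a FINDING line when it stores a token and is
# accessible beyond its owner; returns 0 otherwise. Never prints the token.
tf_audit_file() {
  [ -f "$1" ] || return 0            # absent: nothing to leak
  tf_has_token "$1" || return 0      # present but holds no token
  if tf_loose_mode "$1"; then
    echo "FINDING: $1 stores a token and is accessible to group/other (fix: chmod 600)"
    return 1
  fi
  echo "OK: $1 stores a token with owner-only access"
}

# Audit every candidate file of the current user; returns 1 on any finding.
tf_audit_all() {
  audit_rc=0
  while IFS= read -r candidate; do
    tf_audit_file "$candidate" || audit_rc=1
  done <<EOF
$(tf_token_files)
EOF
  return "$audit_rc"
}

# Demo in a subshell on a constructed home directory, so no real file is touched.
tf_audit_demo() (
  demo_home=$(mktemp -d) || exit 1
  HOME=$demo_home
  unset TF_CLI_CONFIG_FILE
  mkdir -p "$HOME/.terraform.d"
  printf '{"credentials":{"app.terraform.io":{"token":"CONSTRUCTED-NOT-A-REAL-TOKEN"}}}\n' \
    > "$HOME/.terraform.d/credentials.tfrc.json"
  chmod 644 "$HOME/.terraform.d/credentials.tfrc.json"
  tf_audit_all || true               # reports the world-readable file
  chmod 600 "$HOME/.terraform.d/credentials.tfrc.json"
  tf_audit_all || true               # reports owner-only access
  rm -rf "$demo_home"
)

tf_audit_demo
```

On a real workstation or build agent, call tf_audit_all on its own and treat a non-zero return as a failed check.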

Terraform Logout

To remove or purge the API token created by the terraform login, we can use terraform logout. Here also, you can specify the hostname to delete the API token of the respective host. If not, it will delete the token fetched from app.terraform.io as it is default.

Terraform get

To download and update the modules used in the root module, we can use terraform get [options] to do the same. In order to update the downloaded modules, we can use terraform get -update. Also, we can pass the directory path to the root directory if it is not in the current Terraform CLI execution path.

Terraform Providers

terraform providers is a Terraform CLI command that prints the list of providers mentioned in the Terraform configuration file (.tf).

Terraform graph

To view the configurations or plan of execution in the graphical view, we can use terraform graph command in the terraform CLI. More options of this command can be seen by running the -help argument with this command. i.e, terraform graph -help and it will show the following output.

$ terraform graph -help
Usage: terraform graph [options] [DIR]

  Outputs the visual execution graph of Terraform resources according to
  configuration files in DIR (or the current directory if omitted).

  The graph is outputted in DOT format. The typical program that can
  read this format is GraphViz, but many web services are also available
  to read this format.

  The -type flag can be used to control the type of graph shown. Terraform
  creates different graphs for different operations. See the options below
  for the list of types supported. The default type is "plan" if a
  configuration is given, and "apply" if a plan file is passed as an
  argument.

Options:

  -draw-cycles     Highlight any cycles in the graph with colored edges.
                   This helps when diagnosing cycle errors.

  -type=plan       Type of graph to output. Can be: plan, plan-destroy, apply,
                   validate, input, refresh.

  -module-depth=n  (deprecated) In prior versions of Terraform, specified the
                                   depth of modules to show in the output.

Terraform Console

Just like the Python or MySQL interactive consoles, the Terraform CLI has a facility to experiment with the expressions of the Terraform configuration file. To use it, enter terraform console [option] to start the Terraform console. To see more options of terraform console, pass the -help argument.

$ terraform console -help
Usage: terraform console [options] [DIR]

  Starts an interactive console for experimenting with Terraform
  interpolations.

  This will open an interactive console that you can use to type
  interpolations into and inspect their values. This command loads the
  current state. This lets you explore and test interpolations before
  using them in future configurations.

  This command will never modify your state.

  DIR can be set to a directory with a Terraform state to load. By
  default, this will default to the current working directory.

Options:

  -state=path            Path to read state. Defaults to "terraform.tfstate"

  -var 'foo=bar'         Set a variable in the Terraform configuration. This
                         flag can be set multiple times.

  -var-file=foo          Set variables in the Terraform configuration from
                         a file. If "terraform.tfvars" or any ".auto.tfvars"
                         files are present, they will be automatically loaded.

Terraform State

Terraform stores a record of the infrastructure right after the terraform apply command creates it. The record is kept in a file called terraform.tfstate, which holds the present state of the infrastructure created by terraform apply. To work with it, the Terraform CLI has a special and advanced command called terraform state. We will discuss Terraform State in more detail in an upcoming article. To see the options of this command, pass the -help argument, which shows the following output.

$ terraform state -help
Usage: terraform state <subcommand> [options] [args]

  This command has subcommands for advanced state management.

  These subcommands can be used to slice and dice the Terraform state.
  This is sometimes necessary in advanced cases. For your safety, all
  state management commands that modify the state create a timestamped
  backup of the state prior to making modifications.

  The structure and output of the commands is specifically tailored to work
  well with the common Unix utilities such as grep, awk, etc. We recommend
  using those tools to perform more advanced state tasks.

Subcommands:
    list    List resources in the state
    mv      Move an item in the state
    pull    Pull current state and output to stdout
    push    Update remote state from a local state file
    rm      Remove instances from the state
    show    Show a resource in the state

Terraform Show

We can see the human-readable information of the state file or the plan file of the terraform by passing terraform show command. We have more useful options with this command. To know those, pass -help argument with this command and you will get the following output.

$ terraform show -help
Usage: terraform show [options] [path]

  Reads and outputs a Terraform state or plan file in a human-readable
  form. If no path is specified, the current state will be shown.

Options:

  -no-color           If specified, output won't contain any color.
  -json               If specified, output the Terraform plan or state in
                      a machine-readable form.

Terraform Output

To see the exact variable in the terraform state file, run the command terraform output with the name of the variable. Like, terraform output [name]. Along with this, we have many options. To know that, pass -help argument along with this command and you will get the following output.

$ terraform output -help
Usage: terraform output [options] [NAME]

  Reads an output variable from a Terraform state file and prints
  the value. With no additional arguments, output will display all
  the outputs for the root module.  If NAME is not specified, all
  outputs are printed.

Options:

  -state=path      Path to the state file to read. Defaults to
                   "terraform.tfstate".

  -no-color        If specified, output won't contain any color.

  -json            If specified, machine readable output will be
                   printed in JSON format

Terraform Refresh

Once the Terraform state file has been created, the infrastructure can still be changed or modified, but the state file will not know about those changes. So, we have a command called terraform refresh, which gets the current information of the real infrastructure and stores it in the Terraform state file. This is considered one of the most useful commands, and it has many useful options. To see them, pass the -help argument with the command and you will get the following output.

$ terraform refresh -help
Usage: terraform refresh [options] [dir]

  Update the state file of your infrastructure with metadata that matches
  the physical resources they are tracking.

  This will not modify your infrastructure, but it can modify your
  state file to update metadata. This metadata might cause new changes
  to occur when you generate a plan or call apply next.

Options:

  -backup=path        Path to backup the existing state file before
                      modifying. Defaults to the "-state-out" path with
                      ".backup" extension. Set to "-" to disable backup.

  -compact-warnings   If Terraform produces any warnings that are not
                      accompanied by errors, show them in a more compact form
                      that includes only the summary messages.

  -input=true         Ask for input for variables if not directly set.

  -lock=true          Lock the state file when locking is supported.

  -lock-timeout=0s    Duration to retry a state lock.

  -no-color           If specified, output won't contain any color.

  -state=path         Path to read and save state (unless state-out
                      is specified). Defaults to "terraform.tfstate".

  -state-out=path     Path to write updated state file. By default, the
                      "-state" path will be used.

  -target=resource    Resource to target. Operation will be limited to this
                      resource and its dependencies. This flag can be used
                      multiple times.

  -var 'foo=bar'      Set a variable in the Terraform configuration. This
                      flag can be set multiple times.

  -var-file=foo       Set variables in the Terraform configuration from
                      a file. If "terraform.tfvars" or any ".auto.tfvars"
                      files are present, they will be automatically loaded.

Terraform workspace

A Terraform workspace holds persistent data such as the state file, plan file, environment variables, and more. We have the terraform workspace command to manage workspaces. Just like terraform state, the workspace command has several subcommands, such as creating a new workspace, deleting one, showing the current one and more. To see them, pass the -help argument with the command and it will show the following output.

$ terraform workspace -help
Usage: terraform workspace

  new, list, show, select and delete Terraform workspaces.

Subcommands:
    delete    Delete a workspace
    list      List Workspaces
    new       Create a new workspace
    select    Select a workspace
    show      Show the name of the current workspace

Terraform Taint

Terraform Taint command will mark the particular resource as tainted so that it will be destroyed when we run the next terraform apply. This will only modify the state file but not the actual infrastructure. This command is used as terraform taint [address-of-resource]. Along with this command, we have many options available. To see those, pass -help argument with the command and you will get the following output

$ terraform taint -help
Usage: terraform taint [options] <address>

  Manually mark a resource as tainted, forcing a destroy and recreate
  on the next plan/apply.

  This will not modify your infrastructure. This command changes your
  state to mark a resource as tainted so that during the next plan or
  apply that resource will be destroyed and recreated. This command on
  its own will not modify infrastructure. This command can be undone
  using the "terraform untaint" command with the same address.

  The address is in the usual resource address syntax, as shown in
  the output from other commands, such as:
    aws_instance.foo
    aws_instance.bar[1]
    module.foo.module.bar.aws_instance.baz

Options:

  -allow-missing      If specified, the command will succeed (exit code 0)
                      even if the resource is missing.

  -backup=path        Path to backup the existing state file before
                      modifying. Defaults to the "-state-out" path with
                      ".backup" extension. Set to "-" to disable backup.

  -lock=true          Lock the state file when locking is supported.

  -lock-timeout=0s    Duration to retry a state lock.

  -state=path         Path to read and save state (unless state-out
                      is specified). Defaults to "terraform.tfstate".

  -state-out=path     Path to write updated state file. By default, the
                      "-state" path will be used.

Terraform untaint

To undo the terraform taint command, we have a command called terraform untaint [address-of-resource]. So, the additional options of this command are exactly the same as the terraform taint command.

Conclusion

In this article, we discussed the Terraform CLI and its options. This is the third part of the Complete Terraform Tutorial series of DigitalVarys. In our upcoming articles, we will discuss more on Terraform State, Modules, and more features as parts of our Complete Terraform Tutorial. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps and App Development.
