Terraform CLI: Unlocking the Power of the Terraform CLI

by Julian Weins 7 min read

If you’ve ever worked with Terraform, you’re probably familiar with the core terraform workflow consisiting of plan, apply, and destroy. But did you know that the CLI has so much more to offer? Check out the downloadable mindmap that I created!

In this article, we’ll dive into the untapped potential of this powerful tool and shed light on the numerous commands that go beyond the traditional trio.

The Three Pillars: Plan, Apply, and Destroy:

When it comes to provisioning infrastructure with Terraform, the plan command provides a way to verify upcoming actions, apply will execute your configuration, and destroy acts as a reset button. These three commands are the cornerstone of any Terraform workflow, also refered as the Core Workflow. However, it’s time to dive into commands and features that can supercharge your infrastructure automation process.

While these three pillars are undoubtedly essential, they only scratch the surface of what the Terraform CLI has to offer. Let’s dive into the untapped potential!

Unlocking the Command Arsenal:

Terraform CLI Mindmap

In reference to the official documentation, I divided the Terraform CLI into four main blocks, each containing a set of commands that share a common purpose. Let’s briefly explore each block and its core functionalities, while I will go into more detail in the upcoming posts.

The Basics:

If you have ever worked with Terraform, you are probably familiar with the main commands:

  • init - Initializes a working directory containing Terraform configuration files.

  • plan - Generates an execution plan for Terraform, highlighting the changes to be made.

  • apply - Applies the changes required to reach the desired state of the configuration.

  • destroy - Destroys Terraform-managed infrastructure.

However, looking at the commands as a whole, we can see that they fall into four main categories: Build, Administration, State Manipulation, and Infrastructure Inspection. Let’s explore each of these categories in more detail.

Build

In this category, I put all the commands that assists you during configuration and executing your scripts. These commands include:

Write node:

  • fmt - Rewrites all Terraform configuration files to a canonical format and style.
  • validate - Validates the Terraform files in a directory, referring only to the configuration and not accessing any remote services such as remote state, provider APIs, etc.
  • console - Provides an interactive console for evaluating expressions.

Execute node:

  • plan - Generates an execution plan for Terraform, highlighting the changes to be made.
  • apply - Applies the changes required to reach the desired state of the configuration.
  • destroy - Destroys Terraform-managed infrastructure.

Terraform Administration:

This category contains all the commands that help you manage your Terraform environment. Using these terraform features is pretty useful when you are managing with multiple environments (like the three layers: dev, test, prod). Terraform allows you to create workspaces for each environment and manage them separately. Apart from that if you leverage the features of Terraform Cloud, you will already know the two authentication commands: login and logout.

I have included a third category, namely plugins. This category contains all the commands that help you manage your plugins. You can install, update, and remove plugins using these commands. This is especially useful when you are using custom plugins, or you want to up-/downgrade your installed plugins.

Workspaces node:

You might have noticed, that I skipped the repetitive master commands. To follow this mindmap, you will have to put the workspace in from of the following commands. The workspace commands are:

  • select - Selects a workspace.
  • new - Creates a new workspace.
  • list - Lists all workspaces.
  • delete - Deletes a workspace.
  • show - Shows the current workspace.

Note: The init and get command are not directly part of the workspace commands, however, I have included them in the workspace node since they do workspace related stuff.

Plugins node:

As mentioned above, the plugins node contains all the commands that help you manage your plugins. In practice, you rarely need to use these commands, but they are good to know. The commands are:

  • version - Prints the Terraform version.
  • providers - Prints a tree of the providers used in the configuration.

Since providers is a master command, there a three dependent commands:

  • lock - Locks the provider versions used in the configuration.
  • mirror - Mirrors all modules needed for the configuration.
  • schema - Prints the schema of a provider.

Authentication node:

When using Terraform cloud, you need to authenticate against it. Under the hood, they deal with the API Token, that you have to generate in TFCloud and store it locally during your first login attempt.

Basically, these two commands help you with that:

  • login - Obtains and saves an API token for the given Cloud Environment.
  • logout - Removes locally-stored API token for the given Cloud Environment.

State Manipulation:

The real power of Terraform - and what it differs from some competitors - lies in its state management. The state file is the single source of truth for your infrastructure. It contains all the information about your infrastructure, including the resources, their attributes, and the dependencies between them. This information is used by Terraform to plan and apply changes to your infrastructure. You rarely start with a greenfield project, so you may have a closer look on these four nodes:

Import node:

This node only got one command, that is used to import existing infrastructure into Terraform. This is especially useful when you have an existing infrastructure and want to manage it with Terraform. In some cases, you may find a feature that is not yet supported by Terraform. In this case, you can configure it directly through the UI and use the import command to import the resource into your state file and manage it with Terraform. The command is as simple as:

  • import - Imports existing infrastructure into Terraform.

Recreation node:

During runtime, you may get a feeling that some resources may get corrupted. In this case, you can use the taint command to mark the resource as tainted. This will force Terraform to destroy and recreate the resource during the next apply run. The commands are:

  • taint - Marks one or more resources as tainted.
  • untaint - Removes the ‘tainted’ state from one or more resources.

Move Resource node:

Note: The following commands are used with the state master command.

As your managed infrastructure grows, you may see the need to refactor your IaC code. This is especially true when you work as a team and split up the workload. You may already know that every developer has its own style and no styleguide will prevent that - luckily. However, there will be the need to shift resources, merge your modules, or even split them up. Just think of a shift in your patterns as your IaC initiative grows. You should be able to remember the following commands:

  • rm - Removes one or more items from the state file.
  • mv - Moves one or more resources in the state file.

  • replace-provider - Replaces provider instances in the state file.

  • show - Shows the current state or a saved state.

Recovery node:

Note: The following commands are used with the state master command.

When something horribly goes wrong, you may need to recover your state file. I do hope that you have a backup of your state file (luckily, Terraform does that by default), but you may need to recover it from a backup. The following commands will help you with that:

  • pull - Pulls the current state and outputs it to stdout.
  • push - Pushes the given state to the backend.

A command that you will have to use more often is the force-unlock command. This command is used to unlock a locked state file. Even though I used Terraform on my own (at work and in my private projects) it may be that you have to unlock the state file. This can happen when you have a long-running apply command and you cancel it. In this case, the state file may get locked and you have to unlock it manually. The command is:

  • force-unlock - Manually unlocks the state for the defined configuration.

Infrastucture Inspection:

This category contains all the commands that help you inspect your infrastructure. You typically use these commands to get information about your infrastructure. I divided them into state and no-state commands. The state commands are used to inspect your state file, while the no-state commands are used to get information about your current (or planned) infrastructure:

With the master command state:

  • show - Shows the current state or a saved state.
  • list - Lists resources in the state.

Apart from that there are frequently used commands that are also used to inspect your infrastructure. These commands are:

  • output - Reads a previously defined output from your current state file.
  • graph - Creates a visual graph of Terraform resources.
  • show - Inspects Terraform state or plan.

Beyond the Basics:

While we’ve only scratched the surface, these commands set the stage for future exploration. In subsequent blog posts, I will delve into each of the four main blocks in the comprehensive mind map, uncovering additional hidden gems within the Terraform CLI and how to use it. Stay tuned for more deep dives into advanced commands and functionalities that will enhance your infrastructure-as-code workflows.

If you enjoyed this article, remember to bookmark my website and follow me for future updates and detailed discussions on each command.