Terraform CLI Cheat Sheet

About Terraform CLI

Terraform, a tool created by HashiCorp in 2014 and written in Go, aims to build, change and version control your infrastructure. This tool has a powerful and very intuitive Command Line Interface.

Installation

Install through curl

$ curl -O https://releases.hashicorp.com/terraform/1.4.6/terraform_1.4.6_darwin_amd64.zip
$ sudo unzip terraform_1.4.6_darwin_amd64.zip -d /usr/local/bin/
$ rm terraform_1.4.6_darwin_amd64.zip

OR install through tfenv: a Terraform version manager

First of all, download the tfenv binary and put it in your PATH.

$ git clone https://github.com/tfutils/tfenv.git --depth=1 ~/.tfenv
$ echo 'export PATH="$HOME/.tfenv/bin:$PATH"' >> ~/.bash_profile

Then, you can install and use the desired version of terraform:

$ tfenv install 1.4.6
$ tfenv use 1.4.6

Usage

Show version

$ terraform -v
Terraform v1.4.6

Init Terraform

$ terraform init

It's the first command you need to execute. Otherwise, terraform plan, apply, destroy and import will not work. The command terraform init will install:
- terraform modules
- optionally, a backend
- provider(s) plugins

Init Terraform and don't ask any input

$ terraform init -input=false

Change backend configuration during the init

$ terraform init -backend-config=cfg/s3.dev.tf -reconfigure

-reconfigure is used in order to tell terraform to not copy the existing state to the new remote state location.

Get

This command is useful when you have defined some modules. Modules are vendored so when you edit them, you need to get the modules content again.

$ terraform get -update=true

When you use modules, the first thing you'll have to do is a terraform get. This pulls modules into the .terraform directory. Once you do that, unless you do another terraform get -update=true, you've essentially vendored those modules.

Plan

The plan step checks the configuration to execute and writes a plan to apply to the target infrastructure provider.

$ terraform plan -out plan.out

It's an important feature of Terraform that allows a user to see which actions Terraform will perform prior to making any changes, increasing confidence that a change will have the desired effect once applied.

When you execute the terraform plan command, terraform will scan all *.tf files in your directory and create the plan.

Apply

Now you have the desired state so you can execute the plan.

$ terraform apply plan.out

Good to know: Since terraform v0.11+, in an interactive mode (non CI/CD/autonomous pipeline), you can just execute the terraform apply command, which will print out which actions TF will perform.

By generating the plan and applying it in the same command, Terraform can guarantee that the execution plan won't change, without needing to write it to disk. This reduces the risk of potentially-sensitive data being left behind, or accidentally checked into version control.

$ terraform apply

Apply and auto approve

$ terraform apply -auto-approve

Apply and define new variables value

$ terraform apply -auto-approve -var tags-repository_url=${GIT_URL}

Apply only one module

$ terraform apply -target=module.s3

This -target option works with terraform plan too.

Destroy

$ terraform destroy

Delete all the resources!

A deletion plan can be created before:

$ terraform plan -destroy

The -target option allows you to destroy only one resource, for example an S3 bucket:

$ terraform destroy -target aws_s3_bucket.my_bucket

Debug

The Terraform console command is useful for testing interpolations before using them in configurations. Terraform console will read the configured state even if it is remote.

$ echo "aws_iam_user.notif.arn" | terraform console
arn:aws:iam::123456789:user/notif

Logs level

Set the log level to DEBUG and save the log to an external output file.

$ TF_LOG_PATH=mylogfile.txt TF_LOG=debug terraform apply

Graph

$ terraform graph | dot -Tpng > graph.png

Visual dependency graph of terraform resources.

Validate

The validate command is used to validate/check the syntax of the Terraform files. A syntax check is done on all the terraform files in the directory, and an error is displayed if any of the files doesn't validate. The syntax check does not cover every common syntax issue.

$ terraform validate
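
The curl installation above unzips the download into /usr/local/bin with sudo without checking it. As an added example (not part of the original cheat sheet), this function verifies the archive against the terraform_1.4.6_SHA256SUMS file HashiCorp publishes next to each release; sha256_of and verify_release are names made up here.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: check a downloaded
# Terraform archive against the published SHA256SUMS file before unzipping.

# sha256_of FILE -> prints the hex digest, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # macOS
    fi
}

# verify_release ZIP SUMS_FILE
# Returns 0 only if SUMS_FILE lists ZIP's basename with a matching digest,
# 1 on mismatch, 2 if the archive is not listed at all.
verify_release() {
    zip=$1
    sums=$2
    name=$(basename "$zip")
    # SHA256SUMS lines look like: "<hex digest>  <file name>"
    expected=$(awk -v n="$name" '$2 == n {print $1}' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }
    actual=$(sha256_of "$zip") || return 3
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
}

# Intended use, with the version from the steps above:
#   V=1.4.6; B=https://releases.hashicorp.com/terraform/$V
#   curl -fsSLO "$B/terraform_${V}_darwin_amd64.zip"
#   curl -fsSLO "$B/terraform_${V}_SHA256SUMS"
#   verify_release "terraform_${V}_darwin_amd64.zip" "terraform_${V}_SHA256SUMS" \
#     && sudo unzip "terraform_${V}_darwin_amd64.zip" -d /usr/local/bin/
```

The checksum file is only as trustworthy as its source; HashiCorp also publishes a detached signature (terraform_1.4.6_SHA256SUMS.sig) that can be checked with gpg --verify against their release key.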
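
The Apply note above points out that a plan written to disk can leave sensitive data behind. An added sketch (not from the original cheat sheet) of the plan.out workflow that keeps the plan in a private temporary directory and deletes it on exit; plan_then_apply, TERRAFORM and PLAN_APPROVE are names assumed for this example.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: reviewed plan -> apply,
# keeping the binary plan file private and removing it afterwards.
# TERRAFORM is an assumption of this sketch so a wrapper or stub can be used.
TERRAFORM=${TERRAFORM:-terraform}

# plan_then_apply [extra plan args...]
# Set PLAN_APPROVE=yes to apply; otherwise the plan is only produced and shown
# and the function returns 3. The body runs in a subshell so the EXIT trap
# fires when the function ends, whatever the outcome.
plan_then_apply() (
    umask 077                                # plan files can embed secrets
    workdir=$(mktemp -d) || exit 1
    trap 'rm -rf "$workdir"' EXIT            # never leave plan.out behind
    plan="$workdir/plan.out"

    "$TERRAFORM" plan -input=false -out="$plan" "$@" || exit 1
    "$TERRAFORM" show "$plan" || exit 1      # human-readable copy for review

    if [ "${PLAN_APPROVE:-no}" = "yes" ]; then
        # Applying the saved file executes exactly what was reviewed.
        "$TERRAFORM" apply -input=false "$plan" || exit 1
    else
        echo "plan not applied (PLAN_APPROVE != yes)" >&2
        exit 3
    fi
)

# Example: PLAN_APPROVE=yes plan_then_apply -target=module.s3
```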

Providers

You can use a lot of providers/plugins in your terraform resource definitions, so it can be useful to have a tree of the providers used by modules in your project.

$ terraform providers
.
├── provider.aws ~> 1.24.0
├── module.my_module
│   ├── provider.aws (inherited)
│   ├── provider.null
│   └── provider.template
└── module.elastic
    └── provider.aws (inherited)

State

Show and output the state (human readable way)

$ terraform show

Refresh

Compare the current real remote information and put it in the state.

$ terraform refresh

Pull remote state in a local copy

$ terraform state pull > terraform.tfstate

Push state in remote backend storage

$ terraform state push

This command is useful if, for example, you originally used a local tf state and then you define a backend storage, in S3 or Consul…

How to tell Terraform you moved a resource into a module?

If you moved an existing resource into a module, you need to update the state:

$ terraform state mv aws_iam_role.role1 module.mymodul

How to import an existing resource in Terraform?

If you have an existing resource in your infrastructure provider, you can import it in your Terraform state:

$ terraform import aws_iam_policy.elastic_post arn:aws:iam::123456789:policy/elastic_post

Workspaces

To manage multiple distinct sets of infrastructure resources/environments.

Instead of creating a directory for each environment to manage, we just need to create the needed workspaces and use them:

Create workspace

This command creates a new workspace and then selects it.

$ terraform workspace new dev

Select a workspace

$ terraform workspace select dev

List workspaces

$ terraform workspace list
  default
* dev
  prod

Show current workspace

$ terraform workspace show
dev

Tools

jq

jq is a lightweight command-line JSON processor. Combined with terraform output it can be powerful.

Installation

For Linux:

$ sudo apt-get install jq

or

$ yum install jq

For OS X:

$ brew install jq

Usage

For example, we defined outputs in a module and when we execute terraform apply, the outputs are displayed:

$ terraform apply
...
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

elastic_endpoint = vpc-toto-12fgfd4d5f4ds5fngetwe4.eu-central-1.es.amazonaws.com

We can extract the value that we want in order to use it in a script, for example. With jq it's easy:

$ terraform output -json
{
    "elastic_endpoint": {
        "sensitive": false,
        "type": "string",
        "value": "vpc-toto-12fgfd4d5f4ds5fngetwe4.eu-central-1.es.amazonaws.com"
    }
}

$ terraform output -json | jq '.elastic_endpoint.value'
"vpc-toto-12fgfd4d5f4ds5fngetwe4.eu-central-1.es.amazonaws.com"

gcloud bulk-export in terraform format

Natively export Google Cloud resources to Terraform.

Usage

$ gcloud beta resource-config bulk-export --resource-format=terraform

Resource types supported:

$ gcloud beta resource-config list-resources

Authors: @aurelievache, DevRel at OVHcloud

v1.0.4