Terraform Cheat Sheet 2026: Commands and HCL Syntax

A quick reference for Terraform — infrastructure as code for any cloud. Bookmark this page.

Workflow Commands

# Initialize working directory
terraform init
terraform init -upgrade          # Upgrade provider versions
terraform init -backend-config=backend.hcl  # Custom backend

# Format and validate
terraform fmt                    # Format all .tf files
terraform fmt -check             # Check formatting (CI/CD)
terraform validate               # Validate configuration

# Plan (preview changes)
terraform plan
terraform plan -out=tfplan       # Save plan to file
terraform plan -target=aws_instance.web  # Plan specific resource
terraform plan -var="env=prod"   # Pass variable

# Apply changes
terraform apply
terraform apply tfplan           # Apply saved plan
terraform apply -auto-approve    # Skip confirmation (CI/CD)
terraform apply -target=aws_instance.web  # Apply specific resource

# Destroy infrastructure
terraform destroy
terraform destroy -target=aws_instance.web  # Destroy specific resource

State Management

# Show current state
terraform show
terraform show -json | jq .

# List resources in state
terraform state list

# Show specific resource
terraform state show aws_instance.web

# Move resource (rename)
terraform state mv aws_instance.old aws_instance.new

# Remove resource from state (without destroying)
terraform state rm aws_instance.web

# Import existing infrastructure
terraform import aws_instance.web i-1234567890abcdef0

# Pull remote state
terraform state pull > state.json

# Push state (careful!)
terraform state push state.json

Workspace Management

# List workspaces
terraform workspace list

# Create and switch
terraform workspace new staging
terraform workspace select production

# Delete workspace
terraform workspace delete staging

# Show current workspace
terraform workspace show

Output and Variables

# Show outputs
terraform output
terraform output -json
terraform output instance_ip      # Specific output

# Pass variables
terraform plan -var="region=eu-west-1"
terraform plan -var-file="prod.tfvars"

# Environment variables
export TF_VAR_region="eu-west-1"
export TF_VAR_instance_type="t3.medium"

Common Patterns

# Backend configuration (S3)
terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "eu-west-1"
    dynamodb_table = "terraform-locks"
    encrypt        = true
  }
}

# Provider with version constraint
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
  required_version = ">= 1.7.0"
}

Debugging

# Enable debug logging
export TF_LOG=DEBUG
export TF_LOG_PATH=terraform.log

# Graph dependencies
terraform graph | dot -Tpng > graph.png

# Force unlock state (if stuck)
terraform force-unlock LOCK_ID

# Taint resource (force recreation)
terraform taint aws_instance.web    # Deprecated
terraform apply -replace=aws_instance.web  # Modern way

Tips and Tricks

• Always use remote state with locking for team workflows
• Use terraform plan -out=tfplan then terraform apply tfplan in CI/CD
• Use moved blocks instead of terraform state mv for refactoring
• Use lifecycle { prevent_destroy = true } for critical resources
• Use checkov or tfsec for security scanning

Related Resources

• Helm Cheat Sheet
• Git Cheat Sheet
• Linux Cheat Sheet