Skip to main content
This concise guide walks through practical Terraform CLI features: built-in help, command-specific help, plan customization flags, and using environment variables both to set Terraform variables and to provide provider credentials. Keep this as a quick reference while working with Terraform locally or in CI. Minimal Terraform example (we’ll use this throughout) 
provider "random" {}

variable "num_of_pets" {
  type        = number
  description = "How many pets do we want?"
}

resource "random_pet" "name" {
  length = var.num_of_pets
}

output "random_pet_name" {
  value = random_pet.name.id
}

Getting CLI help

Open a terminal in your working directory and request top-level help to see global usage and available subcommands: 
$ terraform --help
Usage: terraform [global options] `<subcommand>` [args]

The available commands for execution are listed below.
The primary workflow commands are given first, followed by
less common or more advanced commands.

Main commands:
  init            Prepare your working directory for other commands
  validate        Check whether the configuration is valid
  plan            Show changes required by the current configuration
  apply           Create or update infrastructure
  destroy         Destroy previously-created infrastructure
Common and advanced commands (excerpt)
CommandUse Case
initInitialize a working directory and download provider plugins
validateCheck HCL syntax and basic configuration consistency
planProduce an execution plan without changing infrastructure
applyCreate or update resources described by the configuration
destroyRemove resources managed by Terraform
stateAdvanced state inspection and manipulation
workspaceManage named workspaces for different state instances
Further down in the full help output you’ll also find less-common and deprecated commands (for example, taint and untaint were deprecated in favor of flags such as -replace). Global options (use these before the subcommand) 
-chdir=DIR     Switch to a different working directory before executing the given subcommand.
-help          Show this help output, or the help for a specified subcommand.
-version       An alias for the "version" subcommand.
Request help for any specific subcommand: 
$ terraform validate --help
This prints what the subcommand does and all supported flags (for example, validate documents JSON output and color control flags). Callout: subcommand help
You can get help for any subcommand (for example, terraform plan --help) to see detailed options, examples, and usage notes.

Deep dive: terraform plan

terraform plan generates a speculative execution plan showing what Terraform would do to bring infrastructure in line with the configuration. It does not perform any changes unless you later pass a saved plan file to apply. Example help excerpt: 
$ terraform plan --help
Usage:  terraform [global options] plan [options]

Generates a speculative execution plan, showing what actions Terraform
would take to apply the current configuration. This command will not
actually perform the planned actions.

You can optionally save the plan to a file, which you can then pass to
the "apply" command to perform exactly the actions described in the plan.

Plan Customization Options:
  -destroy
  -refresh=true|false
  -replace=resource_address
  -target=resource_address
  -var 'foo=bar'
  -var-file=filename
  -out=path
  -parallelism=n
  -state=statefile
  -no-color
  -input=true|false
Plan customization flags — quick reference
FlagPurposeExample
-replace=resource_addressForce resource replacement (replacement of taint)terraform plan -replace=aws_instance.web
-target=resource_addressPlan only specific resource(s)terraform plan -target=module.db
-varSet a variable from the CLIterraform plan -var 'num_of_pets=3'
-var-fileLoad variables from a fileterraform plan -var-file=prod.tfvars
-outSave a plan to a path for later applyterraform plan -out=tfplan
-parallelismLimit concurrent operationsterraform plan -parallelism=4
Notes:
  • Use -out if you want to guarantee that apply performs the same actions as planned.
  • Prefer -var-file or environment variables in CI to avoid leaking secrets in shell history.

Passing Terraform variables via environment

Terraform supports setting input variables from the environment using the TF_VAR_<variable_name> pattern. For the example above, set TF_VAR_num_of_pets to provide num_of_pets from the environment. If you run terraform plan without supplying num_of_pets, Terraform will prompt: 
$ terraform plan
var.num_of_pets
  How many pets do we want?

Enter a value:
Set the variable in a POSIX shell (macOS / Linux): 
export TF_VAR_num_of_pets=3
Rerunning terraform plan will now use that value without prompting: 
$ terraform plan
Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + random_pet_name = (known after apply)

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
If you change TF_VAR_num_of_pets to another number (for example 6), resources depending on var.num_of_pets will reflect the new value on the next plan or apply. Callout: using TF_VAR_ environment variables
Use TF_VAR_<variable_name> to inject Terraform variable values from the environment. Example: export TF_VAR_num_of_pets=3. This is useful in CI/CD pipelines and local scripts.

Environment variables for provider authentication

Provider SDKs typically read standard environment variables for authentication. These are provider-specific and are not Terraform-level variables. Common provider authentication environment variables:
ProviderCommon env varsNotes / docs
AWSAWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGIONSee AWS provider docs: https://registry.terraform.io/providers/hashicorp/aws
GCPGOOGLE_CREDENTIALS, GOOGLE_PROJECT, GOOGLE_REGIONAccepts service account JSON via GOOGLE_CREDENTIALS
AzureARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID, ARM_TENANT_IDAzureRM provider reads these
VaultVAULT_ADDR, VAULT_TOKENUse VAULT_TOKEN or approles for auth
AWS example (POSIX shell): 
export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY
export AWS_SECRET_ACCESS_KEY=exampleSecretKeyHere
export AWS_DEFAULT_REGION=us-east-1
And an AWS provider block in HCL: 
provider "aws" {
  region = "us-east-1"
}
Terraform will use the environment variables above to authenticate with AWS during plan or apply. Callout: protect credentials
Never commit credentials, tokens, or secret keys to version control. Use secure secrets management, environment injection in CI/CD, or a secrets backend (e.g., HashiCorp Vault) instead of hardcoding secrets in files.

Summary and quick checklist

  • Use terraform --help and terraform <subcommand> --help to discover commands, flags, and usage examples.
  • terraform plan supports many customization flags (-replace, -target, -var, -var-file, -out); use -out when you need a reproducible apply step.
  • Supply Terraform input variables via the environment using TF_VAR_<variable_name> for automation-friendly workflows.
  • Provider authentication commonly relies on provider-specific environment variables (for example, AWS and Vault); consult provider docs for exact variable names.
  • Never store secrets in source control—use secure vaults or platform-managed secret injection.
Further reading and references That’s it — a compact, practical walkthrough of helpful Terraform CLI commands, plan options, and environment-based variable and credential patterns.

Watch Video