Skip to main content
The Terraform CLI is the primary interface for managing infrastructure as code with Terraform. It provides a consistent command structure across cloud providers and on-premises environments, so the same commands and workflow apply whether you’re deploying to AWS, Azure, GCP, or elsewhere. This predictability helps teams collaborate and automate infrastructure reliably. A typical command pattern is: 
terraform <command> [options]
Once you learn the CLI conventions, you can apply them across every Terraform project.

Command structure and examples

Commands are invoked with the base keyword terraform followed by a subcommand and optional flags or parameters: 
terraform <subcommand> [options or flags]
Example: 
terraform plan -out=planfile
  • terraform — invokes the Terraform CLI.
  • plan — subcommand that generates an execution plan.
  • -out=planfile — optional flag that saves the plan for later use with apply.
Use this structure to compose commands for initialization, validation, planning, applying, and destruction.

Terraform workflow mapped to CLI commands

Terraform’s recommended workflow maps directly to CLI subcommands. Follow these steps to develop, test, and manage infrastructure safely.
StepPurposeCLI Examples
WriteCreate infrastructure definitions in HCL (.tf files).# Edit .tf files
Format & ValidateEnsure readable, valid configuration.terraform fmt
terraform validate
InitInitialize the working directory: download providers, configure backend.terraform init
PlanPreview proposed changes before applying.terraform plan
terraform plan -out=planfile
ApplyProvision or modify resources described in configuration.terraform apply
terraform apply planfile
DestroyTear down managed resources.terraform destroy
Canonical sequence of commands: 
terraform fmt
terraform init
terraform validate
terraform plan
terraform apply
# terraform destroy
Note: Running terraform plan before terraform apply is a best practice—it lets you review changes and avoids surprises.
Be careful with terraform destroy. It will remove infrastructure managed by Terraform. Confirm that you really intend to destroy resources before typing yes.

Core CLI commands — quick reference

Below are the most commonly used Terraform subcommands with a short description and example usage.
CommandPurposeExample
terraform initInitialize a working directory and download providers.terraform init
terraform fmtFormat configuration files.terraform fmt
terraform validateValidate configuration for syntax and internal consistency.terraform validate
terraform planGenerate and display an execution plan.terraform plan -out=planfile
terraform applyExecute changes to reach the desired state.terraform apply
terraform destroyDestroy remote resources managed by a configuration.terraform destroy
terraform stateInspect and modify the state file.terraform state list
terraform showShow state or saved plan details.terraform show planfile
terraform importImport existing resources into state.terraform import aws_instance.example i-12345678
This list is not exhaustive but covers the commands most teams use daily.
The image lists various Terraform subcommands, with some checked off, such as "apply," "init," "destroy," "validate," and "version." It also notes that this is not an exhaustive list.

Additional commonly used subcommands

Beyond the core workflow, Terraform includes powerful subcommands for state management, debugging, and advanced operations:
  • terraform state — inspect and manually modify state objects (use carefully).
  • terraform show — display state or plan details in a human-readable format.
  • terraform import — bring existing external resources under Terraform management.
  • terraform fmt and terraform validate — help enforce configuration quality and consistency.

Environment variables

Environment variables are a secure, convenient way to provide credentials, configure Terraform behavior, and set input variables without embedding secrets in .tf files. Why use environment variables?
  • Avoid committing credentials into version control.
  • Provide defaults or overrides for variables in CI/CD pipelines.
  • Control logging and runtime behavior for debugging.
Common environment variables:
  • TF_LOG — set Terraform logging level (TRACE, DEBUG, INFO, WARN, ERROR). Useful for troubleshooting.
  • TF_VAR_<name> — set Terraform input variables from the environment. For example: 
    export TF_VAR_server_name="prod-db-01"
    A configuration referencing var.server_name will pick up this value.
  • Provider-specific variables — many providers support environment-based credentials (for example AWS or Azure environment variables). Terraform checks multiple sources for credentials, including environment variables and credential helpers.
Example combined environment setup: 
export TF_LOG=DEBUG
export TF_VAR_server_name="prod-db-01"
export AWS_ACCESS_KEY_ID="EXAMPLEACCESSKEY"
export AWS_SECRET_ACCESS_KEY="EXAMPLESECRETKEY"
Use environment variables for credentials and sensitive values instead of hardcoding them into .tf files to reduce the risk of accidentally committing secrets.

Best practices and tips

  • Always run terraform fmt and terraform validate before committing changes.
  • Use terraform plan -out=planfile and terraform apply planfile to ensure the exact planned changes are applied.
  • Store state securely (remote backends like S3 with locking via DynamoDB, or HashiCorp Consul, are recommended for team workflows).
  • Use workspaces, modules, and variable files to organize environments and reusable components.
  • Limit the use of terraform state commands; prefer importing and re-creating resources through configuration when possible.
Wrapping up You now have a concise, practical overview of the Terraform CLI: its command structure, mapped workflow, useful subcommands, and secure use of environment variables. In later sections you can explore advanced topics like remote state backends, workspaces, custom providers, and automation patterns for CI/CD.

Watch Video