How to enable and use Terraform logging for detailed TRACE debugging, including configuration, log setup, interpreting traces, and redacting sensitive data
This lesson shows how to enable Terraform’s logging to get detailed debugging information when troubleshooting configuration or provider issues. Detailed logs can reveal internal graph transforms, provider attachment, HCL source locations, and diff analysis that help diagnose misconfigurations, provider matching problems, or communication errors.
Running a normal plan typically produces a concise summary:
$ terraform planPlan: 3 to add, 0 to change, 0 to destroy.Note: You didn't use the --out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
export TF_LOG=TRACE# optional: write logs to a file instead of STDOUTexport TF_LOG_PATH=./terraform.log
On Windows PowerShell:
$env:TF_LOG = "TRACE"# optional: write logs to a file$env:TF_LOG_PATH = "C:\temp\terraform.log"
After enabling TRACE and running terraform plan, you will observe many more internal messages. The excerpts below are representative: they show Terraform’s graph transforms, provider matching, HCL source ranges, and diff decisions.
You will also see resource attachment and HCL source references, which are useful for pinpointing the source file and location for a resource:
2026-02-14T20:43:00.329-0500 [TRACE] AttachResourceConfigTransformer: attaching provider to aws_subnet.public2026-02-14T20:43:00.329-0500 [TRACE] AttachResourceConfigTransformer: attaching to "aws_subnet.private" (*terraform.NodeApplicableResourceInstance) config from hcl.Range{Filename: "main.tf", Start:hcl.Pos{Line:11, Column:1, Byte:202}, End:hcl.Pos{Line:11, Column:32, Byte:233}}2026-02-14T20:43:00.329-0500 [TRACE] AttachResourceConfigTransformer: attaching provider to aws_subnet.private2026-02-14T20:43:00.329-0500 [TRACE] AttachResourceConfigTransformer: attaching to "aws_vpc.main" (*terraform.NodeApplicableResourceInstance) config from hcl.Range{Filename: "main.tf", Start:hcl.Pos{Line:1, Column:1, Byte:0}, End:hcl.Pos{Line:1, Column:26, Byte:25}}2026-02-14T20:43:00.329-0500 [TRACE] Completed graph transform *terraform.AttachResourceConfigTransformer (no changes)
Diff determination and change representation are also logged:
2026-02-14T20:43:00.329-0500 [TRACE] DiffTransformer: found Create change for aws_subnet.private2026-02-14T20:43:00.329-0500 [TRACE] DiffTransformer: aws_subnet.private will be represented as create2026-02-14T20:43:00.329-0500 [TRACE] DiffTransformer complete2026-02-14T20:43:00.329-0500 [TRACE] Completed graph transform *terraform.DiffTransformer
These traces make it easier to locate where Terraform is assigning providers, how it builds the resource graph, and why particular resources are created, changed, or left unchanged.
TRACE logs can include sensitive data (like provider tokens, API keys, or resource attributes). Avoid sending raw trace logs to third parties without sanitizing them first.
If you must share logs with HashiCorp or a provider, redact secrets (API keys, tokens, passwords, and any sensitive attributes) before uploading. Consider limiting logs to a file and opening it in a secure editor to mask secrets.
After unsetting, terraform plan returns to the normal concise output:
$ terraform planPlan: 3 to add, 0 to change, 0 to destroy.Note: You didn't use the --out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
