Terraform Cheat Sheet
Complete reference guide for Terraform with interactive examples and live playground links
Basic Commands
Initialization and Setup
Terraform initialization commands
Terraform
# Initialize the working directory: installs providers and modules and configures the backend
terraform init
# Supply a single backend setting as key=value (partial backend configuration).
# Values passed with -backend-config are saved in plain text under .terraform/ and in plan
# files, so keep credentials out of this flag and supply them through the environment.
terraform init -backend-config="bucket=my-terraform-state"
# Install providers only from a local directory instead of a registry
terraform init -plugin-dir=/path/to/plugins
# Load backend settings from a file; keep that file out of version control if it holds secrets
terraform init -backend-config="path/to/backend.hcl"
Plan and Apply
Plan and apply commands
Terraform
# Write the execution plan to a file so that apply runs exactly what was reviewed.
# The plan file stores configuration and variable values in cleartext, including values
# marked sensitive; handle it like a secret and do not commit or publish it.
terraform plan -out=tfplan
# Apply the saved plan (no confirmation prompt: reviewing the plan was the approval step)
terraform apply tfplan
# Plan and apply in one step with the approval prompt skipped.
# Nothing is reviewed before changes are made; keep this for pipelines where the change
# has already been approved elsewhere.
terraform apply -auto-approve
# Set individual input variables on the command line.
# Arguments end up in shell history and process listings, so do not pass secrets this way.
terraform apply -var="instance_type=t3.micro" -var="region=us-west-2"
# Load input variables from a file
terraform apply -var-file="prod.tfvars"
State Management
State management commands
Terraform
# List the resource addresses tracked in state
terraform state list
# Print the attributes recorded for one resource; the output can include secrets held in state
terraform state show aws_instance.web
# Rename a resource address in state without touching the real infrastructure
terraform state mv aws_instance.old aws_instance.new
# Stop tracking a resource. The real resource is NOT destroyed: it keeps running, unmanaged.
terraform state rm aws_instance.web
# Bring an existing resource under management: resource address, then the provider-specific ID
terraform import aws_instance.web i-1234567890abcdef0
Resource Management
Resource Configuration
Resource configuration examples
Terraform
# The three blocks below are alternative versions of the same resource address
# (aws_instance.web); a single module can contain only one of them.

# Minimal resource: one EC2 instance.
# The AMI ID is a literal, so the image stays pinned until someone edits this line.
resource "aws_instance" "web" {
  instance_type = "t2.micro"
  ami           = "ami-0c55b159cbfafe1f0"

  tags = {
    Name = "web-server"
  }
}

# Lifecycle block: controls how Terraform replaces, protects and diffs the resource
resource "aws_instance" "web" {
  # ... basic configuration ...

  lifecycle {
    # Changes to tags made outside Terraform are not reported as drift
    ignore_changes = [tags]

    # false is the default; true makes any plan that would destroy the resource fail
    prevent_destroy = false

    # Build the replacement first, then remove the old instance
    create_before_destroy = true
  }
}

# depends_on: explicit ordering for dependencies no attribute reference expresses
resource "aws_instance" "web" {
  # ... basic configuration ...

  depends_on = [
    aws_security_group.web,
    aws_iam_role.web,
  ]
}
Data Sources
Data source configuration
Terraform
# Look up the newest Ubuntu 20.04 image.
# AMI names are not unique across publishers. The owners argument limits the search to
# one publisher account (099720109477 is Canonical), so most_recent cannot pick up a
# look-alike image from another account. Keep owners whenever most_recent is used.
data "aws_ami" "ubuntu" {
  owners      = ["099720109477"]
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
  }
}

# Instance lookup: one fixed filter, plus one filter generated for each element of
# var.additional_filters
data "aws_instances" "web" {
  filter {
    name   = "tag:Environment"
    values = ["production"]
  }

  dynamic "filter" {
    for_each = var.additional_filters

    content {
      values = filter.value.values
      name   = filter.value.name
    }
  }
}
Variables and Outputs
Variables and outputs configuration
Terraform
# Input variable with a default
variable "environment" {
  type        = string
  default     = "dev"
  description = "Environment name"
}

# No default, so a value must be supplied; the validation rejects zero and negative counts
variable "instance_count" {
  type        = number
  description = "Number of instances"

  validation {
    error_message = "Instance count must be greater than 0."
    condition     = var.instance_count > 0
  }
}

# Plain output (sensitive = false is the default)
output "instance_ip" {
  value       = aws_instance.web.public_ip
  sensitive   = false
  description = "Public IP of the instance"
}

# sensitive = true only redacts the value in plan/apply output.
# The password is still written to the state file in plain text, and
# `terraform output database_password` prints it. Protect the state accordingly, or
# keep the secret in a secrets manager and output a reference to it instead.
output "database_password" {
  value       = aws_db_instance.database.password
  sensitive   = true
  description = "Database password"
}
Modules and Workspaces
Module Configuration
Module configuration examples
Terraform
# The three blocks below are alternative ways to call a module named "vpc".

# Local module: the source is a directory in the same repository
module "vpc" {
  source      = "./modules/vpc"
  environment = var.environment
  vpc_cidr    = "10.0.0.0/16"
}

# Registry module pinned to an exact version.
# A module creates resources with the caller's provider credentials, so an exact pin
# keeps `terraform init` from pulling in a newer release that nobody has reviewed.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "3.0.0"

  cidr = "10.0.0.0/16"
  name = "my-vpc"
}

# Module that receives an aliased provider configuration from the caller
module "vpc" {
  source = "./modules/vpc"

  providers = {
    aws = aws.us-west-2
  }
}
Workspace Management
Workspace management commands
Terraform
# Workspaces keep separate state but share one backend and one set of credentials;
# they are not an access boundary between environments such as dev and prod.
# List workspaces
terraform workspace list
# Create a new workspace and switch to it
terraform workspace new dev
# Switch to an existing workspace
terraform workspace select prod
# Print the current workspace; check it before running apply or destroy
terraform workspace show
# Delete a workspace
terraform workspace delete dev
Remote State
Remote state configuration
Terraform
# S3 backend.
# State records every attribute of every managed resource, secrets included, so the
# bucket holding it is a sensitive data store in its own right.
terraform {
  backend "s3" {
    region = "us-west-2"
    bucket = "my-terraform-state"
    key    = "path/to/state/file"

    # Server-side encryption of the state object
    encrypt = true

    # DynamoDB table used for state locking
    dynamodb_table = "terraform-locks"
  }
}

# Azure Storage backend.
# No credentials appear in the block; keep it that way and authenticate through the
# environment rather than writing an access key into configuration.
terraform {
  backend "azurerm" {
    key                  = "prod.terraform.tfstate"
    container_name       = "tfstate"
    storage_account_name = "tfstate"
    resource_group_name  = "terraform-state"
  }
}
Security and Best Practices
State Security
State security configuration
Terraform
# Encrypt state at rest with a specific KMS key.
# With kms_key_id set, reading state needs permission to use that key in addition to
# S3 read access, which gives a second place to control who can see state contents.
terraform {
  backend "s3" {
    # ... other config ...
    kms_key_id = "arn:aws:kms:region:account:key/key-id"
    encrypt    = true
  }
}
# sensitive = true redacts the value in plan and apply output.
# It does not keep the value out of state: any resource argument that receives it is
# stored in the state file in plain text.
variable "db_password" {
  type        = string
  sensitive   = true
  description = "Database password"
}
# Refuse any request to the state bucket that is not made over TLS.
# The single Deny statement matches every principal and every S3 action on the bucket
# and its objects when aws:SecureTransport is "false".
# This enforces transport security only. It does not decide who may read state: that
# still depends on IAM permissions granted elsewhere, which should be least-privilege.
resource "aws_s3_bucket_policy" "state" {
  bucket = aws_s3_bucket.state.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Condition = {
          Bool = {
            "aws:SecureTransport" = "false"
          }
        }
        Resource = [
          aws_s3_bucket.state.arn,
          "${aws_s3_bucket.state.arn}/*",
        ]
      },
    ]
  })
}
Provider Configuration
Provider security configuration
Terraform
# AWS provider that assumes a role.
# No keys are written here: the ambient credentials are used only to assume the role,
# and resource operations then run with the role's permissions. Scope that role to
# what this configuration manages. The session name is recorded with the role session
# in CloudTrail, which helps attribute changes to Terraform runs.
provider "aws" {
  region = "us-west-2"

  assume_role {
    session_name = "terraform-session"
    role_arn     = "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
  }
}
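# Azure provider authenticating with a managed identity.
# The azurerm provider's argument for this is use_msi; use_managed_identity is not a
# provider argument and fails validation. With a managed identity no client secret is
# stored in configuration, variables or state; the identity comes from the Azure
# resource that runs Terraform.
provider "azurerm" {
  features {}

  use_msi = true
}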
# GCP provider reading a service-account key file.
# NOTE(review): a service-account JSON key is a long-lived credential stored on disk.
# Keep the file out of version control and restrict its permissions. Where possible,
# omit credentials so the provider uses Application Default Credentials, or use
# impersonate_service_account, so that no key file has to exist.
provider "google" {
  credentials = file("path/to/service-account.json")
  region      = "us-central1"
  project     = "my-project"
}
Resource Security
Resource security configuration
Terraform
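# Versioned, encrypted bucket with a 90-day expiration rule.
# NOTE: in AWS provider v4 and later the inline versioning,
# server_side_encryption_configuration and lifecycle_rule blocks are deprecated in
# favour of the standalone aws_s3_bucket_versioning,
# aws_s3_bucket_server_side_encryption_configuration and
# aws_s3_bucket_lifecycle_configuration resources. They are kept inline here as in the
# original example.
resource "aws_s3_bucket" "secure" {
  bucket = "my-secure-bucket"

  # Keep earlier object versions so overwrites and deletes can be undone
  versioning {
    enabled = true
  }

  # AES256 is SSE-S3 (keys managed by S3); use "aws:kms" with a key ID when access to
  # the key itself must be controlled and audited
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }

  lifecycle_rule {
    enabled = true

    # On a versioned bucket, expiring the current version adds a delete marker; older
    # versions stay until a noncurrent-version rule removes them
    expiration {
      days = 90
    }
  }
}

# Encryption and versioning do not stop a bucket policy or ACL from exposing objects.
# Block all four forms of public access explicitly.
resource "aws_s3_bucket_public_access_block" "secure" {
  bucket = aws_s3_bucket.secure.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}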
# Security group for a public web server.
# "Secure" here means only one inbound port is open. That port is still reachable from
# every IPv4 address and carries unencrypted HTTP. For a service that is not meant to
# be public, replace 0.0.0.0/0 with the load balancer or known client ranges, and
# serve TLS on 443.
resource "aws_security_group" "web" {
  vpc_id      = aws_vpc.main.id
  name        = "web-sg"
  description = "Web server security group"

  # Inbound: TCP 80 from anywhere
  ingress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound: every protocol and port to anywhere (protocol "-1" means all).
  # Narrow this when the instance only needs to reach specific destinations.
  egress {
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "web-sg"
  }
}
Advanced Features
Dynamic Blocks
Dynamic blocks configuration
Terraform
# One ingress rule is generated per element of var.ingress_rules.
# Whatever the caller puts in that variable becomes a firewall rule, so constrain it:
# give the variable a type and a validation block that rejects ranges and ports the
# module should never open.
resource "aws_security_group" "web" {
  # ... basic configuration ...

  dynamic "ingress" {
    for_each = var.ingress_rules

    content {
      protocol    = ingress.value.protocol
      from_port   = ingress.value.from_port
      to_port     = ingress.value.to_port
      cidr_blocks = ingress.value.cidr_blocks
    }
  }
}
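# Dynamic IAM policy.
# aws_iam_policy has no statement block; it takes the policy as a JSON document in its
# policy argument. Statement blocks belong to the aws_iam_policy_document data source,
# so the statements are generated there and the rendered JSON is passed to the policy.
# One statement is generated per element of var.policy_statements. Review what callers
# supply: wildcard actions or resources in that variable become wildcard grants here.
data "aws_iam_policy_document" "dynamic" {
  dynamic "statement" {
    for_each = var.policy_statements

    content {
      effect    = statement.value.effect
      actions   = statement.value.actions
      resources = statement.value.resources
    }
  }
}

resource "aws_iam_policy" "dynamic" {
  name   = "dynamic-policy"
  policy = data.aws_iam_policy_document.dynamic.json
}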
Local Values
Local values configuration
Terraform
# Named expressions computed once and reused across the module
locals {
  # Three instances in prod, one everywhere else
  instance_count = var.environment == "prod" ? 3 : 1

  # Two subnets carved out of var.vpc_cidr by adding 8 bits to the prefix
  # (network numbers 0 and 1)
  subnet_cidrs = {
    public  = cidrsubnet(var.vpc_cidr, 8, 0)
    private = cidrsubnet(var.vpc_cidr, 8, 1)
  }

  # Tags applied to every resource
  common_tags = {
    Environment = var.environment
    Project     = var.project
    ManagedBy   = "Terraform"
  }
}

# Referencing locals from resources
resource "aws_instance" "web" {
  # ... basic configuration ...
  tags = local.common_tags
}

resource "aws_subnet" "public" {
  cidr_block = local.subnet_cidrs.public
  # ... other configuration ...
}
Terraform Functions
Terraform functions usage
Terraform
# String functions
locals {
  name           = "my-resource"
  upper_name     = upper(local.name)
  formatted_name = format("%s-%s", var.environment, local.name)
}

# Numeric functions
locals {
  # tonumber fails at plan time if var.port is not a numeric string
  port_number = tonumber(var.port)

  # Never fewer than one instance, whatever var.desired_count says
  instance_count = max(1, var.desired_count)
}

# Collection functions
locals {
  unique_ports = distinct(var.ports)

  # On duplicate keys the later argument wins, so local.common_tags override var.tags
  all_tags = merge(var.tags, local.common_tags)

  # element() wraps around past the end of the list and fails on an empty list
  first_subnet = element(var.subnets, 0)
}

# Type conversion
locals {
  number_map  = tomap(var.number_object)
  string_list = tolist(var.string_set)
}