`terraform init`	Initialize working directory
`terraform plan`	Show execution plan
`terraform apply`	Apply changes
`terraform apply -auto-approve`	Apply without confirmation
`terraform destroy`	Destroy infrastructure
`terraform validate`	Validate configuration
`terraform fmt`	Format code
`terraform fmt -recursive`	Format all files recursively

State Commands

`terraform state list`	List resources in state
`terraform state show aws_instance.example`	Show resource details
`terraform state mv old_name new_name`	Move/rename resource
`terraform state rm aws_instance.example`	Remove from state
`terraform state pull`	Pull remote state
`terraform state push`	Push state to remote
`terraform refresh`	Refresh state

Other Commands

`terraform output`	Show outputs
`terraform output -json`	Output as JSON
`terraform console`	Interactive console
`terraform graph`	Generate dependency graph
`terraform import aws_instance.example i-1234`	Import existing resource
`terraform taint aws_instance.example`	Mark for recreation
`terraform untaint aws_instance.example`	Remove taint
`terraform workspace list`	List workspaces
`terraform workspace new dev`	Create workspace
`terraform workspace select prod`	Switch workspace

HCL Syntax

Basic Structure

Provider

provider "aws" {
  region = "us-west-2"
}

Resource

resource "aws_instance" "example" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"

  tags = {
    Name = "example-instance"
  }
}

Data source

data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-*"]
  }

  owners = ["099720109477"]
}

Reference data

resource "aws_instance" "web" {
  ami = data.aws_ami.ubuntu.id
}

Variables

Variable declaration

variable "instance_type" {
  description = "EC2 instance type"
  type        = string
  default     = "t2.micro"
}

Variable types

variable "name" {
  type = string
}

variable "count" {
  type = number
}

variable "enabled" {
  type = bool
}

variable "tags" {
  type = map(string)
}

variable "subnets" {
  type = list(string)
}

Use variable

resource "aws_instance" "web" {
  instance_type = var.instance_type
  tags          = var.tags
}

Variable file

# terraform.tfvars
instance_type = "t3.medium"
environment   = "production"

tags = {
  Project = "web-app"
  Team    = "devops"
}

Sensitive variable

variable "db_password" {
  type      = string
  sensitive = true
}

Outputs

Output value

output "instance_ip" {
  description = "Public IP of the instance"
  value       = aws_instance.web.public_ip
}

Sensitive output

output "db_password" {
  value     = random_password.db.result
  sensitive = true
}

Expressions

Expressions & Functions

String interpolation

name = "web-${var.environment}"

Conditional

instance_type = var.environment == "prod" ? "t3.large" : "t3.micro"

For expression (list)

upper_names = [for name in var.names : upper(name)]

For expression (map)

instance_ids = { for k, v in aws_instance.web : k => v.id }

Count

resource "aws_instance" "web" {
  count = 3
  tags = {
    Name = "web-${count.index}"
  }
}

For each (map)

resource "aws_instance" "web" {
  for_each = var.instances

  ami           = each.value.ami
  instance_type = each.value.type

  tags = {
    Name = each.key
  }
}

For each (set)

resource "aws_iam_user" "users" {
  for_each = toset(var.user_names)
  name     = each.value
}

Common Functions

String functions

lower("HELLO")        # "hello"
upper("hello")        # "HELLO"
trim("  hello  ")     # "hello"
split(",", "a,b,c")   # ["a", "b", "c"]
join(",", ["a", "b"]) # "a,b"

Collection functions

length(["a", "b"])    # 2
concat([1,2], [3,4])  # [1,2,3,4]
merge(map1, map2)     # Merge maps
lookup(map, key, default)
element(list, index)
contains(list, value)

Type functions

tostring(42)          # "42"
tonumber("42")        # 42
tolist(set)           # Convert to list
tomap(object)         # Convert to map

File functions

file("script.sh")     # Read file content
fileexists("path")    # Check if exists
templatefile("tpl.sh", { name = "foo" })

Modules

Module Usage

Use local module

module "vpc" {
  source = "./modules/vpc"

  cidr_block = "10.0.0.0/16"
  name       = "my-vpc"
}

Use registry module

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.0.0"

  name = "my-vpc"
  cidr = "10.0.0.0/16"
}

Use GitHub module

module "vpc" {
  source = "github.com/org/repo//modules/vpc?ref=v1.0.0"
}

Module output

resource "aws_instance" "web" {
  subnet_id = module.vpc.public_subnet_ids[0]
}

Create Module

Module structure

modules/vpc/
├── main.tf       # Resources
├── variables.tf  # Input variables
├── outputs.tf    # Output values
└── versions.tf   # Provider versions

Module outputs

# modules/vpc/outputs.tf
output "vpc_id" {
  value = aws_vpc.main.id
}

output "subnet_ids" {
  value = aws_subnet.main[*].id
}

State Management

Remote State

S3 backend

terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-west-2"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
}

Remote state data

data "terraform_remote_state" "vpc" {
  backend = "s3"

  config = {
    bucket = "my-terraform-state"
    key    = "vpc/terraform.tfstate"
    region = "us-west-2"
  }
}

# Use: data.terraform_remote_state.vpc.outputs.vpc_id

Lifecycle

Lifecycle rules

resource "aws_instance" "web" {
  # ...

  lifecycle {
    create_before_destroy = true
    prevent_destroy       = true
    ignore_changes        = [tags]
  }
}

Depends on

resource "aws_instance" "web" {
  # ...

  depends_on = [
    aws_iam_role_policy.example
  ]
}