By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
init
plan
apply
destroy
A Hyper-Practical, Zero-Fluff Study Guide
Terraform’s CLI workflow (init, plan, apply, destroy) is the core loop of Infrastructure as Code (IaC). Think of it like a construction crew’s playbook: - init = Unloading tools and materials (setting up the environment).- plan = Reviewing the blueprint (what will change?).- apply = Building the structure (deploying resources).- destroy = Demolishing it (cleaning up).
Why this matters in production:- Safety: plan acts as a dry run—preventing accidental deletions or misconfigurations.- Auditability: Every change is logged, version-controlled, and repeatable.- Collaboration: Teams review plan outputs before apply, reducing "oops" moments.- Cost control: destroy lets you tear down unused resources (e.g., dev environments after hours).
Real-world scenario:You inherit a Terraform repo with 50+ AWS resources. The last engineer left no documentation. You need to: 1. Safely update a VPC’s CIDR block without breaking production.2. Verify changes before applying them.3. Clean up unused resources to cut costs.
If you skip plan or init, you risk: - Downtime (e.g., accidentally deleting a database).- Cost spikes (e.g., leaving orphaned EC2 instances running).- Configuration drift (manual changes not tracked in code).
terraform init
-upgrade
-backend-config
terraform plan
-out=tfplan
-var-file=prod.tfvars
-destroy
terraform apply
-auto-approve=false
-auto-approve
-target=aws_instance.web
terraform destroy
-target=aws_s3_bucket.logs
terraform.tfstate
required_providers
aws configure
brew install terraform
us-east-1
mkdir tf-demo && cd tf-demo touch main.tf
# main.tf terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" # Pin to avoid breaking changes } } } provider "aws" { region = "us-east-1" } resource "aws_instance" "web" { ami = "ami-0c55b159cbfafe1f0" # Amazon Linux 2 (us-east-1) instance_type = "t2.micro" tags = { Name = "tf-demo-web" } } resource "aws_security_group" "ssh" { name = "allow_ssh" description = "Allow SSH inbound traffic" ingress { from_port = 22 to_port = 22 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] # ⚠️ Open to the world (fix in prod!) } }
Expected output:
Initializing the backend...Initializing provider plugins...- Finding hashicorp/aws versions matching "~> 5.0"...- Installing hashicorp/aws v5.19.0...- Installed hashicorp/aws v5.19.0 (signed by HashiCorp) Terraform has been successfully initialized!
Key things to check in the output:- + aws_instance.web (resource will be created).- + aws_security_group.ssh (security group will be created).- No ~ (modify) or - (destroy) actions (this is a new deployment).
+ aws_instance.web
+ aws_security_group.ssh
~
-
yes
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
aws ec2 describe-instances --filters "Name=tag:Name,Values=tf-demo-web" --query "Reservations[].Instances[].PublicIpAddress" --output text
Destroy complete! Resources: 2 destroyed.
AmazonEC2FullAccess
AdministratorAccess
.tf
sensitive = true
t3.micro
t2.micro
aws_spot_instance_request
aws_autoscaling_group
Environment = "dev"
modules/vpc
modules/ec2
hcl terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" # Allows 5.x but not 6.0 } } }
hcl terraform { backend "s3" { bucket = "my-tf-state-bucket" key = "prod/terraform.tfstate" region = "us-east-1" dynamodb_table = "terraform-lock" } }
hcl tags = { Owner = "team-infra" Environment = "prod" Terraform = "true" }
-target
Trap: "Initializes the state file" (wrong—state is initialized on first apply).
"What happens if you run terraform apply twice?"
Trap: "It creates duplicate resources" (wrong—Terraform tracks state).
"How do you save a plan for later use?"
terraform plan -out=tfplan
Trap: "Use terraform save" (doesn’t exist).
terraform save
"What’s the safest way to destroy a single resource?"
terraform destroy -target=aws_instance.web
"You need to update a production VPC’s CIDR block without downtime. What’s the safest approach?"- Correct answer: 1. Run terraform plan to review changes. 2. Use terraform apply -target=aws_vpc.prod to update only the VPC. 3. Verify connectivity before updating dependent resources.- Trap: Running apply without -target could modify unrelated resources.
terraform apply -target=aws_vpc.prod
Challenge:Deploy an AWS S3 bucket with versioning enabled, then modify the configuration to add a lifecycle rule that transitions objects to Glacier after 30 days. Verify the changes with plan before applying.
Solution:
# main.tf resource "aws_s3_bucket" "logs" { bucket = "my-unique-bucket-name-12345" # Must be globally unique! } resource "aws_s3_bucket_versioning" "logs" { bucket = aws_s3_bucket.logs.id versioning_configuration { status = "Enabled" } } resource "aws_s3_bucket_lifecycle_configuration" "logs" { bucket = aws_s3_bucket.logs.id rule { id = "glacier-transition" status = "Enabled" transition { days = 30 storage_class = "GLACIER" } } }
Steps:1. Run terraform init.2. Run terraform plan and verify: - + aws_s3_bucket.logs (bucket will be created). - + aws_s3_bucket_versioning.logs (versioning enabled). - + aws_s3_bucket_lifecycle_configuration.logs (lifecycle rule added).3. Run terraform apply.4. Verify in the AWS Console: Bucket → Management → Lifecycle rules.
+ aws_s3_bucket.logs
+ aws_s3_bucket_versioning.logs
+ aws_s3_bucket_lifecycle_configuration.logs
Why it works:- Terraform tracks the state of the bucket and applies only the new lifecycle rule.- Versioning is enabled before the lifecycle rule (order matters!).
-backend-config=backend.tfvars
terraform state list
terraform state show
terraform state show aws_instance.web
terraform output
terraform validate
terraform fmt
-recursive
⚠️ Exam Traps:- terraform init does not create resources—it just sets up the environment.- terraform plan is read-only—it doesn’t modify anything.- terraform destroy is permanent—always review the plan first.- Remote state is required for teams (local state is for solo dev only).
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.