terraform-workflow

npx machina-cli add skill agenticdevops/devops-execution-engine/terraform-workflow --openclaw

Terraform Workflow

Infrastructure as Code practices with Terraform.

When to Use This Skill

Use this skill when:

  • Managing infrastructure with Terraform
  • Reviewing terraform plans
  • Debugging state issues
  • Following IaC best practices

Basic Workflow

Initialize

# Initialize working directory
terraform init

# Upgrade providers
terraform init -upgrade

# Reconfigure backend
terraform init -reconfigure

Plan

# Preview changes
terraform plan

# Save plan to file
terraform plan -out=tfplan

# Plan for specific target
terraform plan -target=aws_instance.example

# Plan destroy
terraform plan -destroy

Apply

# Apply changes (with approval)
terraform apply

# Apply saved plan (no approval needed)
terraform apply tfplan

# Auto-approve (use with caution!)
terraform apply -auto-approve

# Apply specific target
terraform apply -target=aws_instance.example

Destroy

# Plan destruction first
terraform plan -destroy

# Destroy with approval
terraform destroy

# Destroy specific resource
terraform destroy -target=aws_instance.example

State Management

View State

# List resources in state
terraform state list

# Show specific resource
terraform state show aws_instance.example

# Full state (sensitive!)
terraform show

State Operations

# Move resource (rename)
terraform state mv aws_instance.old aws_instance.new

# Remove from state (resource still exists)
terraform state rm aws_instance.example

# Import existing resource
terraform import aws_instance.example i-1234567890abcdef0

# Pull remote state locally (the file holds resource attributes, including secrets, in plaintext)
terraform state pull > terraform.tfstate.backup

State Locking

# Force unlock (use carefully!)
terraform force-unlock LOCK_ID

Workspaces

# List workspaces
terraform workspace list

# Create workspace
terraform workspace new staging

# Switch workspace
terraform workspace select production

# Current workspace
terraform workspace show

Validation & Formatting

# Validate configuration
terraform validate

# Format code
terraform fmt

# Format check (CI/CD)
terraform fmt -check

# Recursive format
terraform fmt -recursive

Output & Variables

View Outputs

# All outputs
terraform output

# Specific output
terraform output instance_ip

# JSON format
terraform output -json

Variable Files

# Use var file
terraform plan -var-file=production.tfvars

# Override variable
terraform plan -var="instance_type=t3.large"

Debugging

Verbose Logging

# Enable debug logging
export TF_LOG=DEBUG
terraform plan

# Log to file (debug logs can contain sensitive values; review before sharing)
export TF_LOG_PATH=terraform.log
terraform plan

# Disable logging
unset TF_LOG TF_LOG_PATH

Common Issues

| Issue | Cause | Fix |
|---|---|---|
| State lock | Concurrent access | terraform force-unlock |
| Provider error | Version mismatch | terraform init -upgrade |
| Resource drift | Manual changes | terraform refresh then plan |
| Cycle error | Circular dependency | Break dependency with depends_on |

Refresh State

# Update state with real infrastructure (deprecated in current Terraform; writes state without review)
terraform refresh

# Or review detected drift first with a refresh-only plan
terraform plan -refresh-only

Safe Practices

Plan Review Checklist

  1. Check the summary: How many add/change/destroy?
  2. Review destroys: Any unexpected deletions?
  3. Check sensitive changes: IAM, security groups, encryption
  4. Validate resource names: Especially for stateful resources
  5. Look for force replacements: # forces replacement
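
The checklist above, automated against the JSON form of a saved plan (`terraform show -json tfplan`), as an added example that is not part of the original skill. The sensitive-type prefix list, the function names and the sample plan are assumptions made for illustration.

```python
import json

# Assumed, partial list of security-sensitive type prefixes (IAM, security groups,
# encryption, bucket policy); extend it for the providers you use.
SENSITIVE_PREFIXES = ("aws_iam_", "aws_security_group", "aws_kms_", "aws_s3_bucket_policy")

def review_plan(plan):
    """Summarise the resource_changes array of `terraform show -json tfplan`."""
    report = {"add": 0, "change": 0, "destroy": 0,
              "destroyed": [], "replaced": [], "sensitive": []}
    for rc in plan.get("resource_changes", []):
        actions = set(rc["change"]["actions"])
        if actions <= {"no-op", "read"}:  # unchanged resources and data-source reads
            continue
        addr = rc["address"]
        if "create" in actions:
            report["add"] += 1
        if "update" in actions:
            report["change"] += 1
        if "delete" in actions:
            report["destroy"] += 1
            # delete and create on one resource is a forced replacement
            key = "replaced" if "create" in actions else "destroyed"
            report[key].append(addr)
        if rc["type"].startswith(SENSITIVE_PREFIXES):
            report["sensitive"].append(addr)
    return report

def gate(report, allow_destroy=()):
    """Addresses that need human sign-off before an unattended apply."""
    risky = [a for a in report["destroyed"] + report["replaced"]
             if a not in allow_destroy]
    return sorted(set(risky + report["sensitive"]))

# Constructed sample in the shape of the plan JSON (not taken from a real plan).
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "aws_instance.web", "type": "aws_instance", "change": {"actions": ["update"]}},
 {"address": "aws_db_instance.main", "type": "aws_db_instance", "change": {"actions": ["delete", "create"]}},
 {"address": "aws_security_group.ssh", "type": "aws_security_group", "change": {"actions": ["create"]}},
 {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["delete"]}},
 {"address": "aws_iam_role.ci", "type": "aws_iam_role", "change": {"actions": ["no-op"]}}
]}""")

if __name__ == "__main__":
    result = review_plan(SAMPLE_PLAN)
    print("Plan: %(add)d to add, %(change)d to change, %(destroy)d to destroy" % result)
    for address in gate(result):
        print("needs review:", address)
```

In CI, feed it the output of `terraform show -json tfplan` and fail the job when `gate` returns a non-empty list.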

Safe Apply Workflow

# 1. Always plan first
terraform plan -out=tfplan

# 2. Review plan carefully
terraform show tfplan

# 3. Apply saved plan
terraform apply tfplan

# 4. Verify changes
terraform show

Prevent Accidental Destroys

# In your terraform config
resource "aws_instance" "critical" {
  # ...

  lifecycle {
    prevent_destroy = true
  }
}

Module Management

# Get modules
terraform get

# Update modules
terraform get -update

# Show the providers required by the configuration and each of its modules
terraform providers

CI/CD Integration

GitHub Actions Example

- name: Terraform Plan
  run: |
    terraform init
    terraform plan -out=tfplan -no-color

- name: Terraform Apply
  if: github.ref == 'refs/heads/main'
  run: terraform apply -auto-approve tfplan

Plan Output for PR

# Generate plan for PR comment
terraform plan -no-color > plan.txt 2>&1

Cost Estimation

# With Infracost
infracost breakdown --path .

# Cost diff
infracost diff --path .

Security Scanning

# With tfsec
tfsec .

# With checkov
checkov -d .

# With trivy
trivy config .

Quick Reference

# Full workflow
terraform init && terraform plan -out=tfplan && terraform apply tfplan

# Check what would be destroyed
terraform plan -destroy | grep "will be destroyed"

# List all resources
terraform state list

# Import resource
terraform import aws_instance.name i-1234567890

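# Taint for recreation on the next apply (deprecated since Terraform v0.15.2; apply -replace=ADDRESS supersedes it)
terraform taint aws_instance.example
# Remove the taint if the resource should not be recreated
terraform untaint aws_instance.example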

Related Skills

  • aws-ops: For AWS resource verification
  • git-workflow: For IaC version control
  • cost-optimization: For infrastructure costs

Source

https://github.com/agenticdevops/devops-execution-engine/blob/main/skills/terraform-workflow/SKILL.md

Overview

Terraform Workflow provides structured IaC practices for managing infrastructure with Terraform. It covers the full lifecycle—from initialization to destruction—plus state management, workspaces, and safe formatting and validation, ensuring repeatable, auditable deployments.

How This Skill Works

Teams follow a repeatable sequence: initialize with terraform init (including -upgrade and -reconfigure when needed), generate a plan with terraform plan (optionally saving with -out) and apply the saved plan with terraform apply tfplan. State management and workspaces are used to isolate environments, while linting, formatting and validation enforce code quality.

When to Use It

  • Managing infrastructure with Terraform across environments
  • Reviewing terraform plans before applying changes
  • Debugging state issues, drift, or resource renames
  • Enforcing IaC best practices like formatting and validation in CI/CD
  • Targeted changes to specific resources using -target or per-resource workflows

Quick Start

  1. terraform init -upgrade -reconfigure
  2. terraform plan -out=tfplan
  3. terraform apply tfplan

Best Practices

  • Always run terraform plan before applying changes to review impact
  • Save planned changes with -out and apply the plan to ensure determinism
  • Use a remote backend with state locking to prevent concurrent edits
  • Leverage workspaces to separate environments (e.g., staging vs production)
  • Format and validate configs regularly; automate with CI checks (terraform fmt -check, terraform validate)

Example Use Cases

  • Plan and apply with a saved plan: terraform init -upgrade -reconfigure; terraform plan -out=tfplan; terraform apply tfplan
  • Limit changes to a single resource during a rollout using terraform plan -target=aws_instance.example and terraform apply -target=aws_instance.example
  • Migrate a resource in state: terraform state mv aws_instance.old aws_instance.new
  • Manage multiple environments via workspaces: terraform workspace new staging; terraform workspace select production
  • Use a var file for environment-specific config: terraform plan -var-file=production.tfvars
