Safe Plan-Apply Workflow

Beginner8 min

Review Terraform plans carefully and use targeted applies to minimize blast radius when making infrastructure changes.

Prerequisites

-Terraform installed

Steps

Run terraform plan and save to file

Generate an execution plan and save it as a binary file for later review or application.

$ terraform plan -out=tfplan

Always save the plan to a file. This ensures the exact reviewed plan is what gets applied.

Review the plan in detail

Display the saved plan in human-readable format to review every change before applying.

$ terraform show tfplan

Apply only the saved plan

Apply the exact saved plan without re-computing changes, ensuring consistency with what was reviewed.

$ terraform apply tfplan

Never run 'terraform apply' without a saved plan in production. It recomputes changes which may differ from what you reviewed.

Target a specific resource for apply

Apply changes to only a specific resource when you want to limit the blast radius.

$ terraform plan -target=aws_instance.web -out=tfplan

Targeted applies are useful for debugging but should not be the norm. Terraform warns about this for a reason.

Use detailed exit codes in CI

Use -detailed-exitcode to programmatically determine if changes are pending (exit 2) or clean (exit 0).

$ terraform plan -detailed-exitcode; echo "Exit code: $?"

Exit code 0 means no changes, 1 means error, 2 means changes pending. Useful for CI/CD decision logic.

Full Script

full-script.sh

#!/bin/bash
set -euo pipefail

# Safe Terraform Plan-Apply Workflow
# Reviews plan and prompts before applying

echo "==> Running terraform plan..."
terraform plan -out=tfplan -detailed-exitcode 2>&1 | tee /tmp/tf-plan-output.txt
EXIT_CODE=${PIPESTATUS[0]}

if [ "$EXIT_CODE" -eq 0 ]; then
  echo "No changes needed. Infrastructure is up to date."
  exit 0
elif [ "$EXIT_CODE" -eq 1 ]; then
  echo "ERROR: Plan failed. Check the output above."
  exit 1
fi

echo ""
echo "==> Plan summary:"
terraform show -no-color tfplan | grep -E "^(Plan:|  #|  \+|  -|  ~)" | head -30

echo ""
read -p "Apply this plan? (yes/no): " CONFIRM
if [ "$CONFIRM" = "yes" ]; then
  echo "==> Applying plan..."
  terraform apply tfplan
  echo "==> Apply complete."
else
  echo "==> Apply cancelled."
  rm -f tfplan
fi

FAQ

Discussion

Loading comments...

#!/bin/bash set -euo pipefail # Safe Terraform Plan-Apply Workflow # Reviews plan and prompts before applying echo "==> Running terraform plan..." terraform plan -out=tfplan -detailed-exitcode 2>&1 | tee /tmp/tf-plan-output.txt EXIT_CODE=${PIPESTATUS[0]} if [ "$EXIT_CODE" -eq 0 ]; then echo "No changes needed. Infrastructure is up to date." exit 0 elif [ "$EXIT_CODE" -eq 1 ]; then echo "ERROR: Plan failed. Check the output above." exit 1 fi echo "" echo "==> Plan summary:" terraform show -no-color tfplan | grep -E "^(Plan:| #| \+| -| ~)" | head -30 echo "" read -p "Apply this plan? (yes/no): " CONFIRM if [ "$CONFIRM" = "yes" ]; then echo "==> Applying plan..." terraform apply tfplan echo "==> Apply complete." else echo "==> Apply cancelled." rm -f tfplan fi