Skip to content

Terraform Plan & Apply: Deployment Workflow

DodaTech 5 min read

In this tutorial, you'll learn about Terraform Plan & Apply: Deployment Workflow. We cover key concepts, practical examples, and best practices.

The Terraform plan and apply workflow is the core deployment cycle that lets you preview infrastructure changes before executing them, ensuring safe and predictable infrastructure modifications.

What You'll Learn

In this tutorial, you will learn how to run Terraform plan and apply, interpret plan output, use target and parallelism flags, handle apply failures, and automate the workflow in CI/CD pipelines.

Why It Matters

The plan-apply cycle is Terraform's killer feature. Plans show exactly what will change before any resource is modified. This prevents accidental deletions, resource replacements, and configuration drift that plague manual infrastructure management.

Real-World Use

DodaTech runs <a href="/devops/terraform/">terraform</a> plan in every pull request as a CI check. Durga Antivirus Pro's platform engineers review plan output before any apply. This workflow has prevented dozens of accidental resource deletions and configuration errors.

Terraform Plan

The plan command creates an execution plan showing what Terraform will do to reach the desired state:

terraform plan

Expected output:

Terraform used the selected providers to generate the following execution plan.
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # aws_instance.web will be created
  + resource "aws_instance" "web" {
      + ami           = "ami-0c55b159cbfafe1f0"
      + instance_type = "t2.micro"
      + tags          = {
          + "Name" = "WebServer"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Plan Symbols

  • + (create): Terraform will create a new resource
  • - (destroy): Terraform will delete a resource
  • ~ (update in-place): Terraform will modify existing resource attributes
  • -/+ (replace): Terraform will destroy and recreate the resource

Save Plan to File

terraform plan -out=plan.tfplan

Expected output: A binary plan file is saved. Applying this exact plan ensures no configuration drift between plan and apply.

Terraform Apply

The apply command executes the changes shown in the plan:

terraform apply

Expected output: Terraform shows the plan and prompts for confirmation. Type "yes" to proceed. Resources are created in dependency order.

Apply with Saved Plan

terraform apply plan.tfplan

Expected output: Applies the exact plan without re-reading configuration or prompting. This is the recommended approach for CI/CD pipelines.

Auto-Approve

terraform apply -auto-approve

Expected output: Skips the confirmation prompt. Use only in automated pipelines where human review happens at the plan stage.

Advanced Plan Options

Target Specific Resources

terraform plan -target=aws_instance.web

Expected output: The plan includes only the targeted resource and its dependencies. Use sparingly -- targeting bypasses full dependency resolution.

Plan with Variable Input

terraform plan -var="instance_type=t3.large" -var-file=production.tfvars

Expected output: Variables override default values for this plan run without modifying configuration files.

Destroy Plan

terraform plan -destroy

Expected output: Shows what would be destroyed without executing the destruction.

Handling Apply Failures

When apply fails mid-way, Terraform may have created some resources and failed on others:

# Check current state
terraform state list

# Verify what was created
terraform apply

Expected output: Re-running <a href="/devops/terraform/">terraform</a> apply after fixing the error picks up where it left off. Terraform handles partial completion gracefully by comparing state with configuration.

Force Unlock

If state is locked due to a failed or interrupted apply:

terraform force-unlock LOCK_ID

Expected output: Removes the lock. Only use this when you are certain no other process is running.

Parallelism

Control how many resources Terraform creates simultaneously:

terraform apply -parallelism=10

Expected output: Terraform creates up to 10 resources in parallel. The default is 10. Lower values reduce API rate limits but slow deployments.

Common Mistakes

1. Skipping Plan Before Apply

Running <a href="/devops/terraform/">terraform</a> apply without first reviewing the plan risks unexpected resource destruction or modification.

2. Ignoring Destroy Symbols in Plans

The - symbol in plans indicates resource deletion. Always review destroy actions before applying.

3. Using Auto-Approve in Production

-auto-approve skips the safety check. Use it only in CI/CD where plan review happens separately.

4. Losing Plan Files

Applying without the saved plan file re-reads configuration, which may have changed since planning. Always save and use plan files in pipelines.

5. Apply Timeouts on Long-Running Resources

Some resources take minutes to create. Use -timeout=30m for resources like RDS instances that take longer than the default timeout.

Practice Questions

1. What do the symbols +, -, ~, and -/+ mean in a plan? + creates, - destroys, ~ updates in-place, -/+ destroys and recreates.

2. Why should you save plan files in CI/CD? Saved plans ensure the exact same changes are applied that were reviewed. Configuration may change between plan and apply.

3. How do you handle a failed Terraform apply? Fix the error and re-run <a href="/devops/terraform/">terraform</a> apply. Terraform compares state with configuration and creates only the missing resources.

4. What does the -target flag do and why should it be used sparingly? -target limits the plan to specific resources and their dependencies. It bypasses full dependency resolution and can cause incomplete state.

5. Challenge: Create a multi-resource configuration, run <a href="/devops/terraform/">terraform</a> plan -out=plan.tfplan, apply from the saved plan, then run <a href="/devops/terraform/">terraform</a> plan -destroy to verify the destruction plan.

Mini Project: Safe Deployment Workflow

Write a configuration with an S3 bucket, EC2 instance, and security group. Run <a href="/devops/terraform/">terraform</a> plan, save to a file, review the output, then apply. Introduce an error (wrong AMI), observe the plan update, fix it, and re-apply. Practice the full feedback loop.

Terraform Workspaces
Remote Backends

What's Next

Master the Terraform plan and apply workflow, then configure Remote Backends for team-based state management and collaboration.

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro