Terraform has a small CLI surface, but the commands interact in ways that aren’t obvious until something goes wrong — and the Terraform Associate exam tests exactly those interactions. “Which command does X” questions are some of the easiest points on the exam if you’ve organized the commands in your head, and some of the easiest to fumble if you haven’t.
This cheat sheet groups every command you realistically need by what job it does, with the flags and gotchas that show up in real work and in exam questions.
The Core Workflow
The famous cycle. If you know nothing else, know this:
terraform init # set up the working directory
terraform plan # preview changes
terraform apply # execute changes
terraform destroy # tear everything downterraform init
Run first, in every new or changed working directory. It:
- Downloads provider plugins (per
required_providersconstraints) - Initializes or migrates the backend
- Downloads modules referenced in configuration
It does not create infrastructure or validate your logic. Useful variants:
terraform init -upgrade # allow newer provider versions within constraints
terraform init -backend-config=prod.hcl # supply backend values at init time
terraform init -migrate-state # move state when the backend changed
terraform init -reconfigure # reinitialize backend, ignore existing configterraform plan
Computes the diff between configuration, state, and reality. Nothing is changed.
terraform plan -out=tfplan # save the plan for a guaranteed-identical apply
terraform plan -refresh-only # show drift without proposing config changes
terraform plan -target=aws_instance.web # narrow scope (sparingly!)
terraform plan -var="env=prod" -var-file="prod.tfvars"Plan symbols worth recognizing on sight: + create, - destroy, ~ update in place, -/+ destroy then recreate, <= read (data source).
terraform apply
terraform apply # plan + interactive approval
terraform apply tfplan # execute a saved plan, no prompt
terraform apply -auto-approve # skip approval (CI pipelines)
terraform apply -replace=aws_instance.web # force recreation of one resourceThat last flag matters: -replace is the modern way to force a rebuild. It superseded terraform taint, which still exists but is deprecated — a distinction the exam checks.
terraform destroy
Destroys everything in state (it’s an alias for apply -destroy). Accepts -target for selective teardown and -auto-approve for automation.
Writing & Validating Configuration
| Command | Job | Touches infra? |
|---|---|---|
terraform fmt | Rewrites files to canonical HCL style | No |
terraform validate | Checks syntax and internal consistency | No |
terraform console | Interactive REPL to evaluate expressions | No |
The exam’s favorite trap pair: fmt formats, validate validates — and neither checks against real cloud APIs (that’s what plan does). validate requires an initialized directory; fmt does not.
terraform fmt -recursive # format subdirectories too
terraform fmt -check # CI mode: exit non-zero if files would changeterraform console is criminally underused for learning: it’s the fastest way to test a for expression or builtin function before committing it to a config.
Inspecting What Exists
terraform show # human-readable state (or a saved plan file)
terraform state list # all resource addresses in state
terraform state show aws_instance.web # full attributes of one resource
terraform output # values of root module outputs
terraform output -raw db_endpoint # script-friendly single value
terraform graph # dependency graph in DOT formatManipulating State
These change Terraform’s bookkeeping, never the infrastructure itself:
terraform state mv aws_instance.a aws_instance.b # rename/move an address
terraform state rm aws_instance.legacy # forget a resource (it survives in the cloud)
terraform state pull # dump raw state JSON
terraform state push local.tfstate # overwrite remote state (recovery only)The pairing to memorize: state rm forgets, import remembers. To bring an existing, unmanaged resource under Terraform:
terraform import aws_instance.web i-0abc123def456Or declaratively, in Terraform 1.5+ (the version the current exam expects you to know):
import {
to = aws_instance.web
id = "i-0abc123def456"
}The import block participates in plan, can generate configuration with -generate-config-out, and is now the recommended approach. For the deeper story on state, see our Terraform state management guide.
Workspaces
CLI workspaces give you multiple state files from one configuration:
terraform workspace list
terraform workspace new staging
terraform workspace select prod
terraform workspace show
terraform workspace delete stagingInside configuration, the current workspace is available as terraform.workspace. Exam nuance: CLI workspaces and HCP Terraform workspaces are different concepts that share a name — CLI workspaces are alternate state files; HCP workspaces are full units of organization with their own variables, runs, and permissions.
Recovery & Edge Cases
The commands you hope to never need, which is exactly why they’re tested:
| Situation | Command |
|---|---|
| Stale state lock after a crashed run | terraform force-unlock <LOCK_ID> |
| Force a resource to be recreated | terraform apply -replace=<addr> |
| Mark a resource for recreation (deprecated) | terraform taint <addr> |
| Sync state to reality without config changes | terraform apply -refresh-only |
| Log in to HCP Terraform | terraform login |
| Check version and platform | terraform version |
The “Which Command?” Drill
Cover the right column and quiz yourself — this exact mapping, in scenario form, is worth several questions on the Associate exam:
| You need to… | Command |
|---|---|
| Download providers and modules | init |
| Preview without changing anything | plan |
Canonically format .tf files | fmt |
| Check config is syntactically valid | validate |
| Rename a resource without recreating it | state mv |
| Stop managing a resource but keep it alive | state rm |
| Start managing an existing resource | import |
| Force-recreate one resource | apply -replace |
| See one resource’s attributes | state show |
| Break a stuck lock | force-unlock |
| Evaluate an expression interactively | console |
| Switch to another state file | workspace select |
If you can do this table cold, CLI questions become free points. The harder version — where the exam gives you a scenario (“a teammate’s apply crashed and now every plan errors out…”) and you pick the command — is what timed practice is for. The full-length mocks in the Sailor.sh Terraform Associate bundle lean heavily on scenario-form CLI questions, with explanations of why each near-miss command (refresh vs -refresh-only, taint vs -replace, rm vs destroy -target) is wrong.
Frequently Asked Questions
Q: What’s the difference between terraform validate and terraform plan?
A: validate checks syntax and internal consistency offline — no credentials, no API calls. plan contacts providers and compares against real infrastructure.
Q: Is terraform taint gone?
A: It still works but is deprecated. Use terraform apply -replace=<address> — it shows the replacement in the plan instead of mutating state ahead of time.
Q: Do I need to run init after adding a module?
A: Yes. New providers, new modules, or a changed backend all require re-running terraform init.
Q: How many CLI questions are on the Terraform Associate exam? A: The CLI and core workflow are tested throughout — between the dedicated workflow objectives and state-command scenarios, expect a substantial share of the exam to be answerable directly from this page.
Next Steps
Commands are the mechanical layer — the exam also wants the concepts underneath. Round out your prep with the complete Terraform Associate exam guide, the count vs for_each deep dive, and 25 free practice questions. Then check how many “which command?” scenarios you can clear in the free interactive TF-004 practice set — and when the table above feels automatic, pressure-test it with timed full-length mock exams.