WintelGuy.com

Terraform Associate Exam Cram - Part 4

Use Terraform outside the core workflow

This is Part 4 of the Terraform Associate Exam Cram. It covers the following Terraform Associate Certification exam objectives:

4a. Describe when to use terraform import to import existing infrastructure into your Terraform state

The terraform import command brings existing resources (created manually or by another tool) into Terraform state so Terraform can manage them. The import command can import resources into child modules as well as directly into the root module. This command does not modify the infrastructure.

Usage: terraform import [options] <resource_type>.<name> <resource_id>

  • <resource_id> - the existing resource ID. The syntax of the given ID is dependent on the resource type being imported.
  • <resource_type>.<name> - a valid Terraform resource address.

Options:

  • -config=path - Path to a directory of Terraform configuration files to use to configure the provider. Defaults to pwd. If no config files are present, they must be provided via the input prompts or env vars.
  • -input=false - Disable interactive input prompts.
  • -lock=false - Don't hold a state lock during the operation. This is dangerous if others might concurrently run commands against the same workspace.
  • -lock-timeout=0s - Duration to retry a state lock.
  • -no-color - If specified, output won't contain any color.
  • -var 'foo=bar' - Set a variable in the Terraform configuration. This flag can be set multiple times. This is only useful with the -config flag.
  • -var-file=foo - Set variables in the Terraform configuration from a file. If terraform.tfvars or any .auto.tfvars files are present, they will be automatically loaded.
  • -ignore-remote-version - A rare option used for the remote backend only. See the remote backend documentation for more information.

Examples:

    # Import an AWS instance into the aws_instance.example resource
    terraform import aws_instance.example i-1234567890abcdef

    # Import an AWS instance into the aws_instance.example resource in vm module
    terraform import module.vm.aws_instance.example i-1234567890abcdef

    # Import an AWS instance into the first instance of the aws_instance.example resource with count
    terraform import 'aws_instance.example[0]' i-1234567890abcdef

    # Import an AWS instance into the "primary" instance of the aws_instance.example resource with for_each
    terraform import 'aws_instance.example["primary"]' i-1234567890abcdef

Import usage notes:

  • Use terraform import to bring manually created resources under Terraform management or to align Terraform state with existing infrastructure.
  • import only updates the state; it does not modify the infrastructure and does not generate configuration.
  • Prior to running terraform import, it is necessary to manually add a resource configuration block for the object to be imported. The block must have all attributes and values matching the object's configuration to avoid unintended changes during subsequent terraform apply.
  • Only one resource can be imported at a time.
  • It is also possible to import to resources in child modules, or to single instances of a resource with count or for_each.
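
One way to check the requirement above that the hand-written block matches the real object: after the import, save a plan (terraform plan -out=tfplan), render it with terraform show -json tfplan, and confirm the imported addresses are no-ops. This is an added example, not part of the original page; the plan document is constructed and import_drift is a hypothetical helper name.

```python
import json

# Constructed sample in the shape of `terraform show -json tfplan`,
# trimmed to the fields used below. Addresses and values are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_instance.example",
   "change": {"actions": ["update"],
              "before": {"instance_type": "t3.micro", "monitoring": false},
              "after":  {"instance_type": "t3.small", "monitoring": false}}},
  {"address": "module.vm.aws_instance.example",
   "change": {"actions": ["no-op"],
              "before": {"instance_type": "t3.micro"},
              "after":  {"instance_type": "t3.micro"}}},
  {"address": "aws_instance.example[0]",
   "change": {"actions": ["delete", "create"],
              "before": {"ami": "ami-constructed-a"},
              "after":  {"ami": "ami-constructed-b"}}}
]}
""")


def import_drift(plan, imported):
    """Map each imported address the plan would touch to
    (actions, names of top-level attributes that differ).
    An empty result means apply would leave the imported objects alone."""
    wanted = set(imported)
    drift = {}
    for rc in plan.get("resource_changes", []):
        if rc["address"] not in wanted:
            continue
        change = rc["change"]
        if change["actions"] == ["no-op"]:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        # Report attribute names only, so values never end up in CI output.
        changed = sorted(k for k in before.keys() | after.keys()
                         if before.get(k) != after.get(k))
        drift[rc["address"]] = (change["actions"], changed)
    return drift


if __name__ == "__main__":
    targets = ["aws_instance.example", "module.vm.aws_instance.example"]
    for addr, (actions, attrs) in import_drift(SAMPLE_PLAN, targets).items():
        print(f"{addr}: {'/'.join(actions)} would change {attrs}")
```

A replace action (delete followed by create) on a freshly imported address means the next apply would destroy the real object, so fix the configuration block before applying.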

HCP Terraform:

When using terraform import with HCP Terraform, the import command runs locally and does not have access to information from HCP Terraform. To successfully perform an import, it is required to set local variables to match the remote workspace variables in HCP Terraform.


4b. Use terraform state to view Terraform state

To list and explore resources in the state, use the following commands:

  • terraform state list [options] [address...] - List resources in the state. The address argument can be used to filter the instances by resource or module. If no pattern is given, all resource instances are listed.
    Options:
    • -state=statefile - Path to a Terraform state file to use to look up Terraform-managed resources. By default, Terraform will consult the state of the currently-selected workspace.
    • -id=ID - Filters the results to include only instances whose resource types have an attribute named "id" whose value equals the given id string.
  • terraform state show [options] ADDRESS - Show the attributes of a single resource in the Terraform state. The address argument must be used to specify a single resource.
    Options:
    • -state=statefile - Path to a Terraform state file to use to look up Terraform-managed resources. By default it will use the state "terraform.tfstate" if it exists.
  • terraform show [options] [path] - Output a Terraform state or plan file in a human-readable form. If no path is specified, the current state will be shown. Use -json to format the output in a machine-readable form.

Advanced terraform state commands:

The rest of the terraform state commands perform advanced state management operations and should be used only in exceptional situations:

  • Debugging / troubleshooting resource mappings.
  • Refactoring configuration (rename/move resources).
  • Cleaning up state without destroying infra.

Usage: terraform state <subcommand> [options] [args]

Subcommands:

  • terraform state mv [options] SOURCE DESTINATION - Move an item matched by the source address given to the destination address. This command can also move to a destination address in a completely different state file. Use this for simple resource renaming, moving items to and from a module, moving entire modules, and more. It can also be used for refactoring one configuration into multiple separately managed Terraform configurations.
    Options:
    • -dry-run - Prints what would have been moved but doesn't actually move anything.
    • -lock=false - Don't hold a state lock during the operation. Dangerous if others might concurrently run commands against the same workspace.
    • -lock-timeout=0s - Duration to retry acquiring a state lock.
    • -ignore-remote-version - Rare option used for the remote backend only. See the remote backend documentation for details.
    • -state, -state-out - State file locations (local backend only).
  • terraform state pull [options] - Pull the current state from its location, upgrade the local copy, and output it to stdout. As part of this process, Terraform will upgrade the state format of the local copy to the current version. The primary use of this is for state stored remotely.
  • terraform state push [options] PATH - Update remote state from a local state file at PATH. This command "pushes" a local state and overwrites remote state with a local state file. The command will protect you against writing an older serial or a different state file lineage unless you specify the "-force" flag. If PATH is "-", then this command will read the state to push from stdin.
    Options:
    • -force - Write the state even if lineages don't match or the remote serial is higher.
    • -lock=false - Don't hold a state lock during the operation. Dangerous if others might concurrently run commands against the same workspace.
    • -lock-timeout=0s - Duration to retry acquiring a state lock.
  • terraform state replace-provider [options] FROM_PROVIDER_FQN TO_PROVIDER_FQN - Replace provider for resources in the Terraform state.
    Options:
    • -auto-approve - Skip interactive approval.
    • -lock=false - Don't hold a state lock during the operation. Dangerous if others might concurrently run commands against the same workspace.
    • -lock-timeout=0s - Duration to retry acquiring a state lock.
    • -ignore-remote-version - Rare option used for the remote backend only. See the remote backend documentation for details.
    • -state, -state-out - State file locations (local backend only).
  • terraform state rm [options] ADDRESS... - Remove one or more items specified by the given addresses from the Terraform state, causing Terraform to "forget" those items without first destroying them in the remote system. If you give the address of an entire module then all of the instances in that module and any of its child modules will be removed from the state. If you give the address of a resource that has "count" or "for_each" set, all of the instances of that resource will be removed from the state.
    Options:
    • -dry-run - Prints what would have been removed but doesn't actually remove anything.
    • -backup=PATH - Path where Terraform should write the backup state.
    • -lock=false - Don't hold a state lock during the operation. Dangerous if others might concurrently run commands against the same workspace.
    • -lock-timeout=0s - Duration to retry acquiring a state lock.
    • -state=PATH - Path to the state file to update. Defaults to the current workspace state.
    • -ignore-remote-version - Continue even if remote and local Terraform versions are incompatible. May result in an unusable workspace, so use with extreme caution.

Note, all state management commands that modify the state create a timestamped backup of the state prior to making modifications.
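
The two conditions under which terraform state push refuses to write without -force (different lineage, older serial), plus a list of what the overwrite would make Terraform forget, as an added example that is not part of the original page. It assumes the remote copy was saved with terraform state pull; the state documents are constructed and trimmed, and address() and review_push() are hypothetical helper names.

```python
def address(res):
    """Build a resource address from one entry of the state's "resources" list."""
    base = f'{res["type"]}.{res["name"]}'
    if res.get("mode") == "data":
        base = "data." + base
    return f'{res["module"]}.{base}' if res.get("module") else base


def review_push(local, remote):
    """Compare the state about to be pushed (local) with the pulled remote state.
    Returns (blockers, forgotten):
      blockers  - reasons push would refuse unless -force is given
      forgotten - addresses in remote but not in local, which the overwrite
                  would drop from state without destroying the real objects."""
    blockers = []
    if local["lineage"] != remote["lineage"]:
        blockers.append("lineage differs from remote")
    if local["serial"] < remote["serial"]:
        blockers.append(
            f'local serial {local["serial"]} is older than remote serial {remote["serial"]}')
    forgotten = sorted({address(r) for r in remote.get("resources", [])}
                       - {address(r) for r in local.get("resources", [])})
    return blockers, forgotten


# Constructed state documents, trimmed to the fields used above.
_INSTANCE = {"mode": "managed", "type": "aws_instance", "name": "example"}
_IN_MODULE = dict(_INSTANCE, module="module.vm")
_AMI = {"mode": "data", "type": "aws_ami", "name": "base"}

REMOTE = {"version": 4, "serial": 12, "lineage": "constructed-lineage-a",
          "resources": [_INSTANCE, _IN_MODULE, _AMI]}
LOCAL_STALE = {"version": 4, "serial": 11, "lineage": "constructed-lineage-a",
               "resources": [_INSTANCE]}
LOCAL_UNRELATED = {"version": 4, "serial": 3, "lineage": "constructed-lineage-b",
                   "resources": [_INSTANCE, _IN_MODULE, _AMI]}
LOCAL_NEWER = {"version": 4, "serial": 13, "lineage": "constructed-lineage-a",
               "resources": [_INSTANCE, _IN_MODULE, _AMI]}

if __name__ == "__main__":
    for name, doc in [("stale", LOCAL_STALE), ("unrelated", LOCAL_UNRELATED),
                      ("newer", LOCAL_NEWER)]:
        blockers, forgotten = review_push(doc, REMOTE)
        print(name, "| needs -force:", blockers or "no", "| would forget:", forgotten)
```

A non-empty blockers list is the cue to stop and find out why the copies diverged rather than to reach for -force.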

Other state-related commands:

  • terraform force-unlock [options] LOCK_ID - Manually unlock the state for the defined configuration. This will not modify your infrastructure.
  • terraform refresh [options] - Read the current settings from all managed remote objects and update the Terraform state to match.
  • terraform taint [options] ADDRESS - Mark the resource specified by the given addresses as "tainted". This will not modify your infrastructure directly, but subsequent Terraform plans will include actions to destroy the remote object and create a new object to replace it. You can remove the "taint" state from a resource instance using the terraform untaint command.


4c. Describe when to enable verbose logging and what the outcome/value is

Terraform logging helps diagnose errors, provider issues, API calls, or unexpected behavior. It provides insight into provider interactions and dependency graph building.

The TF_LOG environment variable is used to set the log level:

  • TRACE - most detailed, includes internal steps, API calls, etc.
  • DEBUG - useful detail for troubleshooting.
  • INFO / WARN / ERROR - progressively less verbose.
  • JSON - outputs logs at the TRACE level or higher in JSON format.

Logging can be enabled separately for terraform itself and the provider plugins using the TF_LOG_CORE or TF_LOG_PROVIDER environment variables. These take the same level arguments as TF_LOG, but only activate a subset of the logs.

To persist logged output you can set TF_LOG_PATH in order to force the log to always be appended to a specific file when logging is enabled. Note that even when TF_LOG_PATH is set, TF_LOG must be set in order for any logging to be enabled.

Example:

    export TF_LOG=TRACE               # Levels: TRACE, DEBUG, INFO, WARN, ERROR
    export TF_LOG_PATH=terraform.log  # Write log to file (optional)


Practice Questions

What does the terraform state command do?
Can the terraform apply command directly import existing infrastructure?
How is Terraform import run?
How can you enable verbose debug messages to see from which paths Terraform is loading providers?
You created virtual machines (VMs) using the AWS console, but now you want to manage them with Terraform. What steps must you take to bring these VMs under Terraform management?
What is the purpose of the terraform import command?
How can you remove a resource from Terraform management without deleting it from the real infrastructure?
When would you use the terraform output command outside the core workflow?
What is the use of the terraform console command?
How can the terraform state subcommands assist in troubleshooting or maintenance?
