Terraform Lesson 5 – Terraform Workflow | Dataplexa

Terraform Course

I. Terraform Fundamentals
1. What is Terraform 2. Why Infrastructure as Code Matters 3. Terraform vs CloudFormation vs ARM 4. Terraform Architecture 5. Terraform Workflow 6. Installation and Setup 7. Configuration Files 8. Providers 9. Resources 10. Beginner Best Practices
II. Terraform Core Concepts
11. Variables 12. Output Values 13. Data Sources 14. Terraform State Explained 15. Local vs Remote State 16. Backend Configuration 17. State Locking and Consistency 18. Terraform State Commands 19. Terraform Import 20. Lifecycle Rules 21. Dependencies 22. Count and for_each 23. Dynamic Blocks 24. Workspaces 25. Core Best Practices
III. Modules, Security & Cloud
26. Modules Introduction 27. Creating Reusable Modules 28. Module Versioning 29. Security Best Practices 30. Secrets Management 31. Terraform with AWS 32. Terraform with Azure 33. Terraform with GCP 34. Terraform with Kubernetes 35. Terraform Troubleshooting
IV. Advanced Terraform & Real-World
36. Terraform at Scale 37. Terraform in CI/CD Pipelines 38. Terraform with Jenkins 39. Terraform with GitOps 40. Drift Detection 41. Upgrade Strategies 42. Terraform Testing 43. Performance Optimization 44. Terraform Anti-Patterns 45. Mini Project
Section I · Lesson 5

Terraform Workflow

You know the four commands. But knowing commands is not the same as knowing how to work. This lesson shows you what a professional Terraform workflow looks like end to end — and exactly where teams cut corners and pay for it later.

This lesson covers

The complete dev-to-production workflow → What happens inside each command → Working as a team with shared state → The write, plan, apply loop

The Workflow Most Tutorials Skip

Most Terraform tutorials show you terraform apply and call it a workflow. That is not a workflow — that is a single command run in isolation. A real workflow is the full cycle from writing configuration to safely deploying changes to production, including every review, every check, and every gate along the way.

Teams that skip the workflow and treat Terraform as "just run apply" are the same teams that accidentally destroy production databases. The commands are safe. The process is what makes them safe to use on infrastructure that matters.

The Complete Workflow

A professional Terraform workflow has six stages. The first four happen locally. The last two happen through a controlled process — either manually with discipline or automated through CI/CD.

1. Write Edit .tf files in your editor 2. Format + Validate terraform fmt terraform validate 3. Plan terraform plan Review the diff 4. PR Review Team reviews plan output 5. Apply Staging first then production 6. Verify Confirm + commit Happens locally on your machine Controlled process — reviewed and gated

1. Write

Edit your .tf files in your editor. Add a resource, change a variable, remove something that is no longer needed. This is where all infrastructure changes originate — in code, in a text file, on a branch.

2. Format and Validate

terraform fmt auto-formats your files to the canonical HCL style. terraform validate checks that your configuration is syntactically correct before you waste time running a plan on broken code. Both run in under a second.

3. Plan

Run terraform plan -out=tfplan and read every line. Every + is a new resource. Every ~ is a modification. Every - is a destruction. Save the plan to a file so the exact plan you reviewed is the one that gets applied.

4. Pull Request Review

Push your branch and open a pull request. Attach the plan output so reviewers see the real infrastructure impact — not just the code change. A teammate approves both before anything is applied. This gate is what catches the mistake before production.

5. Apply — Staging First

After approval, apply to staging. Confirm the change behaves as expected. Only then apply to production. This sequence — staging before production, always — is what gives teams the confidence to make infrastructure changes without fear.

6. Verify

Run terraform plan once more. The output should show zero changes. If it does not — something changed outside Terraform or a resource did not reach its desired state. Investigate before closing the PR.

The Two Commands You Have Not Seen Yet

Stage 2 introduced two commands that did not appear in earlier lessons. They are short, fast, and should become automatic habits before every plan.

New terms:

  • terraform fmt — formats all .tf files to the canonical HashiCorp style. Modifies files in place. Run before every commit.
  • terraform validate — checks for syntax errors and internal consistency. Does not connect to any cloud provider. Catches things like referencing a variable that does not exist. Instant and offline.
  • terraform plan -out=tfplan — saves the execution plan to a binary file. When you run terraform apply tfplan, Terraform executes exactly that saved plan — no surprises between review and apply. Essential for CI/CD.
  • terraform show — prints a saved plan file or current state in human-readable format. Use terraform show tfplan to inspect a saved plan before applying.
# The full local workflow — run in this order every time

# Format all .tf files to canonical style
terraform fmt

# Check for syntax errors and consistency issues
terraform validate

# Generate and save the execution plan
terraform plan -out=tfplan

# Inspect the saved plan before applying
terraform show tfplan

# Apply exactly the saved plan — no re-planning, no surprises
terraform apply tfplan

# Confirm zero drift after apply
terraform plan
$ terraform fmt
main.tf
variables.tf

$ terraform validate
Success! The configuration is valid.

$ terraform plan -out=tfplan

  # aws_instance.web_server will be created
  + resource "aws_instance" "web_server" {
      + ami           = "ami-0c55b159cbfafe1f0"
      + instance_type = "t2.micro"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
Saved the plan to: tfplan

$ terraform apply tfplan

aws_instance.web_server: Creating...
aws_instance.web_server: Creation complete after 32s [id=i-0abc123def456789]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

$ terraform plan
No changes. Your infrastructure matches the configuration.

What just happened?

  • fmt printed the files it modified. main.tf and variables.tf had formatting issues that were corrected. Silence means everything was already clean.
  • The plan was saved then applied directly. terraform apply tfplan executed exactly the reviewed plan — no re-plan, no risk of infrastructure changing between review and apply.
  • The final plan showed zero changes. "No changes. Your infrastructure matches the configuration." — this is the confirmation every clean apply should end with.

Working as a Team — Shared State

When you work alone, the state file lives on your machine. When you work in a team, that breaks immediately — two engineers cannot share a state file that only one of them has.

The solution is a remote backend — a shared location where the state file lives. Every team member and every CI pipeline reads from and writes to the same state. The most common setup is an S3 bucket with DynamoDB for state locking — locking prevents two applies running simultaneously and corrupting the state file.

Remote backends are covered fully in Section II. For now: local state is for learning only. Any infrastructure a team manages together needs remote state from day one.

Engineer A terraform apply local machine Engineer B terraform apply local machine CI Pipeline terraform apply on merge to main Remote State (S3 + DynamoDB lock)

All engineers and CI pipelines share the same remote state — locking prevents simultaneous applies

Common Mistakes

Running terraform apply without a saved plan

A plain terraform apply runs a fresh plan internally. If infrastructure changed between your last review and the apply — a teammate made a change, something external updated — you are applying a plan you never saw. Always use -out=tfplan and apply from the file.

Applying directly to production without staging

Staging exists so problems surface where the cost of failure is low. Teams that skip staging are betting the change is correct. Eventually that bet fails — and it is always on a Friday afternoon.

Using local state for team infrastructure

If the state file only exists on one engineer's laptop and that laptop is lost or that engineer leaves — the team loses track of everything Terraform manages. Resources still exist in the cloud but Terraform no longer knows about them. Recovering from lost state is painful. Use remote state from the first apply.

The habit that separates careful engineers from careless ones

Run terraform plan after every terraform apply. Ten seconds. If the output says "No changes" — the apply worked cleanly. If it still shows changes — something did not apply correctly or something changed outside Terraform. Finding that out immediately is infinitely better than finding out three weeks later when production breaks.

Practice Questions

1. Which command automatically formats your .tf files to the canonical HCL style?



2. What command saves the execution plan to a file called tfplan so it can be applied exactly as reviewed?



3. After a clean terraform apply, what should a follow-up terraform plan show?



Quiz

1. What does terraform validate do and what does it not do?


2. Why does a remote state setup typically include a DynamoDB table alongside the S3 bucket?


3. What is the correct sequence when applying an approved infrastructure change?


Up Next · Lesson 6

Installation and Setup

Theory ends here. Lesson 6 is hands-on — Terraform installed, AWS configured, first real apply running on your machine.

← Previous Course Index Next →