plan, apply & destroy
The Terraform workflow, safely.
The Terraform workflow is a short, safe cycle of four commands, and its defining feature is that it always shows you what it will do before it does it. init sets up a working directory (downloads providers, configures the backend); plan computes and displays the changes without making them; apply executes those changes; and destroy tears everything down. The plan-then-apply gate is what makes Terraform safe to use on real infrastructure — you never change anything you have not first reviewed.
$ terraform init # one-time setup: download providers, init the backend$ terraform plan # DRY RUN: show exactly what would change (no changes made)Plan: 2 to add, 0 to change, 0 to destroy.$ terraform apply # execute — shows the plan again and asks to confirmEnter a value: yesaws_security_group.web_sg: Creation completeaws_instance.web: Creation complete$ terraform destroy # tear it all down (also shows a plan and confirms)
Reading a plan
The plan is the most important output to learn to read, because it is your last chance to catch a mistake. Each resource is marked with a symbol: + to create, ~ to change in place, - to destroy, and -/+ to replace (destroy then recreate — the dangerous one, because it means downtime or data loss for that resource). The summary line ("2 to add, 0 to change, 0 to destroy") is your headline check. If the plan proposes to destroy or replace something you did not intend, stop — that is the signal to fix your code before applying.
$ terraform plan# aws_instance.web will be updated in-place~ resource "aws_instance" "web" {~ instance_type = "t3.micro" -> "t3.small" # ~ = change in place (safe)}# aws_db_instance.main must be replaced-/+ resource "aws_db_instance" "main" { # -/+ = DESTROY and recreate (data loss!)~ engine_version = "14" -> "16"}Plan: 1 to add, 1 to change, 1 to destroy.