Why You Should Use the -out Option with terraform plan
When working with Terraform, a common workflow involves running terraform plan followed by terraform apply. However, you may have come across the following warning:
“You didn’t use the -out option to save this plan, so Terraform can’t guarantee to take exactly these actions if you run ‘terraform apply’ now.”
This message is more than a suggestion—it highlights a potential risk in your workflow. Let’s explore what it means and why it matters.
What Does -out Do?
terraform plan displays a list of changes Terraform would make to reach your desired infrastructure state. However, unless explicitly saved, this plan is ephemeral. If your infrastructure, state, or configuration changes, even slightly, between running plan and apply, the actions taken by Terraform may differ from what you originally saw.
To prevent this, you can generate a plan file and apply it later with confidence:
terraform plan -out=tfplan
This command saves a binary representation of the plan to tfplan. You can then apply that exact plan using:
terraform apply tfplan
Why It Matters
1. Guaranteed Consistency
By saving the plan to a file, you ensure that the actions executed by apply are exactly those computed by plan, regardless of any changes to your infrastructure or code in the meantime.
2. Safer in Production
In production environments, even minor unexpected changes can lead to downtime or outages. Using -out ensures you avoid surprises during deployment.
3. CI/CD and Auditability
In automated pipelines, a plan can be generated, reviewed, approved, and then applied—possibly by different systems or teams. The -out file acts as a contract between planning and execution, supporting traceability and compliance.
Example Workflow
terraform plan -out=tfplan
terraform apply tfplan
This two-step process is especially useful in teams where infrastructure changes are reviewed or require approval before deployment.
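One way to enforce the "contract" between the plan and apply stages in a pipeline, shown as an added example that is not part of the original article: the plan stage records a SHA-256 digest of the saved plan, and the apply stage refuses to run unless the file it received still matches. The file names (tfplan, tfplan.sha256) and function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: bind the reviewed plan file to the apply step with a digest.
# Assumes sha256sum is available on the runner.
# Note: saved plan files can contain sensitive values in cleartext, so
# restrict who can read the artifact store that holds them.

# Print the SHA-256 hex digest of a file.
plan_digest() {
  sha256sum "$1" | awk '{print $1}'
}

# Plan stage: run after `terraform plan -out=tfplan`.
# Keep the digest with the approval record, not only beside the plan file.
record_plan_digest() {
  local plan="$1" digest_file="$2"
  [ -f "$plan" ] || { echo "plan file not found: $plan" >&2; return 2; }
  plan_digest "$plan" > "$digest_file"
}

# Apply stage: return 0 only if the plan matches the recorded digest.
# Returns 1 on mismatch, 2 if either file is missing.
verify_plan_digest() {
  local plan="$1" digest_file="$2" expected actual
  if [ ! -f "$plan" ] || [ ! -f "$digest_file" ]; then
    echo "missing plan or digest file" >&2
    return 2
  fi
  expected="$(cat "$digest_file")"
  actual="$(plan_digest "$plan")"
  if [ "$expected" != "$actual" ]; then
    echo "plan digest mismatch: refusing to apply $plan" >&2
    return 1
  fi
  return 0
}

# Apply only the plan that was reviewed; never fall back to a fresh plan.
apply_reviewed_plan() {
  local plan="$1" digest_file="$2"
  verify_plan_digest "$plan" "$digest_file" || return 1
  terraform apply "$plan"
}

# Typical use:
#   plan job:   terraform plan -out=tfplan && record_plan_digest tfplan tfplan.sha256
#   apply job:  apply_reviewed_plan tfplan tfplan.sha256
```

The digest check only detects a swapped or altered plan file if the recorded digest travels through a channel the plan artifact's writers cannot also modify, such as the approval record itself.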
Best Practices
- Use -out in all production environments or when changes require manual review.
- Avoid applying plans that haven’t been reviewed.
- Store plan files temporarily or in artifact repositories for traceability.
- For CI/CD pipelines, integrate plan and apply as distinct, reviewable steps.
Conclusion
While it’s easy to run terraform apply immediately after terraform plan, this approach introduces a level of uncertainty that can be avoided. The -out option provides a clear separation of intent and execution, offering stronger guarantees in both manual and automated workflows.
If you’re not already using terraform plan -out, it’s a simple but effective way to make your infrastructure deployments more predictable and reliable.