3.3.1. terraform plan and Saved Plans
💡 First Principle: plan is the safe rehearsal — it refreshes state and computes the create/update/destroy actions but enacts none of them — so it's the command you run freely and often, and the one whose output you review before committing.
terraform plan refreshes the state against real infrastructure (by default), compares it to your configuration, and prints the proposed actions using consistent symbols:
| Symbol | Meaning |
|---|---|
+ | Create a new resource |
- | Destroy a resource |
~ | Update in place |
-/+ | Destroy and recreate (replacement) |
<= | Read (data source) |
Saving the plan with terraform plan -out=tfplan writes the exact planned actions to a file. You can then run terraform apply tfplan to apply precisely those actions with no re-planning and no approval prompt — the review already happened. Other useful flags: -refresh=false (skip the refresh, plan against state as-is) and -target (limit planning to specific resources, used sparingly).
⚠️ Exam Trap: plan is read-only with respect to infrastructure, but by default it does refresh state to detect drift. The exam may distinguish "plan changes nothing in the cloud" (true) from "plan never touches state" (it updates the in-memory state during refresh; with a saved plan the on-disk effects are deferred to apply). Also remember: applying a saved plan file skips the approval prompt.
Reflection Question: Why does applying a saved plan file not prompt for approval, while a bare terraform apply does?
