Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
9.2. Quick Reference
Command cheat sheet:
| Command | Job | Changes real infra? | Notes |
|---|---|---|---|
init | Set up backend, providers, modules | No | Required first; writes lock file |
fmt | Canonical formatting | No | -check for CI; style only |
validate | Syntax + internal consistency | No | Needs init; no credentials |
plan | Preview diff | No | -out saves; refreshes state |
apply | Enact changes | Yes | Updates state; prompts unless -auto-approve or saved plan |
destroy | Tear down managed resources | Yes | Reverse-dependency order; scoped to state |
import | Bring resource into state | No (record) | Classic = state only, no config |
state list/show | Inspect state | No | Read-only |
state mv/rm | Edit state record | No | rm ≠ destroy |
force-unlock | Release stuck lock | No | Use only when sure |
"Which feature?" decision aid:
High-yield facts to memorize:
~> 1.2allows 1.x ≥ 1.2 (not 2.0);~> 1.2.3allows only 1.2.x patches.sensitivehides display only — secrets still sit in state in plaintext.- Variable precedence (high→low): command line
-var/-var-file→*.auto.tfvars→terraform.tfvars→TF_VAR_env vars. plansymbols:+create,-destroy,~update in place,-/+replace.- Applying a saved plan skips the approval prompt.
versionargument works only for registry modules; Git uses?ref=.- Local module sources must start with
./or../. - Locking is automatic on supporting backends; S3 commonly pairs with DynamoDB; HCP Terraform locks for you.
moved/removedand refresh-only are all state-only — they don't change real infrastructure.- Sentinel/OPA policy enforcement is an HCP/Enterprise feature; hard-mandatory can't be overridden.
Written byAlvin Varughese
Founder•18 professional certifications