The Terraform apply command is a critical step in the Core Terraform Workflow that executes the planned infrastructure changes. Understanding apply confirmation and auto-approve is essential for the Terraform Associate certification.
When you run 'terraform apply', Terraform first generates an exe…The Terraform apply command is a critical step in the Core Terraform Workflow that executes the planned infrastructure changes. Understanding apply confirmation and auto-approve is essential for the Terraform Associate certification.
When you run 'terraform apply', Terraform first generates an execution plan showing what actions it will take. By default, Terraform requires interactive confirmation before proceeding with any changes. This safety mechanism displays a prompt asking you to type 'yes' to confirm the changes. This confirmation step prevents accidental modifications to your infrastructure and gives operators a final opportunity to review the planned changes.
The confirmation prompt shows:
- Resources to be created (marked with +)
- Resources to be modified (marked with ~)
- Resources to be destroyed (marked with -)
The '-auto-approve' flag bypasses this interactive confirmation step. When you execute 'terraform apply -auto-approve', Terraform proceeds with applying changes as soon as the plan is generated, requiring no manual intervention.
Use cases for auto-approve include:
1. CI/CD pipelines where automated deployments are necessary
2. Scripted infrastructure provisioning
3. Scheduled maintenance tasks
4. Testing environments where rapid iteration is needed
However, using auto-approve carries risks. Since there is no human verification step, any errors in configuration will be applied to your infrastructure. Best practices suggest:
- Only use auto-approve in controlled environments
- Implement proper code review processes before merging changes
- Run 'terraform plan' separately in CI/CD pipelines for review
- Consider using saved plan files with 'terraform apply planfile' for safer automation
For production environments, many organizations prefer running 'terraform plan -out=planfile' first, reviewing the output, then applying with 'terraform apply planfile'. This approach provides automation benefits while maintaining oversight of infrastructure changes.
Apply Confirmation and Auto-Approve in Terraform
What is Apply Confirmation?
When you run terraform apply, Terraform displays the execution plan and prompts you to confirm before making any changes to your infrastructure. This interactive confirmation step requires you to type yes to proceed. This safeguard ensures that you review proposed changes before they are implemented, preventing accidental modifications to your infrastructure.
What is Auto-Approve?
The -auto-approve flag bypasses the interactive confirmation prompt when running terraform apply or terraform destroy. When you use this flag, Terraform proceeds with the planned changes as soon as the plan is generated.
Understanding apply confirmation and auto-approve is crucial because:
1. Safety: The default confirmation prompt protects against unintended infrastructure changes 2. Automation: Auto-approve is essential for CI/CD pipelines where interactive prompts are not possible 3. Best Practices: Knowing when to use each approach demonstrates proper Terraform workflow understanding
How It Works in the Core Workflow:
1. Run terraform apply 2. Terraform generates an execution plan 3. The plan is displayed showing resources to be created, modified, or destroyed 4. Terraform prompts: Do you want to perform these actions? 5. You must type yes to proceed (or use -auto-approve to skip this step)
When to Use Auto-Approve:
- Automated CI/CD pipelines - Scripted deployments - Non-production environments with proper safeguards - When a separate plan review step has already occurred
When NOT to Use Auto-Approve:
- Production environments (in most cases) - Manual operations where review is beneficial - When you have not previously reviewed the plan
Exam Tips: Answering Questions on Apply Confirmation and Auto-Approve
1. Remember the default behavior: By default, terraform apply always prompts for confirmation. Questions may test whether you know this is the standard behavior.
2. Flag syntax: The correct flag is -auto-approve (with a hyphen). Watch for incorrect variations in answer choices.
3. Automation scenarios: When questions mention CI/CD pipelines, automated deployments, or scripted operations, -auto-approve is typically the relevant answer.
4. Plan and apply relationship: You can run terraform plan -out=planfile and then terraform apply planfile. When applying a saved plan file, Terraform does not prompt for confirmation because the plan was already reviewed.
5. Destroy command: Remember that -auto-approve also works with terraform destroy.
6. Safety considerations: If a question asks about best practices or safe operations, the answer typically favors manual confirmation over auto-approve.
7. Input variable: Do not confuse -auto-approve with -input=false, which controls whether Terraform prompts for input variables.
Key Points to Remember:
- Default apply requires typing yes to confirm - -auto-approve skips the confirmation prompt - Saved plan files applied with terraform apply planfile do not require confirmation - Auto-approve is commonly used in automated pipelines - Manual confirmation is preferred for production changes