Applying saved plan files is a crucial step in the Core Terraform Workflow that ensures consistency and predictability when making infrastructure changes. When you run 'terraform plan -out=planfile', Terraform generates a binary file containing the exact changes it intends to make to your infrastru…Applying saved plan files is a crucial step in the Core Terraform Workflow that ensures consistency and predictability when making infrastructure changes. When you run 'terraform plan -out=planfile', Terraform generates a binary file containing the exact changes it intends to make to your infrastructure. This saved plan file captures the state of your configuration and the proposed modifications at that specific moment.
To apply a saved plan file, you use the command 'terraform apply planfile' where 'planfile' is the path to your saved plan. This approach offers several significant advantages in production environments.
First, it guarantees that the changes applied match exactly what was reviewed during the planning phase. Since infrastructure and state can change between planning and applying, using a saved plan prevents unexpected modifications that might occur if you ran a fresh plan during apply.
Second, saved plan files are essential for CI/CD pipelines and automated workflows. Teams can separate the plan and apply stages, allowing for manual review and approval processes between them. This creates an audit trail and ensures proper governance over infrastructure changes.
Third, when applying a saved plan, Terraform skips the interactive approval prompt because the plan was already generated and presumably reviewed. This makes automation more straightforward while maintaining safety through the explicit plan file requirement.
Important considerations include that plan files are tied to the specific Terraform version and provider versions used during creation. They also contain sensitive information and should be stored securely. Plan files become stale if the underlying state changes, causing the apply to fail with an error indicating the plan is no longer valid.
Best practices recommend generating fresh plans close to apply time, implementing proper access controls for plan files, and using remote backends with state locking to prevent concurrent modifications. This workflow pattern is fundamental for teams practicing infrastructure as code at scale.
Applying Saved Plans in Terraform: Complete Guide
What is a Saved Plan File?
A saved plan file in Terraform is a binary file that captures the exact set of changes Terraform will make to your infrastructure. When you run terraform plan -out=planfile, Terraform creates this file containing all the proposed modifications, additions, and deletions to your resources.
Why is Applying Saved Plans Important?
1. Consistency and Safety: Saved plans ensure that the changes you reviewed are exactly what gets applied. Between running plan and apply, infrastructure state could change, but a saved plan locks in the specific actions.
2. Separation of Duties: In enterprise environments, one team can create and review the plan while another team with elevated privileges applies it.
3. Audit Trail: Saved plans provide documentation of what was intended to be changed at a specific point in time.
4. CI/CD Pipelines: Automated workflows benefit from saved plans by separating the planning stage from the apply stage, allowing for manual approval gates.
How Saved Plans Work
Creating a Saved Plan: terraform plan -out=myplan.tfplan
This command generates a plan and saves it to myplan.tfplan. The file is binary and contains: - The configuration snapshot - The state snapshot at plan time - All variable values - The provider versions
Applying a Saved Plan: terraform apply myplan.tfplan
When you apply a saved plan: - Terraform skips the planning phase entirely - No confirmation prompt is displayed - The exact changes from the plan file are executed - Variable flags (-var) are not accepted since variables are embedded in the plan
Key Behaviors to Remember
1. No Approval Prompt: When applying a saved plan, Terraform does not ask for confirmation. It assumes you already reviewed and approved the plan.
2. State Lock: If the state has changed since the plan was created, Terraform will detect this and refuse to apply the outdated plan.
3. Plan File Expiration: While plan files do not technically expire, they become invalid if the underlying state changes.
4. Variable Handling: You cannot pass -var or -var-file flags when applying a saved plan because all variable values are already stored in the plan file.
Common Commands Comparison
terraform apply - Creates a new plan and prompts for approval terraform apply -auto-approve - Creates a new plan and applies with no prompt terraform apply planfile - Applies saved plan with no prompt (no new plan created)
Exam Tips: Answering Questions on Applying Saved Plans
1. Remember the No-Prompt Behavior: Questions often test whether you know that applying a saved plan skips the approval prompt.
2. Variable Flags Are Invalid: If a question asks about passing -var flags when applying a saved plan, remember this is not allowed.
3. Binary Format: Plan files are binary, not human-readable. Use terraform show planfile to view contents.
4. State Drift Detection: Terraform validates that state has not changed since plan creation. Questions may test this safety mechanism.
5. File Extension Convention: While any filename works, .tfplan is the conventional extension for plan files.
6. Use Case Scenarios: Be prepared for questions about when saved plans are beneficial, such as CI/CD pipelines or separation of responsibilities.
7. Distinguish Commands: Know the difference between terraform plan, terraform plan -out=file, terraform apply, and terraform apply planfile.