Reconciling state with infrastructure is a critical process in Terraform that ensures the state file accurately reflects the actual resources deployed in your infrastructure. When you run terraform plan or terraform apply, Terraform performs a refresh operation to compare the current state file against the real-world infrastructure.
During reconciliation, Terraform queries the cloud provider APIs to discover the actual configuration of managed resources. It then compares these real values against what is stored in the state file. This process identifies three types of discrepancies: resources that exist in state but not in infrastructure (deleted externally), resources with configuration differences between state and reality (manual changes), and resources that exist in infrastructure but not in state (out-of-band additions).
The terraform refresh command explicitly performs this reconciliation, updating the state file to match current infrastructure. However, this command is being deprecated in favor of using terraform plan -refresh-only or terraform apply -refresh-only, which provide better visibility into changes before they are applied to the state.
When drift is detected, there are several ways to resolve it. If your configuration still describes the desired state but the actual infrastructure differs from it, Terraform will propose changes to bring the infrastructure back in line. If manual changes were made that you want to keep, you can update your configuration to match the new reality.
Best practices for state reconciliation include running regular plans to detect drift early, using automation to prevent manual infrastructure changes, implementing state locking to prevent concurrent modifications, and storing state remotely for team collaboration. Understanding reconciliation helps maintain infrastructure consistency and prevents unexpected behavior during deployments. The state file serves as Terraform's source of truth, making accurate reconciliation essential for reliable infrastructure management and ensuring your declared configuration remains synchronized with deployed resources.
Reconciling State with Infrastructure in Terraform
What is State Reconciliation?
State reconciliation is the process by which Terraform compares its stored state file with the actual infrastructure that exists in your cloud provider or platform. This comparison allows Terraform to understand what changes need to be made to align your infrastructure with your desired configuration.
Why is State Reconciliation Important?
State reconciliation is crucial for several reasons:
• Drift Detection: Infrastructure can change outside of Terraform through manual modifications, other automation tools, or API calls. Reconciliation identifies these differences.
• Accurate Planning: Terraform needs to know the current state of resources to generate accurate execution plans.
• Resource Management: It ensures Terraform maintains an accurate understanding of what it manages versus what exists in reality.
• Consistency: Helps maintain the desired state of infrastructure as defined in your configuration files.
How State Reconciliation Works
When you run terraform plan or terraform apply, Terraform performs these steps:
1. Refresh Phase: Terraform queries the real infrastructure using provider APIs to get the current state of all managed resources.
2. Comparison: The refreshed data is compared against the stored state file.
3. Difference Calculation: Terraform identifies discrepancies between the configuration, state file, and actual infrastructure.
4. Plan Generation: Based on differences found, Terraform creates an execution plan to reconcile the infrastructure with the desired configuration.
The terraform refresh Command
The terraform refresh command updates the state file to match real-world infrastructure. Key points:
• It reads the current settings from all managed remote objects
• Updates the Terraform state to match
• Does not modify infrastructure, only the state file
• As of Terraform 0.15.4, this is deprecated in favor of terraform apply -refresh-only
Using -refresh-only Flag
The recommended approach for state reconciliation is:
terraform apply -refresh-only
This command:
• Shows what changes Terraform detected in the infrastructure
• Allows you to review changes before updating state
• Provides an approval step before modifying the state file
• Is safer than the deprecated refresh command
Handling Drift
When drift is detected, you have options:
• Accept the drift: Update state to match reality using refresh-only
• Correct the drift: Run terraform apply to make infrastructure match configuration
• Update configuration: Modify your Terraform files to match the desired new state
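Before choosing one of these options it helps to see exactly which resources drifted and how. The following is an added example, not part of the original material: it reads the resource_drift section of a refresh-only plan rendered as JSON and reports each resource as changed or deleted outside Terraform. It assumes the plan was saved with terraform plan -refresh-only -out=drift.tfplan and rendered with terraform show -json drift.tfplan; the sample JSON and the function names are constructed for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json drift.tfplan` output, where
# drift.tfplan was written by `terraform plan -refresh-only -out=drift.tfplan`.
SAMPLE_PLAN = json.loads("""
{
  "resource_drift": [
    {"address": "aws_security_group.web",
     "change": {"actions": ["update"],
                "before": {"name": "web", "ingress": [{"cidr_blocks": ["10.0.0.0/8"]}]},
                "after":  {"name": "web", "ingress": [{"cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_s3_bucket.logs",
     "change": {"actions": ["delete"],
                "before": {"bucket": "example-logs"}, "after": null}}
  ]
}
""")


def changed_attributes(before, after):
    """Top-level attributes whose recorded value differs from the refreshed one."""
    before, after = before or {}, after or {}
    return sorted(k for k in before.keys() | after.keys()
                  if before.get(k) != after.get(k))


def summarize_drift(plan):
    """Return one finding per drifted resource in a refresh-only plan."""
    findings = []
    for rc in plan.get("resource_drift") or []:
        change = rc["change"]
        if change["actions"] == ["delete"]:
            # The object is in state but the provider no longer returns it.
            kind, attrs = "deleted outside Terraform", []
        else:
            kind = "changed outside Terraform"
            attrs = changed_attributes(change.get("before"), change.get("after"))
        findings.append({"address": rc["address"], "kind": kind, "attributes": attrs})
    return findings


if __name__ == "__main__":
    for f in summarize_drift(SAMPLE_PLAN):
        detail = ", ".join(f["attributes"]) or "-"
        print(f'{f["address"]}: {f["kind"]} ({detail})')
```

A finding such as a widened ingress rule is drift to correct with terraform apply, not to accept into state with -refresh-only.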
The -refresh=false Flag
You can skip the refresh phase using:
terraform plan -refresh=false
This is useful when:
• You know the state is accurate
• You want faster plan generation
• You are troubleshooting state issues
Exam Tips: Answering Questions on Reconciling State with Infrastructure
• Remember the default behavior: Terraform automatically refreshes state during plan and apply operations by default.
• Know the deprecated command: Questions may reference terraform refresh but understand that terraform apply -refresh-only is the modern replacement.
• Understand the refresh-only workflow: This updates state to match infrastructure but does not change infrastructure itself.
• Recognize drift scenarios: When asked about infrastructure changed outside Terraform, think about reconciliation and how Terraform detects these changes.
• State file priority: Terraform uses the state file as its source of truth for what it manages, but reconciliation ensures accuracy.
• Plan output interpretation: Know that plan output shows the difference between desired configuration and current state after refresh.
• No infrastructure changes during refresh: A key concept is that refresh operations only modify the state file, never the actual infrastructure.
• Watch for trick questions: Some questions may confuse refresh with apply - remember they serve different purposes.