
Terraform Dry Run Explained with Examples


A dry run in Terraform is a preview of changes before anything is created or destroyed. You use terraform plan to compare your configuration and state to the real infrastructure and see the actions Terraform would take. 

In this article, we will look at some examples of dry-running Terraform in practice.

What is a Terraform dry run?

A Terraform dry run is achieved using the terraform plan command. It lets you preview infrastructure changes without actually applying them. 

terraform plan reads current data from your providers to refresh state and evaluate data sources; these operations are read-only. Use -refresh=false to skip the refresh reads, and use -refresh-only to check for drift without proposing changes.

Because it does not call your cloud provider’s mutation APIs, it’s safe to run repeatedly while you refine variables and code. You can also save a plan to a file and review it later, or feed the exact, locked set of actions into terraform apply to guarantee nothing unexpected slips in between the preview and the execution.

Saved plans are binary files. Use terraform show tfplan or terraform show -json tfplan to review them. Applying a saved plan reuses the exact inputs and will fail if the state has changed since the plan was created. 

Example 1: Previewing a small feature change in a dev workspace

You’ve modified your Terraform configuration to upgrade the instance type of a web server in the development environment. Before applying, you want to confirm that this is the only change.

Step 1: Select the correct workspace:

terraform workspace select dev

Step 2: Run a dry run and save the plan:

terraform plan -var-file=dev.tfvars -out=tfplan

Optionally run terraform show tfplan or terraform show -json tfplan to review the saved plan output.

Step 3: Review the output

Terraform shows that the resource aws_instance.web will change from t3.small to t3.medium. No other resources are listed, which confirms your change is isolated.

If the preview looks correct, you can later apply exactly that plan:

terraform apply tfplan

This workflow helps ensure no unintended changes sneak in between your preview and your apply. The saved plan (tfplan) locks the proposed state, guaranteeing consistency during deployment, which can be useful for code reviews or CI/CD pipelines.

If the state changes before you apply, Terraform will report that the saved plan is stale and you should create a new plan.

Example 2: Assessing the impact of a resource deletion

Let’s imagine you’re preparing to remove a legacy S3 and CloudFront module. Before deleting, you want to understand the blast radius.

Step 1: Modify the code

Comment out or delete the old module in your Terraform configuration.

Step 2: Run a targeted destroy plan:

terraform plan -destroy -target=module.legacy -out=destroy.tfplan

For most cleanups, remove the module from code and run a normal terraform plan without -destroy or -target. Use -target only when you need to narrow scope for troubleshooting.

Step 3: Inspect the dry run

Terraform lists every resource it would destroy: S3 buckets, policies, CloudFront distributions, and dependencies.

If you notice other resources still referencing these, you can fix the dependencies and rerun the plan until only the intended items appear.

Step 4: Apply the reviewed plan (optional)

terraform apply destroy.tfplan

By previewing the destruction, you avoid unexpected downtime or data loss. The saved plan (destroy.tfplan) acts as a safety checkpoint, so you only apply what’s been reviewed and approved.

In remote runs the plan file is not on your machine, so review and approve it in the UI or fetch the JSON plan from the service if you need to share it.
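The review step in both examples ("no other resources are listed", "only the intended items appear") can be automated against the output of terraform show -json tfplan. The script below is an added example, not part of the original article or any Spacelift tooling. The sample plan is constructed and trimmed to the fields the check reads, and the function names and the address aws_db_instance.main are assumptions made for illustration.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads. Addresses are illustrative.
SAMPLE_PLAN = json.loads("""
{"format_version": "1.2", "resource_changes": [
  {"address": "aws_instance.web", "change": {"actions": ["update"]}},
  {"address": "aws_security_group.web", "change": {"actions": ["no-op"]}},
  {"address": "data.aws_ami.base", "change": {"actions": ["read"]}},
  {"address": "module.legacy.aws_s3_bucket.assets", "change": {"actions": ["delete"]}},
  {"address": "aws_db_instance.main", "change": {"actions": ["delete", "create"]}}
]}
""")


def in_scope(address, scopes):
    """True if address equals a scope or lives under it (module path or index)."""
    return any(address == s or address.startswith((s + ".", s + "["))
               for s in scopes)


def planned_changes(plan):
    """Return {address: actions} for every resource the plan would modify."""
    changes = {}
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if set(actions) - {"no-op", "read"}:  # ignore unchanged and data reads
            changes[rc["address"]] = actions
    return changes


def review_plan(plan, allowed, allow_destroy=()):
    """Return (reason, address, actions) for each change a reviewer should stop on."""
    violations = []
    for address, actions in sorted(planned_changes(plan).items()):
        if not in_scope(address, allowed):
            violations.append(("out-of-scope", address, actions))
        # A replace appears as ["delete", "create"] or ["create", "delete"].
        elif "delete" in actions and not in_scope(address, allow_destroy):
            violations.append(("destroy-not-approved", address, actions))
    return violations


if __name__ == "__main__":
    # Expect changes to the web instance and destroys only inside module.legacy.
    for v in review_plan(SAMPLE_PLAN, ["aws_instance.web", "module.legacy"],
                         allow_destroy=["module.legacy"]):
        print(v)
```

In a pipeline, fail the job when review_plan returns anything, then apply the same saved plan file that was checked. Treat the plan file and its JSON as sensitive, because both can contain secret values in cleartext.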

Key points

terraform plan gives you a safe preview of changes and helps you confirm intent. Save the plan when you want to apply exactly what you reviewed. If state changes before you apply, create a new plan and review again. 

For routine work, update code and run a full plan, and reserve -target for troubleshooting only. 

On remote runs, review and approve the plan in the UI or export JSON when you need to share it.

Terraform is really powerful, but to achieve an end-to-end secure GitOps approach, you need to use a product that can run your Terraform workflows. Spacelift takes managing Terraform to the next level by giving you access to a powerful CI/CD workflow and unlocking features such as:

  • Policies (based on Open Policy Agent)
  • Multi-IaC workflows
  • Self-service infrastructure
  • Integrations with any third-party tools

If you want to learn more about Spacelift, create a free account today or book a demo with one of our engineers.

Note: New versions of Terraform are placed under the BUSL license, but everything created before version 1.5.x stays open-source. OpenTofu is an open-source version of Terraform that expands on Terraform’s existing concepts and offerings. It is a viable alternative to HashiCorp’s Terraform, being forked from Terraform version 1.5.6.
