Managing infrastructure with Terraform requires visibility into resource attributes stored in the state file. The terraform state show command provides a way to inspect these attributes, helping users verify configurations, debug issues, and ensure consistency.
In this guide, we’ll explore how to use this command effectively to inspect resources, including standalone, remote, and module-based resources.
The terraform state show command is used to retrieve and display the current state of a specific resource managed by Terraform. It provides detailed information about the resource’s attributes, including IDs, IPs, names, and computed values, as stored in Terraform’s state file, helping users debug configurations, verify deployments, and understand real-world resource properties.
terraform state show [options] <resource_address><resource_address> specifies the resource to display, using its full address from the state file (e.g., aws_instance.my_instance).
The terraform state show command has one optional flag:
-state=path: This flag allows you to specify a different path to the state file. By default, it usesterraform.tfstate. However, this option is ignored when using remote state, as Terraform automatically fetches the state from the backend.
Note: This command does not modify the state; it only displays stored resource data.
Before we go into the examples, you can use terraform state list to find the correct resource address.
terraform state listExample output:
aws_instance.example
aws_s3_bucket.my_bucketExample 1: Showing a resource
For this example, let’s display an AWS instance.
Ensure you are in the Terraform project directory where the state file (terraform.tfstate) is stored, then run the terraform state show command followed by the resource address to inspect its current attributes.
terraform state show aws_instance.my_instanceThe command will return the details of the specified EC2 instance as stored in the Terraform state.
# aws_instance.my_instance:
resource "aws_instance" "my_instance" {
id = "i-1234567890abcdef"
ami = "ami-0abcdef1234567890"
instance_type = "t2.micro"
availability_zone = "us-east-1a"
key_name = "my-key"
public_ip = "34.201.10.20"
private_ip = "10.0.1.5"
}The output varies, depending on your resource configuration.
Example 2: Showing a resource from a remote state
When using a remote backend (e.g., AWS S3, Terraform Cloud, or Consul), Terraform stores the state file remotely instead of locally. You can still use terraform state show to inspect a resource in the remote state.
Here, we’ll be displaying an AWS S3 bucket from a remote state.
Ensure Terraform is initialized and configured to access the remote backend. If authentication is required, ensure Terraform has access (via credentials or environment variables).
Run terraform state show with the resource address, just as you would for a local state.
terraform state show module.s3_bucket.aws_s3_bucket.my_bucketPossible output:
# module.s3_bucket.aws_s3_bucket.my_bucket:
resource "aws_s3_bucket" "my_bucket" {
id = "my-terraform-bucket"
bucket = "my-terraform-bucket"
acl = "private"
region = "us-east-1"
versioning {
enabled = true
}
}Note: If you are managing multiple workspaces, use terraform workspace select <workspace_name> before running terraform state show.
Example 3: Showing a module resource
When a resource is managed within a module, its state is stored under the module’s namespace. To inspect it, you need to reference the full module path in the terraform state show command.
In this example, let’s display an Azure Virtual Machine from a module.
terraform state show module.azure_vm.azurerm_virtual_machine.my_vmThe module path (module.azure_vm) must match the module name in your Terraform configuration.
If the module is inside another module (nested modules), use:
terraform state show module.parent_module.module.child_module.azurerm_virtual_machine.my_vmThe possible output we are expecting for this example:
# module.azure_vm.azurerm_virtual_machine.my_vm:
resource "azurerm_virtual_machine" "my_vm" {
id = "/subscriptions/xxxxxx/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm"
name = "my-vm"
location = "East US"
resource_group_name = "my-rg"
vm_size = "Standard_B2s"
os_disk {
caching = "ReadWrite"
storage_account_type = "Premium_LRS"
}
network_interface_ids = [
"/subscriptions/xxxxxx/resourceGroups/my-rg/providers/Microsoft.Network/networkInterfaces/my-vm-nic"
]
admin_username = "azureuser"
tags = {
environment = "dev"
}
}Example 4: Showing sensitive values
Terraform marks resource attributes such as passwords, client secrets, and private keys as sensitive. By default, Terraform hides these values in plan and apply outputs, but they are still stored in the state file. While terraform state show can reveal some stored values, Terraform does not display attributes explicitly marked as sensitive.
For example, if you want to display an AWS RDS instance with sensitive values, run:
terraform state show aws_db_instance.my_databaseThe output:
# aws_db_instance.my_database:
resource "aws_db_instance" "my_database" {
id = "my-db-instance"
identifier = "my-db-instance"
engine = "mysql"
engine_version = "8.0.28"
instance_class = "db.t3.micro"
allocated_storage = 20
username = "admin"
password = (sensitive value)
endpoint = "my-db-instance.abcdefg123.us-east-1.rds.amazonaws.com"
port = 3306
}Note: Sensitive values are stored in the state file but are not visible when running terraform state show unless explicitly exposed in Terraform outputs.
Terraform is really powerful, but to achieve an end-to-end secure Gitops approach, you need to use a product that can run your Terraform workflows. Spacelift takes managing Terraform to the next level by giving you access to a powerful CI/CD workflow and unlocking features such as:
- Policies (based on Open Policy Agent) – You can control how many approvals you need for runs, what kind of resources you can create, and what kind of parameters these resources can have, and you can also control the behavior when a pull request is open or merged.
- Multi-IaC workflows – Combine Terraform with Kubernetes, Ansible, and other infrastructure-as-code (IaC) tools such as OpenTofu, Pulumi, and CloudFormation, create dependencies among them, and share outputs
- Build self-service infrastructure – You can use Blueprints to build self-service infrastructure; simply complete a form to provision infrastructure based on Terraform and other supported tools.
- Integrations with any third-party tools – You can integrate with your favorite third-party tools and even build policies for them. For example, see how to integrate security tools in your workflows using Custom Inputs.
Spacelift enables you to create private workers inside your infrastructure, which helps you execute Spacelift-related workflows on your end. Read the documentation for more information on configuring private workers.
You can check it out for free by creating a trial account or booking a demo with one of our engineers.
The terraform state show command is a useful tool for inspecting resource attributes stored in the Terraform state. Whether working with local, remote, or module-based resources, it helps verify configurations, troubleshoot issues, and maintain consistency.
Note: New versions of Terraform are placed under the BUSL license, but everything created before version 1.5.x stays open-source. OpenTofu is an open-source version of Terraform that expands on Terraform’s existing concepts and offerings. It is a viable alternative to HashiCorp’s Terraform, being forked from Terraform version 1.5.6.
Discover a better way to manage Terraform
Spacelift helps manage Terraform state, build more complex workflows, supports policy as code, programmatic configuration, context sharing, drift detection, resource visualization and many more.
