Terraform Target Flag: How to Target Resources in Terraform

The -target flag tells Terraform to plan, apply, or destroy a specific resource or module instead of the entire configuration. In this article, we will look at how to target specific resources in Terraform. We will explain the use of the -target option, and how to use it to target single and multiple resources with some examples, and in what circumstances you should avoid using it.

Targeting individual resources can be useful for troubleshooting errors, but should not be part of your normal workflow.

What we will cover:

1. What is target in Terraform?
2. How do you target resources in Terraform?
3. How to target Terraform module?
4. Targeting resources with terraform plan
5. How do you target destroy in Terraform?
6. When to avoid using Terraform -target?
7. -target vs -replace vs -exclude

In Terraform, -target is a command-line option that lets you plan or apply changes to specific resources or modules only, instead of your entire configuration. It’s handy for troubleshooting, one-off fixes, or accelerating changes in large deployments.

However, -target tells Terraform to focus on just part of the dependency graph. This can lead to partial updates, skipped changes, and long-term drift if you rely on it in routine workflows. HashiCorp explicitly recommends using resource targeting only for exceptional situations, not as your default deployment strategy.

Without the -target option, the terraform plan, terraform apply or terraform destroy commands would take the entire configuration into account rather than a specific resource or set of Terraform resources.

Your Terraform configuration file usually defines multiple resources, such as an Azure Virtual Machine and an Azure Storage account.

You can use the -target option to specify a resource identifier. With the apply and destroy commands, the operation will then apply to the target resources only, and when run with the plan command, the output will be limited to show the planned changes to the targeted resources only.

Example 1: Terraform apply — single resource using -target=resource

To apply changes to a single resource in Terraform, use the -target option with the full resource address during terraform apply.

In our example, to apply changes only to the Azure Virtual Machine and ignore all other resources, you can run terraform apply command with the -target option to reference the VM:

terraform apply -target=azurerm_linux_virtual_machine.example

In this command, azurerm_linux_virtual_machine.example is the resource identifier of the Virtual Machine instance resource defined in your Terraform configuration file.

Example 2: Terraform apply — multiple resources using -target=resource

To target multiple resources in Terraform, use multiple -target flags in your command. Each -target must specify a full resource address. This selectively applies or plans only the listed resources and their dependencies. 

For example, to apply changes to your Azure Virtual Machine and Azure Storage Account only and ignore all other resources, you can run terraform apply command with the -target option to reference both resources:

terraform apply -target=azurerm_linux_virtual_machine.example -target=azurerm_storage_account.example

In this command, azurerm_linux_virtual_machine.example is the resource identifier of the Virtual Machine instance resource, and azurerm_storage_account.example is the resource identifier of the Azure Storage account defined in your Terraform configuration file.

Note: Overusing targeting can cause drift or incomplete state changes, so it’s best used for troubleshooting or partial updates.

To target a Terraform module, you can use the -target option followed by the module path and the resource identifier. The format is <module_path>.<resource_identifier>.

Terraform will also apply changes to all resources that depend on that module, so be sure to understand the dependencies in your Terraform configuration before targeting a module.

To apply changes to your Azure Virtual Machine when defined in a module only and ignore all other resources, you can run terraform apply command with the -target option to reference the VM only:

terraform apply -target=module.vm.azurerm_linux_virtual_machine.example

In this command, the module is called vm, where the resource identifier is azurerm_linux_virtual_machine.example.

How to target multiple Terraform modules

To target multiple Terraform modules, use the -target flag with each module path explicitly defined during terraform apply or terraform plan.

Each module must be specified with its full resource or module address, for example:

terraform apply -target=module.network -target=module.database

To manage multiple modules more safely, structure your project with clear module boundaries and use workspaces or separate state files when isolation is required.

You can also use the -target option with the terraform plan command in the same way as terraform apply, using the -target flag followed by the resource address. This limits the plan to only the specified resources and their dependencies.

For example, to reference a VM only:

terraform plan -target=azurerm_linux_virtual_machine.example

Read more about targeting resources with terraform plan.

To target and destroy a specific resource in Terraform, use the -target flag with the terraform destroy command. This destroys only the specified resource without affecting the rest of the infrastructure. 

Use this feature carefully, as destroying a single resource may break dependencies or state consistency if other resources depend on it. Always run terraform plan first to verify the impact.

For example, similar to the apply and plan command, to destroy your Azure Virtual Machine only and ignore all other resources, you can run terraform destroy command with the -target flag to reference the VM only:

terraform destroy -target=azurerm_linux_virtual_machine.example

In short: use -target only for exceptional debugging or emergency fixes. If it’s part of your normal deployment process, your project layout probably needs refactoring. Before reaching for -target, consider whether -replace, smaller modules, or platform features like Spacelift stacks can solve the same problem more safely.

Avoid using the -target flag in Terraform during standard or routine deployments, as it can lead to inconsistent infrastructure states and break Terraform’s dependency graph.

The -target flag forces Terraform to focus only on specific resources, bypassing the usual dependency-aware planning and apply logic. This is useful for debugging or deploying isolated changes, but overuse can create drift, partial updates, or unintended side effects.

Reserve -target for exceptional cases like:

• Isolating a failing resource to unblock a deployment
• Manually reapplying a resource after an external change
• Migrating or replacing a specific module without affecting others

For example, consider a storage account generated with a name using the random_pet resource (an interesting resource that generates random pet names intended to be used as unique identifiers for other resources). 

Targeting the storage account in isolation would leave the state inconsistent: random_pet would generate a new name on the next full apply, but the state file would still reference the old one, leading to drift between configuration and reality. This is exactly the kind of dependency Terraform’s graph is designed to handle for you.

-target isn’t the only flag for narrowing down what Terraform operates on. Depending on what you’re actually trying to do, one of the alternatives is usually a cleaner fit:

Flag	What it does	Available in	Typical use case
-target=ADDRESS	Operates on the resource and its dependencies	Terraform & OpenTofu	Debugging or unblocking a single resource
-replace=ADDRESS	Forces a destroy-and-recreate of the resource on the next apply	Terraform & OpenTofu	Recreating a resource without changing config (replaces the deprecated terraform taint)
-exclude=ADDRESS	Operates on everything except the resource and its dependents	OpenTofu 1.10+	Skipping a slow, locked, or temporarily broken resource
-target-file=FILE / -exclude-file=FILE	Reads addresses from a file instead of repeating flags	OpenTofu 1.10+	Phased rollouts, CI/CD, large selection lists

If a resource has drifted, become corrupted, or just needs to be rebuilt (for example, an EC2 instance with broken cloud-init), reach for -replace rather than destroying and re-applying with -target:

terraform apply -replace=aws_instance.web

This keeps the dependency graph intact and only schedules the one resource for replacement. It’s the modern equivalent of terraform taint, which has been deprecated since Terraform 0.15.2.

When to use -exclude (OpenTofu only)?

If one resource is causing problems but you still want to apply changes to everything else, -exclude is much safer than listing every other resource with -target:

tofu apply -exclude=aws_db_instance.legacy

For larger exclusion lists, put them in a file and use -exclude-file=excludes.txt. Note that the positive flags (-target, -target-file) and negative flags (-exclude, -exclude-file) are mutually exclusive, so you can’t combine them in a single command.

Terraform is really powerful, but to achieve an end-to-end secure GitOps approach, you need a platform that can orchestrate your Terraform workflows. Spacelift is the infrastructure orchestration platform built for the AI-accelerated software era.

It manages the full lifecycle for both traditional infrastructure as code (IaC) and AI-provisioned infrastructure, giving you access to a powerful CI/CD workflow and unlocking features such as:

• Policies (based on Open Policy Agent) – You can control how many approvals you need for runs, what kind of resources you can create, and what kind of parameters these resources can have, and you can also control the behavior when a pull request is open or merged.
• Multi-IaC workflows – Combine Terraform with Kubernetes, Ansible, and other IaC tools such as OpenTofu, Pulumi, and CloudFormation, create dependencies among them, and share outputs.
• Build self-service infrastructure – You can use Templates and Blueprints to build self-service infrastructure; simply complete a form to provision infrastructure based on Terraform and other supported tools.
• AI-powered provisioning and diagnostics – Spacelift Intelligence adds an AI-powered layer for natural language provisioning, diagnostics, and operational insight across your infrastructure workflows.
• Integrations with any third-party tools – You can integrate with your favorite third-party tools and even build policies for them. For example, see how to integrate security tools in your workflows using Custom Inputs.

Spacelift enables you to create private workers inside your infrastructure, which helps you execute Spacelift-related workflows on your end. Read the documentation for more information on configuring private workers.

You can check it for free by creating a trial account or requesting a demo with one of our engineers.

The -target argument is another useful tool that can be used to select single or sets of defined resources to ensure that all other changes to all other resources in your Terraform configuration files are ignored.

Note: New versions of Terraform are placed under the BUSL license, but everything created before version 1.5.x stays open-source. OpenTofu is an open-source version of Terraform that expands on Terraform’s existing concepts and offerings. It is a viable alternative to HashiCorp’s Terraform, being forked from Terraform version 1.5.6.