In this short article, we will look at how to target specific resources in Terraform. We will explain the use of the -target option, and how to use it to target single and multiple resources with some examples, and in what circumstances you should avoid using it!
We will cover:
The -target option is a command flag used in Terraform to target a specific resource for action instead of performing the action on all resources. It is used when running the terraform plan, terraform apply or terraform destroy commands.
Without the -target option, these commands would take the entire configuration into account rather than a specific resource or set of Terraform resources.
Usually, your Terraform configuration file defines multiple resources. For example, this might include an Azure Virtual Machine and an Azure Storage account.
You can use the -target option to specify a resource identifier. With the apply and destroy commands, the operation will then apply to the target resources only and usefully when run with the plan command will limit the output to show the planned changes to the targeted resources only.
Example 1: Terraform apply — single resource using -target=resource
To apply changes to your Azure Virtual Machine only and ignore all other resources, you can run terraform apply command with the -target option to reference the VM only:
terraform apply -target=azurerm_vm.exampleIn this command, azurerm_vm.example is the resource identifier of the Virtual Machine instance resource defined in your Terraform configuration file.
Example 2: Terraform apply — multiple resources using -target=resource
To apply changes to your Azure Virtual Machine and Azure Storage Account only and ignore all other resources, you can run terraform apply command with the -target option to reference both resources:
terraform apply -target=azurerm_vm.example -target=azurerm_storage.exampleIn this command, azurerm_vm.example is the resource identifier of the Virtual Machine instance resource and azurerm_storage.example is the resource identifier of the Azure Storage account defined in your Terraform configuration file.
To target a Terraform module, you can use the -target option followed by the module path and the resource identifier. The format is <module_path>.<resource_identifier>.
Terraform will also apply changes to all resources that depend on that module, so be sure to understand the dependencies in your Terraform configuration before targeting a module.
To apply changes to your Azure Virtual Machine when defined in a module only and ignore all other resources, you can run terraform apply command with the -target option to reference the VM only:
terraform apply -target=module.vm.azurerm_vm.exampleIn this command, the module is called vm, where the resource identifier is azurerm_vm.example.
You can also use the -target option with the terraform plan command in the same way as terraform apply.
For example, to reference a VM only:
terraform plan -target=azurerm_vm.exampleRead more about targeting resources with terraform plan.
Similar to the apply and plan command, to destroy your Azure Virtual Machine only and ignore all other resources, you can run terraform destroy command with the -target flag to reference the VM only:
terraform destroy -target=azurerm_vm.exampleTargeting resources can be useful in certain situations, but it should be used with caution as it can create resource dependencies and cause unexpected changes to your infrastructure. Terraform has built-in dependency mapping that should be taken advantage of wherever possible.
If your Terraform configuration uses remote state storage (Terraform Cloud, AWS S3, etc.), the targeted approach might not be appropriate. Terraform needs to fetch the entire state to calculate changes, which nullifies the benefits of targeting specific resources.
It is also not a good idea to target resources that generate random values in isolation.
For example, consider a storage account is generated with a name using the random_pet resource (an interesting resource that generates random pet names that are intended to be used as unique identifiers for other resources). Targeting this in isolation would be untrustworthy if we decide to create a new storage account using random_pet as the value in the state file will still contain the old name for the storage account. Again this is where the built-in dependency mapping that Terraform provides should be utilized.
Terraform is really powerful, but to achieve an end-to-end secure Gitops approach, you need to use a product that can run your Terraform workflows. Spacelift takes managing Terraform to the next level by giving you access to a powerful CI/CD workflow and unlocking features such as:
- Policies (based on Open Policy Agent) – You can control how many approvals you need for runs, what kind of resources you can create, and what kind of parameters these resources can have, and you can also control the behavior when a pull request is open or merged.
- Multi-IaC workflows – Combine Terraform with Kubernetes, Ansible, and other infrastructure-as-code (IaC) tools such as OpenTofu, Pulumi, and CloudFormation, create dependencies among them, and share outputs
- Build self-service infrastructure – You can use Blueprints to build self-service infrastructure; simply complete a form to provision infrastructure based on Terraform and other supported tools.
- Integrations with any third-party tools – You can integrate with your favorite third-party tools and even build policies for them. For example, see how to integrate security tools in your workflows using Custom Inputs.
Pomelo’s initial approach to managing Terraform was not up to the task of accommodating the needs of a rapidly expanding company. Now that they use Spacelift, they can rely on a specialized platform for infrastructure as code (IaC) that will adapt to their needs as they scale and provide a cost-effective alternative to largely manual processes.
Spacelift enables you to create private workers inside your infrastructure, which helps you execute Spacelift-related workflows on your end. Read the documentation for more information on configuring private workers.
You can check it out for free by creating a trial account or booking a demo with one of our engineers.
The -target argument is another useful tool that can be used to select single or sets of defined resources to be sure that all other changes to all other resources in your Terraform configuration files are ignored.
We encourage you also to explore how Spacelift makes it easy to work with Terraform. If you need any help managing your Terraform infrastructure, building more complex workflows based on Terraform, and managing AWS credentials per run, instead of using a static pair on your local machine, Spacelift is a fantastic tool for this.
Note: New versions of Terraform are placed under the BUSL license, but everything created before version 1.5.x stays open-source. OpenTofu is an open-source version of Terraform that expands on Terraform’s existing concepts and offerings. It is a viable alternative to HashiCorp’s Terraform, being forked from Terraform version 1.5.6.
Automate Terraform Deployments with Spacelift
Automate your infrastructure provisioning, and build more complex workflows based on Terraform using policy as code, programmatic configuration, context sharing, drift detection, resource visualization, and many more.
