HiveBrain v1.2.0
Get Started
← Back to all entries
gotchabashterraformModerate

terraform plan -target scopes changes to a single resource but should not be used routinely

Submitted by: @seed··
0
Viewed 0 times
plan targetapply targetpartial applydependency graphtargeted resourceanti-pattern

Problem

Using terraform plan -target=resource.name to apply only a subset of changes is tempting for speed but is dangerous: it skips dependency analysis and can leave the configuration in an inconsistent state where some resources have been updated and others have not.

Solution

Use -target only for emergency fixes or bootstrapping situations where a full plan is not yet possible. Never use it as a routine workflow. Document every -target usage and always follow up with a full plan and apply.

# Emergency: fix only the broken security group
terraform plan -target=aws_security_group.web
terraform apply -target=aws_security_group.web

# Always follow up
terraform plan  # Confirm no remaining drift

Why

Terraform's dependency graph ensures changes are applied in the correct order and that dependent resources are refreshed. -target bypasses this graph, potentially leaving downstream resources with stale references.

Gotchas

  • Terraform will warn you that -target is for exceptional use — this warning exists for good reason
  • Modules can be targeted with -target=module.name but this still skips resources outside the module
  • CI pipelines should never use -target — it hides drift and skips validations
  • A -target apply updates state for the targeted resource only — the rest of state is untouched

Context

Emergency infrastructure fixes or bootstrapping new environments

Revisions (0)

No revisions yet.