{"id":2137,"date":"2026-02-21T03:12:59","date_gmt":"2026-02-20T14:12:59","guid":{"rendered":"https:\/\/www.ronella.xyz\/?p=2137"},"modified":"2026-02-21T03:12:59","modified_gmt":"2026-02-20T14:12:59","slug":"understanding-state-with-show-state-and-output","status":"publish","type":"post","link":"https:\/\/www.ronella.xyz\/?p=2137","title":{"rendered":"Understanding State with show, state, and output"},"content":{"rendered":"

Terraform\u2019s state<\/strong> is how it \u201cremembers\u201d what exists in your infrastructure so it can plan precise, minimal changes instead of blindly recreating resources. In this article, we\u2019ll treat Terraform as a black box and learn how to inspect<\/em> its memory using three key CLI tools: terraform show<\/code>, the terraform state<\/code> subcommands, and terraform output<\/code>.<\/p>\n

\n

1. What Terraform State Actually Is<\/h2>\n

Terraform keeps a mapping between:<\/p>\n

    \n
  • Your configuration (.tf<\/code> files)<\/li>\n
  • The real resources in your cloud provider (IDs, IPs, ARNs, etc.)<\/li>\n<\/ul>\n

    This mapping lives in a state file, usually terraform.tfstate<\/code>, and often in a remote backend such as S3, Azure Blob Storage, or GCS for team use. The state includes every attribute of every managed resource, plus metadata used for things like dependency ordering and change detection.<\/p>\n

    Why you care:<\/strong><\/p>\n

      \n
    • Debugging: Is Terraform seeing the same thing you see in the console?<\/li>\n
    • Refactoring: How do you rename resources without destroying them?<\/li>\n
    • Automation: How do you feed outputs into CI\/CD or other tools?<\/li>\n<\/ul>\n

      You should never<\/strong> hand-edit the state file; instead you use the CLI commands discussed below to read or safely modify it.<\/p>\n

      \n

      2. terraform show<\/code> \u2014 Inspecting the Whole State or a Plan<\/h2>\n

      Think of terraform show<\/code> as \u201cdump what Terraform currently knows\u201d \u2014 it turns a state file or a saved plan into a human-readable or JSON view.<\/p>\n

      Core usage<\/h2>\n
      # Show the current state snapshot (from the active backend)\nterraform show\n\n# Show a specific state file\nterraform show path\/to\/terraform.tfstate\n\n# Show a saved plan file\nterraform show tfplan\n\n# Machine-readable JSON for tooling\nterraform show -json > plan.json<\/code><\/pre>\n
        \n
      • Without a file argument, terraform show<\/code> prints the latest state snapshot from the active backend.<\/li>\n
      • With a plan file, it describes the proposed actions and resulting state.<\/li>\n
      • With -json<\/code>, you get a structured document that external tools (e.g. CI, tests) can parse and validate.<\/li>\n<\/ul>\n
        \n
        Important: When using -json<\/code>, sensitive values are printed in plain text<\/strong>; handle this carefully in pipelines and logs.<\/p>\n<\/blockquote>\n
        When to use terraform show<\/code><\/h2>\n
        Use it when:<\/p>\n
          \n
        • You want a global view<\/strong>: \u201cWhat exactly is Terraform tracking right now?\u201d<\/li>\n
        • You want to inspect a plan artifact<\/strong> (plan -out tfplan<\/code>) before approving it in CI.<\/li>\n
        • You want to feed state or plan data into a tool (via -json<\/code>) for policy checks, drift checks, or custom validation.<\/li>\n<\/ul>\n
          Conceptually, terraform show<\/code> is read-only and holistic: it treats the state (or plan) as a whole, rather than individual resources.<\/p>\n
          \n
          3. terraform state<\/code> \u2014 Fine-Grained State Inspection and Surgery<\/h2>\n
          The terraform state<\/code> command is a group of subcommands<\/strong> designed specifically to inspect and modify<\/em> state without touching real infrastructure. This is the surgical toolkit you reach for when refactoring or repairing.<\/p>\n
          Key subcommands<\/h2>\n\n\n\n\n\n\n\n\n\n\n
          Command<\/th>\nWhat it does<\/th>\nTypical use<\/th>\n<\/tr>\n<\/thead>\n
          terraform state list<\/code><\/td>\nLists all resource addresses in state<\/td>\n\u201cWhat is Terraform tracking?\u201d<\/td>\n<\/tr>\n
          terraform state show ADDRESS<\/code><\/td>\nShows attributes of one resource<\/td>\nDebugging one resource (IDs, IPs, tags, etc.)<\/td>\n<\/tr>\n
          terraform state mv SRC DEST<\/code><\/td>\nMoves\/renames a resource in state<\/td>\nRefactors config without destroy\/recreate<\/td>\n<\/tr>\n
          terraform state rm ADDRESS<\/code><\/td>\nRemoves a resource from state<\/td>\nStop managing a resource without deleting it<\/td>\n<\/tr>\n
          terraform state pull<\/code><\/td>\nPrints raw state to stdout<\/td>\nBackup, inspection, or external processing<\/td>\n<\/tr>\n
          terraform state push<\/code><\/td>\nUploads a local state file<\/td>\nRestore\/correct broken remote state (used rarely, carefully)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
          3.1 terraform state list<\/code><\/h2>\n
          terraform state list\n# e.g.\n# aws_instance.web[0]\n# aws_instance.web[1]\n# aws_security_group.allow_ssh<\/code><\/pre>\n
          This gives you the resource addresses<\/strong> Terraform knows about, optionally filtered by a prefix. It\u2019s extremely useful when working with modules or count\/for_each, because you can see the exact address Terraform expects.<\/p>\n
          3.2 terraform state show<\/code><\/h2>\n
          terraform state show aws_instance.web[0]<\/code><\/pre>\n
          This prints every attribute of that specific resource as seen in state \u2014 IDs, IPs, tags, relationships, and computed attributes. Semantically, it answers: \u201cWhat does Terraform think this one resource looks like?\u201d<\/em>.<\/p>\n
          Use it when:<\/p>\n
            \n
          • Debugging drift: console vs state mismatch.<\/li>\n
          • Understanding complex resources: which subnet, which IAM role?<\/li>\n
          • Checking data sources that were resolved at apply time.<\/li>\n<\/ul>\n
            Note the difference:<\/p>\n
              \n
            • terraform show<\/code> \u2192 everything (or full plan).<\/li>\n
            • terraform state show ADDRESS<\/code> \u2192 one resource only.<\/li>\n<\/ul>\n
              3.3 terraform state mv<\/code> \u2014 Refactor Without Downtime<\/h2>\n
              terraform state mv aws_instance.web aws_instance.app<\/code><\/pre>\n
              If you simply rename the block in your .tf<\/code> code, Terraform will plan to destroy<\/strong> the old resource and create<\/strong> a new one because it assumes they\u2019re unrelated. state mv<\/code> tells Terraform that the underlying resource<\/em> is the same, you\u2019re just changing the mapping.<\/p>\n
              This is critical for:<\/p>\n
                \n
              • Renaming resources.<\/li>\n
              • Moving resources into\/out of modules.<\/li>\n
              • Splitting a monolith configuration into multiple modules\/workspaces.<\/li>\n<\/ul>\n
                3.4 terraform state rm<\/code> \u2014 Stop Managing Without Deleting<\/h2>\n
                terraform state rm aws_instance.legacy<\/code><\/pre>\n
                This removes the resource from Terraform\u2019s management while leaving it alive in your provider. Use this when decommissioning Terraform from part of your estate or when you temporarily need Terraform to \u201cforget\u201d something (e.g. migration to a different tool).<\/p>\n
                3.5 terraform state pull<\/code> \/ push<\/code><\/h2>\n
                These expose and manipulate the raw state blob:<\/p>\n
                terraform state pull > backup.tfstate\nterraform state push backup.tfstate<\/code><\/pre>\n
                They\u2019re useful for backups or extremely rare recovery scenarios, but they\u2019re dangerous<\/strong> if misused, so in practice you rely much more on list<\/code>, show<\/code>, mv<\/code>, and rm<\/code>.<\/p>\n
                \n
                4. terraform output<\/code> \u2014 Consuming State Safely<\/h2>\n
                terraform output<\/code> reads output values<\/strong> defined in the root module and prints their values from the state file. It is the \u201cofficial interface\u201d for other systems (and humans) to consume selected bits of state without parsing the state file directly.<\/p>\n
                4.1 Defining outputs in configuration<\/h2>\n
                In your root module:<\/p>\n
                output "instance_ips" {\n  value = aws_instance.web[*].public_ip\n}\n\noutput "lb_address" {\n  value = aws_lb.web.dns_name\n}\n\noutput "db_connection_string" {\n  value     = module.database.connection_string\n  sensitive = true\n}<\/code><\/pre>\n
                  \n
                • Outputs are calculated after terraform apply<\/code> and stored in state.<\/li>\n
                • Only root module<\/strong> outputs are visible to terraform output<\/code>; child module outputs must be re-exposed.<\/li>\n<\/ul>\n
                  4.2 Using terraform output<\/code> interactively<\/h2>\n
                  # Show all outputs for the root module\nterraform output\n\n# Show one specific output\nterraform output lb_address\n\n# Machine-readable JSON\nterraform output -json\n\n# Raw string (no quotes\/newlines), perfect for scripts\nterraform output -raw lb_address<\/code><\/pre>\n
                    \n
                  • With no arguments, it prints all root outputs.<\/li>\n
                  • With a NAME<\/code>, it prints just that value.<\/li>\n
                  • -json<\/code> gives a JSON object keyed by output name; can be piped into jq<\/code> or similar tools.<\/li>\n
                  • -raw<\/code> prints a bare string\/number\/boolean; ideal when exporting in shell scripts without extra quoting.<\/li>\n<\/ul>\n
                    This is the idiomatic way to feed state into:<\/p>\n
                      \n
                    • CI\/CD pipelines (e.g. get ALB DNS for integration tests).<\/li>\n
                    • Other scripts (e.g. configure DNS records).<\/li>\n
                    • Other tools (e.g. Ansible inventory).<\/li>\n<\/ul>\n
                      \n
                      5. Putting It Together: A Simple Example<\/h2>\n
                      Below is a minimal, self-contained configuration you can run locally.<\/p>\n
                      5.1. Prerequisites<\/h2>\n
                        \n
                      1. \n
                        LocalStack running (Docker is typical):<\/p>\n
                        docker run --rm -it -p 4566:4566 -p 4510-4559:4510-4559 localstack\/localstack<\/code><\/pre>\n
                        LocalStack\u2019s edge endpoint is exposed on http:\/\/localhost:4566<\/code> by default.<\/p>\n<\/li>\n
                      2. \n
                        Terraform installed (1.x).<\/p>\n<\/li>\n<\/ol>\n
                        5.2. Terraform Configuration Using LocalStack<\/h2>\n
                        Create a directory (for example tf-localstack-ec2<\/code>) and within it create two files: versions.tf<\/code> and main.tf<\/code>.<\/p>\n
                        versions.tf<\/code><\/h4>\n
                        Lock AWS provider to a version that is known to work well with LocalStack (4.x is a common choice):<\/p>\n
                        terraform {\n  required_version = ">= 1.6.0"\n\n  required_providers {\n    aws = {\n      source  = "hashicorp\/aws"\n      version = "~> 5.0"\n    }\n  }\n}<\/code><\/pre>\n
                        main.tf<\/code><\/h4>\n
                        provider "aws" {\n  region                      = "us-east-1"\n  access_key                  = "test"\n  secret_key                  = "test"\n  skip_credentials_validation = true\n  skip_metadata_api_check     = true\n  skip_requesting_account_id  = true\n\n  endpoints {\n    ec2 = "http:\/\/localhost:4566"\n  }\n}\n\nresource "aws_instance" "web" {\n  ami           = "ami-12345678"\n  instance_type = "t3.micro"\n\n  tags = {\n    Name = "tf-demo-web-localstack"\n  }\n}\n\noutput "web_public_ip" {\n  value = aws_instance.web.public_ip\n}<\/code><\/pre>\n
                        Notes:<\/p>\n
                          \n
                        • The endpoints.ec2<\/code> block points the EC2 API at LocalStack\u2019s edge endpoint.<\/li>\n
                        • Credentials are dummy; LocalStack doesn\u2019t actually validate them.<\/li>\n
                        • The AMI ID is a placeholder; LocalStack typically does not require the AMI to exist, but EC2 support is limited and can hang for some combinations. For state\/command learning it\u2019s usually enough that Terraform \u201cthinks\u201d it created something.<\/li>\n<\/ul>\n
                          5.3. How to Apply and Validate<\/h2>\n
                          From the directory containing these files:<\/p>\n
                            \n
                          1. \n
                            Initialize and apply<\/strong><\/p>\n
                            terraform init\nterraform apply -auto-approve<\/code><\/pre>\n
                            Terraform will talk to LocalStack instead of AWS because of the custom endpoint.<\/p>\n<\/li>\n
                          2. \n
                            Validate with show<\/code><\/strong><\/p>\n
                            terraform show<\/code><\/pre>\n
                            Confirm there is a aws_instance.web<\/code> block with attributes populated from LocalStack\u2019s response.<\/p>\n<\/li>\n
                          3. \n
                            Validate with state<\/code><\/strong><\/p>\n
                            terraform state list\n# should include:\n# aws_instance.web\n\nterraform state show aws_instance.web<\/code><\/pre>\n
                            This tells you what Terraform\u2019s state holds for this specific resource address.<\/p>\n<\/li>\n
                          4. \n
                            Validate with output<\/code><\/strong><\/p>\n
                            terraform output web_public_ip\nterraform output -raw web_public_ip<\/code><\/pre>\n
                            For LocalStack, the public IP may be empty or synthetic depending on EC2 emulation level, but the command proves the wiring from resource \u2192 state \u2192 output.<\/p>\n<\/li>\n<\/ol>\n
                            5.4. Rationale for These Choices<\/h2>\n
                              \n
                            • We override only the EC2 endpoint to keep the example close to \u201creal\u201d AWS code while still talking to LocalStack.<\/li>\n
                            • We relax provider validations (skip_*<\/code> flags) because LocalStack does not implement all AWS account\/metadata APIs.<\/li>\n<\/ul>\n
                              With this setup, you can safely experiment with terraform show<\/code>, terraform state *<\/code>, and terraform output<\/code> on your laptop, without touching real AWS accounts or incurring cost.<\/p>\n
                              \n
                              6. Conceptual Summary: Which Command When?<\/h2>\n\n\n\n\n\n\n\n\n\n\n
                              Need<\/th>\nCommand<\/th>\nRationale<\/th>\n<\/tr>\n<\/thead>\n
                              See everything Terraform knows<\/td>\nterraform show<\/code><\/td>\nWhole-state, read-only view (or a plan)<\/td>\n<\/tr>\n
                              Inspect one resource deeply<\/td>\nterraform state show ADDRESS<\/code><\/td>\nFocused, per-resource state inspection<\/td>\n<\/tr>\n
                              List all tracked resources<\/td>\nterraform state list<\/code><\/td>\nDiscover resource addresses in state<\/td>\n<\/tr>\n
                              Rename\/move resources\/modules<\/td>\nterraform state mv<\/code><\/td>\nRefactor mappings without downtime<\/td>\n<\/tr>\n
                              Forget a resource but keep it alive<\/td>\nterraform state rm<\/code><\/td>\nStop managing without deleting<\/td>\n<\/tr>\n
                              Give other tools a clean interface<\/td>\nterraform output<\/code> \/ -json<\/code> \/ -raw<\/code><\/td>\nOfficial way to expose selected state data developer.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
                              The underlying rationale is separation of concerns:<\/p>\n
                                \n
                              • terraform show<\/code> \u2192 observability of plans and state<\/em>.<\/li>\n
                              • terraform state<\/code> \u2192 precise manipulation and inspection of state<\/em>.<\/li>\n
                              • terraform output<\/code> \u2192 controlled, stable API to state for humans and downstream systems<\/em>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
                                Terraform\u2019s state is how it \u201cremembers\u201d what exists in your infrastructure so it can plan precise, minimal changes instead of blindly recreating resources. In this article, we\u2019ll treat Terraform as a black box and learn how to inspect its memory using three key CLI tools: terraform show, the terraform state subcommands, and terraform output. 1. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[94],"tags":[],"_links":{"self":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts\/2137"}],"collection":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2137"}],"version-history":[{"count":1,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts\/2137\/revisions"}],"predecessor-version":[{"id":2138,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=\/wp\/v2\/posts\/2137\/revisions\/2138"}],"wp:attachment":[{"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ronella.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}