Introduction

The terraform plan command is your safety net before making infrastructure changes. Understanding its output is critical for preventing costly mistakes. This guide teaches you to read plan output efficiently.

Running Terraform Plan

terraform plan
terraform plan -out=tfplan        # Save plan to file
terraform plan -target=aws_instance.web  # Plan specific resource
terraform plan -var="env=prod"    # With variables

Understanding Plan Symbols

Terraform uses symbols to indicate what will happen:

| Symbol | Meaning | Color |
| --- | --- | --- |
| + | Create | Green |
| - | Destroy | Red |
| ~ | Update in-place | Yellow |
| -/+ | Destroy and recreate | Red/Green |
| <= | Read (data source) | Cyan |

Example Plan Output

Terraform will perform the following actions:

  # aws_instance.web will be updated in-place
  ~ resource "aws_instance" "web" {
        id            = "i-0abc123"
      ~ instance_type = "t3.micro" -> "t3.small"
        tags          = {
            "Name" = "web-server"
        }
    }

  # aws_security_group.allow_http will be created
  + resource "aws_security_group" "allow_http" {
      + arn         = (known after apply)
      + id          = (known after apply)
      + name        = "allow-http"
      + vpc_id      = "vpc-12345"
      
      + ingress {
          + cidr_blocks = ["0.0.0.0/0"]
          + from_port   = 80
          + protocol    = "tcp"
          + to_port     = 80
        }
    }

Plan: 1 to add, 1 to change, 0 to destroy.

Reading the Summary Line

Plan: 2 to add, 1 to change, 3 to destroy.

This tells you:

  • 2 to add: New resources being created
  • 1 to change: Existing resources being modified
  • 3 to destroy: Resources being removed

Dangerous Signs to Watch For

Unexpected Destroys

  # aws_db_instance.main will be destroyed
  - resource "aws_db_instance" "main" {

Why it happens: Changed an attribute that forces replacement (like engine_version).

Force Replacement

  # aws_instance.web must be replaced
  -/+ resource "aws_instance" "web" {
      ~ ami           = "ami-old" -> "ami-new" # forces replacement

The # forces replacement comment is critical — it means the resource will be destroyed and recreated.

Known After Apply

      + id = (known after apply)

This is normal for computed attributes. But watch for:

      ~ security_groups = (known after apply)

If a value you set changes to “known after apply”, something may be wrong.

Saving and Applying Plans

# Save plan
terraform plan -out=tfplan

# Review saved plan
terraform show tfplan

# Apply saved plan (no confirmation needed)
terraform apply tfplan

# JSON output for automation
terraform plan -json -out=tfplan
terraform show -json tfplan
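
The danger signs described above can also be checked mechanically against the output of terraform show -json tfplan. The following is an added example, not code from the original article: review_plan is a hypothetical helper, SAMPLE_PLAN is constructed data, and the field names (resource_changes, actions, after_unknown, replace_paths) are those of Terraform's JSON plan representation.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields used below; addresses and values are illustrative only.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_db_instance.main", "change": {"actions": ["delete"],
    "before": {"engine_version": "14.7"}, "after": null, "after_unknown": {}}},
  {"address": "aws_instance.web", "change": {"actions": ["delete", "create"],
    "before": {"ami": "ami-old"}, "after": {"ami": "ami-new"},
    "after_unknown": {"id": true}, "replace_paths": [["ami"]]}},
  {"address": "aws_instance.api", "change": {"actions": ["update"],
    "before": {"instance_type": "t3.micro", "security_groups": ["sg-1"]},
    "after": {"instance_type": "t3.small"},
    "after_unknown": {"security_groups": true}}},
  {"address": "aws_security_group.allow_http", "change": {"actions": ["create"],
    "before": null, "after": {"name": "allow-http"},
    "after_unknown": {"id": true, "arn": true}}}
]}
""")

def review_plan(plan):
    """Return (address, finding) pairs for destroys, replacements, and
    previously set attributes that turn into (known after apply)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        actions = change["actions"]
        if "delete" in actions and "create" in actions:
            # Covers both ["delete","create"] and create_before_destroy order.
            paths = [".".join(map(str, p)) for p in change.get("replace_paths", [])]
            findings.append((rc["address"], "replace forced by: " + ", ".join(paths)))
        elif actions == ["delete"]:
            findings.append((rc["address"], "destroy"))
        elif actions == ["update"]:
            before = change.get("before") or {}
            unknown = change.get("after_unknown") or {}
            # Only whole top-level attributes are checked, not nested values.
            for attr in sorted(unknown):
                if unknown[attr] is True and before.get(attr) not in (None, "", [], {}):
                    findings.append((rc["address"], f"{attr} becomes (known after apply)"))
    return findings

if __name__ == "__main__":
    for address, finding in review_plan(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```

In a pipeline, a non-empty result from review_plan can be used to require manual approval before terraform apply tfplan runs.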

Conclusion

Reading terraform plan output is a skill that prevents infrastructure disasters. Always review the plan summary, watch for unexpected destroys and force replacements, and save plans before applying in production.