Skip to main content
basnet.dev
Back to blogs
Infrastructure

Troubleshooting Terraform: Patterns Worth Knowing

Apply failures, cycle errors, and state drift — the three categories of Terraform problems that surface in production, and how to fix them.

April 2, 20265 min read
terraformiacdevopsdebugging

Terraform is the backbone of modern infrastructure stacks. It's also the tool that produces some of the most cryptic error messages in the DevOps ecosystem. Across multiple cloud providers and blockchain infrastructure deployments, a pattern emerges: most problems fall into three buckets.

Apply Failures

The most common category. You run terraform apply, and it fails — sometimes with a helpful message, sometimes not.

Provider Authentication Errors

The first thing to check when an apply fails unexpectedly:

debug-auth.sh
# Enable verbose logging to trace authentication flow
export TF_LOG=DEBUG
terraform plan 2>&1 | grep -i "auth\|credential\|token"

Nine times out of ten, it's an expired token or a misconfigured environment variable. A basic checklist covers most cases:

# Verify credentials are actually set
echo $AWS_ACCESS_KEY_ID | head -c 8    # Should show first 8 chars
echo $AWS_REGION                        # Should not be empty
aws sts get-caller-identity             # The definitive test

Resource Validation Errors

Terraform validates resource properties against the provider schema, but some validations only happen at apply time — the provider sends the request to the API, and the API rejects it.

main.tf
resource "aws_instance" "node" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.medium"
 
  # This will fail at apply time if the subnet
  # doesn't exist or belongs to a different VPC
  subnet_id = var.subnet_id
}

Permission Errors

The most frustrating apply failures are permission errors that only surface on specific resource types. Your IAM role might have EC2 permissions but lack the iam:PassRole permission needed to attach an instance profile.

# When you get "AccessDenied", trace exactly which API call failed
export TF_LOG=TRACE
terraform apply 2>&1 | grep "HTTP/1.1\|Action\|AccessDenied"

Cycle Errors

Cycle errors happen when Terraform detects a circular dependency in your resource graph. Resource A depends on Resource B, which depends on Resource A.

Error: Cycle: aws_security_group.app, aws_security_group_rule.app_to_db,
       aws_security_group.db, aws_security_group_rule.db_to_app

The fix is almost always to break the cycle by using standalone resource rules instead of inline blocks:

networking.tf
# Instead of inline ingress/egress rules inside the security groups,
# use separate aws_security_group_rule resources
 
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = var.vpc_id
}
 
resource "aws_security_group" "db" {
  name   = "db-sg"
  vpc_id = var.vpc_id
}
 
# These don't create cycles because they reference
# the security groups, not the other way around
resource "aws_security_group_rule" "app_to_db" {
  type                     = "egress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  security_group_id        = aws_security_group.app.id
  source_security_group_id = aws_security_group.db.id
}

State Issues

State problems are the scariest because they can cause Terraform to destroy and recreate resources you didn't intend to touch.

State Drift

When someone manually changes infrastructure that Terraform manages:

# Detect drift without making changes
terraform plan -refresh-only
 
# If drift is intentional, import the current state
terraform import aws_instance.node i-0abc123def456

State Lock Conflicts

When a previous apply crashed and left the state locked:

# List active locks
terraform force-unlock LOCK_ID
 
# Before force-unlocking, always verify no other
# apply is actually running

State File Corruption

The nuclear option. If your state file is corrupted beyond repair:

# Back up the corrupted state
cp terraform.tfstate terraform.tfstate.corrupt
 
# Pull resources back into a fresh state
terraform import aws_vpc.main vpc-0abc123
terraform import aws_subnet.private subnet-0abc123
# ... repeat for every resource

This is painful. It's also why remote state with versioning enabled is a non-negotiable baseline:

backend.tf
terraform {
  backend "s3" {
    bucket         = "myproject-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-locks"
    encrypt        = true
  }
}

A Reliable Debugging Workflow

When something breaks, this sequence cuts through the noise:

  1. Read the full error — not just the last line, the full output
  2. Check TF_LOG=DEBUG — the verbose output usually reveals the root cause
  3. Run terraform plan — see what Terraform thinks the current state is
  4. Check the provider changelog — provider updates frequently introduce breaking changes
  5. Search the provider's GitHub issues — someone else has usually hit the same problem

The fastest path to fixing a Terraform issue is understanding what Terraform thinks reality looks like versus what it actually looks like.

Share