terraform console: REPL for HCL expressions

What console does

terraform console is a REPL (Read-Eval-Print Loop). You type an expression, Terraform evaluates it, and prints the result. It works like python or node with no flags.

This is the most underrated tool in Terraform. It is free, does not modify state, and does not call the cloud (beyond reading already-refreshed data), yet it saves hours of debugging.

Basic usage

cd ~/myproject

terraform console

The prompt appears:

>

Type expressions:

> 1 + 2

3

> "hello, " + "world"

"hello, world"

> upper("terraform")

"TERRAFORM"

> length([1, 2, 3, 4])

4

To exit, type exit or press Ctrl+D.

Checking variables and locals

> var.region

"us-east-1"

> local.name_prefix

"linuxlab-dev-us-east-1"

> local.common_tags

tomap({

  "Env" = "dev"

  "ManagedBy" = "terraform"

  "Project" = "linuxlab-terraform-course"

})

This is the main use case. When a locals value is assembled from five nested functions, reading it by eye is not feasible. In console, one expression shows the actual computed value.

Checking types

The type() function is a special operator available only in console:

> type(var.region)

string

> type(var.tags)

map of string

> type([1, 2, 3])

tuple([number, number, number])

> type(toset(["a", "b"]))

set of string

This is useful when you are unsure whether something is a list or a tuple, a map or an object. See hcl-types for the difference.

Accessing state

After apply, all created resources are readable in console:

> aws_s3_bucket.demo.arn

"arn:aws:s3:::linuxlab-hello-abc123"

> aws_s3_bucket.demo.tags

tomap({

  "Owner" = "student"

})

> [for b in aws_s3_bucket.many : b.id]

[

  "linuxlab-count-0-abc",

  "linuxlab-count-1-def",

]

This is safe. No changes happen. It is plain state reading through the same expressions you use in HCL.

Testing functions

Before writing an expression in HCL, test it in console:

> format("%s in region %s", upper("dev"), "us-east-1")

"DEV in region us-east-1"

> merge({a = 1, b = 2}, {b = 99, c = 3})

{

  "a" = 1

  "b" = 99

  "c" = 3

}

> [for x in [1, 2, 3, 4] : x * 2 if x > 2]

[

  6,

  8,

]

This is much faster than the cycle of editing HCL, running plan, reading the diff, and realizing the expression was wrong. Console is a unit test for a single line.

Non-interactive mode with echo

Sometimes you need a single expression value from a script:

echo 'type(var.tags)' | terraform console

echo 'aws_s3_bucket.demo.arn' | terraform console -no-color

Pass it via stdin. Convenient for CI or documentation.

Multi-line expressions

In the REPL you can enter multiple lines by wrapping them in braces:

> {

  name = "myapp"

  tags = {

    Owner = "platform"

  }

}

{

  "name" = "myapp"

  "tags" = {

    "Owner" = "platform"

  }

}

This is useful for testing complex object literals.

Pitfalls

• Console requires a valid config. If HCL has a syntax error, console will not start. Run validate first.

• Console reads the current state. If state is empty (before apply), aws_s3_bucket.demo.arn will fail with "resource not found". That is expected: the resource does not exist yet.

• Console does not refresh. Values come from the state file as it stands. If something changed in the cloud outside Terraform, console will not see it. To update: terraform refresh (but it modifies state, use with care).

• Sensitive values are masked. If an output is marked sensitive = true, console shows (sensitive value). To reveal it, use the nonsensitive() function.

• Workspace matters. Console operates in the active workspace. If you switched to staging, you see the staging state. terraform workspace show prints the current workspace.

• Console does not run provisioners. No local-exec, no external commands. Only pure expressions.