What does terraform apply/plan refresh-only do?

Question

So I'm a bit confused on what terraform plan refresh-only is giving me. Essentially with just terraform plan it was saying it detected changes outside of terraform (that was me) and it was trying to "correct" these changes, sadly correcting these change requires the recreation of the resource. However if I add "refresh-only" after the plan, it removes that recreation and now says it will update the tfstate to match what changes I have done manually.

Is my understanding of this correct or are there things I'm missing?

Answer 1

A "normal" terraform plan includes two main behaviors:

1. Update the state from the previous run to reflect any changes made outside of Terraform. That's called "refreshing" in Terraform terminology.
2. Comparing that updated state with the desired state described by the configuration, and in case of any differences generating a proposed set of actions to change the real remote objects to match the desired state.

When you create a "refresh-only" plan, you're disabling the second of those, but still performing the first. Terraform will update the state to match changes made outside of Terraform, and then ask you if you want to commit that result as a new state snapshot to use on future runs. Typically the desired result of a refresh-only plan is for Terraform to report that there were no changes outside of Terraform, although Terraform does allow you to commit the result as a new state snapshot if you wish, for example if the changes cascaded from an updated object used as a data resource and you want to save those new results.

A refresh-only plan prevents Terraform from proposing any actions that would change the real infrastructure for that particular plan, but it does not avoid the need to deal with any differences in future plans. If the changes that Terraform is proposing are not acceptable then to move forward you will either need to change the configuration to match your actual desired state (for example, to match the current state of the object you don't want to replace) or change the real infrastructure (outside of Terraform) so it will match your configuration.

Answer 2

For all terraform commands that involves states, e.g., plan, apply, refresh (deprecated and is now '-refresh-only'), it is useful to think about it in terms of 2 things:

• The authoritative state
• The states being compared Note that the 'authoritative state' is NEVER changed as a result of the command.

There are 3 types of 'state' (loosely):

• Actual state of your infra (actual-state)
• terraform state file (tf-state-file)
• State described by terraform code config (tf-dsl-config)

When you do terraform plan/apply WITH -refresh-only:

• The authoritative state is 'actual-state'
• The states being compared in 'terraform plan -refresh-only' is 'actual-state' vs. 'tf-state-file'
• The outcome of 'terraform apply -refresh-only' is 'tf-state-file' is synced to become 'actual-state'

When you do terraform plan/apply WITHOUT -refresh-only:

• The authoritative state is 'tf-dsl-config'
• The states being compared in 'terraform plan' is 'tf-dsl-config' vs. 'actual-state'
• The outcome of 'terraform apply' is 'actual-state' is synced to become 'tf-dsl-config'

For more details of what authoritative states are, and what states are being compared for various terraform commands see:

This is from https://medium.com/code-oil/understanding-terraform-plan-apply-refresh-only-the-myths-and-fixing-drift-5963207a1df8