What does the `-target` flag do, and why is it discouraged for routine use?

4 min | advanced | terraform, target, cli, best-practices

Quick Answer

`terraform plan/apply -target=aws_instance.web` restricts Terraform to only that resource (and its dependencies), skipping everything else in the configuration — useful in genuine emergencies, like fixing one broken resource without waiting for an unrelated, slow, or currently-broken part of the plan to also process. It's discouraged as routine practice because it produces a plan that's *not* a full reconciliation of configuration against state — resources outside the target can silently drift further out of sync, and repeated reliance on `-target` is often a sign the configuration's state/blast-radius is too large and should be split into smaller, independently-applied units instead.

Detailed Answer

`-target` looks like a convenient way to speed up a slow plan/apply by narrowing its scope, but it quietly breaks one of Terraform's core guarantees, which is why HashiCorp's own docs actively warn against habitual use.

What it does

```
terraform apply -target=aws_instance.web
```

This restricts the operation to `aws_instance.web` and whatever it depends on. Everything else in the configuration is left completely untouched by this run, even if its configuration has also changed.

Legitimate emergency use case

Imagine a specific resource is broken (say, a misconfigured security group is blocking production traffic right now) but the rest of the plan is currently failing for an unrelated reason (a different resource's provider is having an outage, or a large, slow apply is mid-flight). `-target` lets you fix just the broken resource immediately without needing the entire configuration to plan/apply cleanly first.

Why it's discouraged as routine practice

  1. It's not a full reconciliation. A targeted apply only evaluates and applies the graph reachable from the target — anything else that changed in configuration since the last full apply doesn't get applied, and doesn't even get reported. State and configuration can end up disagreeing about resources you didn't touch, invisibly.
  2. It masks scope problems. If you find yourself reaching for `-target` regularly, it's usually a signal that a single Terraform configuration/state file has grown to cover too much — too many resources whose applies now take too long or too often conflict — and the real fix is splitting that state into smaller, independently-applied units (see the best-practices question on state size), not routinely working around the symptom with targeting.
  3. It complicates plan review. A plan produced with `-target` shows a subset of what would normally be reviewed, making it easy to miss that some other, unrelated change is still pending against the full configuration.

The right mental model

Treat `-target` the same way you'd treat a "break glass in case of emergency" tool: acceptable for a genuine, time-sensitive incident where you understand exactly what you're narrowing the scope to and why, but never a habitual part of a normal deployment workflow — a normal apply should always operate over the full configuration so its plan output remains a trustworthy, complete picture of everything that's about to change.
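One way to enforce the break-glass model in a pipeline, as an added example that is not part of the original answer or of Terraform itself: a wrapper that refuses `-target` unless an incident reason is recorded, then runs a full plan after a targeted apply to surface whatever the targeted run skipped. The names `TF_BIN`, `BREAK_GLASS_REASON`, `uses_target`, `tf_guarded` and the exit codes 64 and 3 are assumptions of this sketch, and it assumes the subcommand is the first argument.

```shell
#!/bin/sh
# Added example: break-glass wrapper around terraform (hypothetical names).
TF_BIN="${TF_BIN:-terraform}"

# Returns 0 if any argument is a -target flag. Terraform's flag parser
# accepts both -flag and --flag, with or without "=value".
uses_target() {
  for arg in "$@"; do
    case "$arg" in
      -target|--target|-target=*|--target=*) return 0 ;;
    esac
  done
  return 1
}

# Runs terraform with the given arguments.
#   64 = targeting refused (no BREAK_GLASS_REASON recorded)
#   3  = targeted apply succeeded, but the full plan still has pending changes
#   otherwise terraform's own exit code
tf_guarded() {
  if ! uses_target "$@"; then
    "$TF_BIN" "$@"
    return $?
  fi
  if [ -z "${BREAK_GLASS_REASON:-}" ]; then
    echo "refused: -target requires BREAK_GLASS_REASON (incident reference)" >&2
    return 64
  fi
  echo "break-glass: targeted run by ${USER:-unknown}: $BREAK_GLASS_REASON" >&2
  "$TF_BIN" "$@" || return $?
  [ "$1" = "apply" ] || return 0
  # Full, untargeted plan: with -detailed-exitcode, 0 = no changes,
  # 1 = error, 2 = changes pending that the targeted run did not apply.
  "$TF_BIN" plan -detailed-exitcode -input=false >/dev/null
  tg_rc=$?
  if [ "$tg_rc" -eq 2 ]; then
    echo "full plan still has pending changes; schedule a full apply" >&2
    return 3
  fi
  return "$tg_rc"
}
```

Exit code 3 is the signal to follow the incident with a normal, untargeted apply so configuration and state are fully reconciled again.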
