Terraform Replace - The Modern Way to Rebuild Resources
Introduction
If you’ve used Terraform long enough, you probably remember the good old terraform taint and untaint commands.
They were handy for forcing Terraform to rebuild specific resources when something went wrong.
But in modern Terraform (v0.15+), taint/untaint is deprecated — and we now have a better, more predictable way to do the same thing:
the -replace flag. 🚀
🧠 The Story — When a Resource Refuses to Behave
A few months ago, I was debugging a flaky EC2 instance.
Terraform insisted,
“No changes. Everything is up to date.”
Except it wasn’t.
The instance had drifted — manually modified outside Terraform — and needed a rebuild.
Previously, I would’ve used:
terraform taint aws_instance.web
terraform apply
But since that’s deprecated, the modern approach is to use -replace.
⚙️ The Modern Replacement — terraform apply -replace
Instead of tainting the resource, you can now do:
terraform apply -replace="aws_instance.web"
This tells Terraform explicitly to destroy and recreate the specified resource —
no tainting, no state changes, just a clean rebuild during apply.
🔄 ASCII Flow — How -replace Works
+------------------------+
|     terraform plan     |
+-----------+------------+
            |
            v
  (Detects Replace Flag)
            |
            v
+-----------+------------+
|    terraform apply     |
|   Destroy + Recreate   |
| Only Targeted Resource |
+------------------------+
It’s simpler, safer, and keeps your state file clean.
💡 Why -replace Is Better
✅ No manual state edits — Unlike taint, this doesn’t mark anything in the state file.
✅ Predictable behavior — You see exactly which resources will be replaced before applying.
✅ One-liner control — Works with both plan and apply.
✅ Supports multiple resources — Replace several resources in a single run.
Example:
terraform apply -replace="aws_instance.web" -replace="aws_security_group.web_sg"
🧩 Real-Life Use Cases
- A resource is stuck in an inconsistent or failed state
- You’ve made manual changes in the cloud provider console
- You need to re-provision a single resource without touching others
- A module upgrade requires fresh resources
🧠 Pro Tip — Use It with terraform plan
If you’re cautious (and you should be), always preview the changes before applying:
terraform plan -replace="aws_instance.web"
This gives you a clear diff of what Terraform will destroy and recreate.
⚠️ Things to Keep in Mind
- -replace is temporary — it only applies to the current run.
- Use it carefully in production — especially when replacing critical resources like databases.
- Combine with create_before_destroy (via lifecycle) if you need zero downtime.
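
The plan preview and the production caution above can be checked mechanically before anyone runs apply. This is an added example, not code from the original post: it reads the JSON form of a saved plan and reports any resource that would be replaced without being named in -replace, or whose type is on a protected list. The sample plan, the PROTECTED_TYPES policy and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json tfplan` output (trimmed).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_instance.web", "type": "aws_instance",
   "change": {"actions": ["delete", "create"]},
   "action_reason": "replace_by_request"},
  {"address": "aws_eip.web", "type": "aws_eip",
   "change": {"actions": ["update"]}},
  {"address": "aws_db_instance.main", "type": "aws_db_instance",
   "change": {"actions": ["create", "delete"]},
   "action_reason": "replace_because_cannot_update"},
  {"address": "aws_security_group.web_sg", "type": "aws_security_group",
   "change": {"actions": ["no-op"]}}
]}
""")

# Hypothetical policy: resource types that must never be replaced unreviewed.
PROTECTED_TYPES = {"aws_db_instance"}


def replacements(plan):
    """Return (address, type, reason) for every resource the plan will replace."""
    found = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        # A replace is delete+create, or create+delete with create_before_destroy.
        if sorted(actions) == ["create", "delete"]:
            found.append((rc["address"], rc["type"], rc.get("action_reason", "unknown")))
    return found


def violations(plan, requested):
    """Replacements that were not asked for via -replace, or hit a protected type."""
    bad = []
    for address, rtype, reason in replacements(plan):
        if address not in requested:
            bad.append(f"{address}: unrequested replacement ({reason})")
        elif rtype in PROTECTED_TYPES:
            bad.append(f"{address}: protected type {rtype}")
    return bad


if __name__ == "__main__":
    # Real use: terraform plan -replace="aws_instance.web" -out=tfplan
    #           terraform show -json tfplan > plan.json, then json.load() it.
    problems = violations(SAMPLE_PLAN, requested={"aws_instance.web"})
    print("\n".join(problems) or "plan replaces only what was requested")
```

Run in CI between plan and apply, a non-empty result is the signal to stop and review before anything is destroyed.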
🚀 Summary
Terraform’s -replace flag is the modern, safer successor to taint/untaint.
It’s designed for the same purpose — rebuilding problematic resources — but with clearer intent and cleaner state handling.
So next time you hear Terraform whisper, “No changes,” but you know something’s wrong…
just replace it. 😉
TL;DR
| Command | Description | Status |
|---|---|---|
| terraform taint <resource> | Mark resource for recreation | ❌ Deprecated |
| terraform untaint <resource> | Remove taint mark | ❌ Deprecated |
| terraform apply -replace=<resource> | Recreate resource cleanly | ✅ Modern & Recommended |