All Products
Search

This Product

    :Using the provider

    Document Center

    :Using the provider

    Last Updated:Oct 21, 2025

    After you learn the basic concepts and workflow of Terraform, you can use it to create, update, and destroy infrastructure resources.

    Terraform workflow

    image

    The Terraform workflow consists of four steps:

    1. Write infrastructure template files

      Define your infrastructure as code in template files. These files describe the resources that you want to configure.

    2. Generate an execution plan

      Run the terraform plan command to generate an execution plan for the desired state.

    3. Apply the execution plan

      Run the terraform apply command to apply the plan and build the infrastructure described in the template.

    4. Change the configuration and apply changes incrementally

      When the template changes, Terraform determines what has changed and creates incremental execution plans to apply the changes.

    Install Terraform

    Terraform is pre-installed on Alibaba Cloud Shell. You can also install it on your local machine from a binary package or using a package manager for your operating system.

    For example, to manually install Terraform on a Windows machine, download the appropriate package from the Terraform download page and unzip it. The Terraform package contains a single binary file named terraform. Add the path to the Terraform binary to your PATH environment variable. Then, you can open a new terminal and run the terraform -help command to verify the installation.

    For more information, see Install the provider.

    Terraform identity authentication

    Terraform identity authentication is the process of authenticating the Alibaba Cloud Terraform Provider. After authentication, Terraform can communicate with Alibaba Cloud APIs to create and manage your resources.

    The Alibaba Cloud Terraform Provider supports multiple authentication methods. The method that you choose depends on your use case and the environment where you install and run Terraform. This section describes how to set credentials using environment variables. For more information, see Terraform identity authentication.

    • If you run Terraform on your local machine, you need an Alibaba Cloud RAM user with an AccessKey. Log on to the Users page of the Alibaba Cloud RAM console. Select an existing user or create a new one, and then create an AccessKey for the user. After you obtain the AccessKey ID and AccessKey secret, set the ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY environment variables. Terraform uses these credentials for authentication.

    export ALICLOUD_ACCESS_KEY="<AccessKey ID>"
export ALICLOUD_SECRET_KEY="<AccessKey secret>"

    • If you run Terraform on Cloud Shell

      Terraform is pre-authenticated when you run it on Cloud Shell. Cloud Shell is a compute engine virtual machine that provides automatic identity credentials. When you log on to Cloud Shell, the ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY environment variables are automatically set based on your logon identity. You do not need to set them manually.

    • If you run Terraform on an Alibaba Cloud ECS instance

      If you run Terraform on an Alibaba Cloud ECS instance, you can manually set the ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY environment variables. Terraform then uses these credentials for authentication. However, for security reasons, we recommend that you use the ECS server role authentication method when you run Terraform on an Alibaba Cloud ECS instance.

    • If you run Terraform in an Alibaba Cloud ACK container

      If you run Terraform in an Alibaba Cloud ACK container, you can set the ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY environment variables in the Dockerfile. When a new container is created, Terraform uses these credentials for authentication. However, for security reasons, we recommend that you use the OIDC role assumption (AssumeRoleWithOIDC) authentication method when you run Terraform in an Alibaba Cloud ACK container.

    • If you run Terraform on a machine outside Alibaba Cloud

      If you run Terraform on a machine outside Alibaba Cloud, you can manually set the ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY environment variables on the machine. Terraform then uses these credentials for authentication.

    Example

    This example shows how to create a simple VPC network to help you better understand the Terraform workflow.

    image

    First, create a configuration file with a .tf extension. In the file, define Alibaba Cloud as the provider and add HCL code to create an Alibaba Cloud VPC instance. After you save the code, switch to the directory where the file is saved. Run terraform init to initialize the Alibaba Cloud provider. Run the terraform plan and terraform apply commands to generate and apply the execution plan. After you run terraform apply, a VPC network named the-first-vpc is created on Alibaba Cloud.