terraform graph: Visualizing Dependencies (2026)

terraform graph is an official feature that outputs the dependencies derived from the current configuration or plan in the DOT language, which you can then render with tools such as Graphviz.

On exams, dependency resolution concepts, the meaning of flags like -type and -draw-cycles, and use cases for visualization come up frequently. In day-to-day work it is used to detect cycles and verify create/destroy ordering.

Fundamentals of terraform graph

terraform graph writes the dependency graph that Terraform resolved between resources to standard output in DOT format. Piping it into the Graphviz dot command lets you save the result as PNG or SVG. The behavior is part of Terraform's stable core functionality and can be invoked reproducibly from the CLI.

The graph is useful for understanding the order in which resources are created, the order in which they are destroyed, and whether any cycles exist. In large codebases it helps you grasp the overall shape, and it can prompt you to revisit module design and the need for depends_on.

Output is DOT (Graphviz); render images with dot -Tpng, -Tsvg, and similar
Displays the dependency graph based on the configuration and state of the execution directory
Options control the type (plan / plan-destroy), cycle highlighting, and module depth
For huge configurations the node count gets large, so observing step by step with depth limits or filters is realistic

Minimum workflow (convert DOT to SVG)

terraform graph | dot -Tsvg > graph.svg
# If Graphviz is not installed, install it via your OS package manager
# macOS: brew install graphviz
# Ubuntu/Debian: sudo apt-get install graphviz

Reading the dependency graph: what nodes and edges mean

Nodes correspond mostly to resource, data, module, and provider entities. Edges (directed arrows) show the direction of dependency: a downstream node is only evaluated/created once its upstream nodes are ready. data sources are read-only and are usually referenced by resources.

On destroy the direction of dependencies is reversed. What was downstream during creation becomes upstream during destruction, so to check destroy ordering you should pick a graph type aimed at destroy.

resource.aws_xxx.name is a node for a managed resource
data.aws_xxx.name is a read node; it does not affect create ordering directly but does affect resolution order
module.mod_name often appears as a hub for a subgraph
Edges form from depends_on or attribute references

Typical dependency flow (on create)

# Reading notes:
# - instance.web depends on VPC(main)
# - instance.web references AMI(data)
# - EIP depends on instance.web

Example: generate an intermediate DOT file first and then view it

terraform graph -type=plan > plan.dot
dot -Tpng plan.dot -o plan.png
# View: open plan.png (macOS) or xdg-open plan.png (Linux)

Practical uses: debugging and design verification

When creates or changes feel out of order, the first step is to visualize dependencies with the graph. You can spot missing explicit depends_on declarations or cases where attribute references create indirect dependencies.

If a cycle is suspected, enable cycle highlighting and narrow module depth down to the minimum reproducible unit. When the change set is large, it is efficient to look at only the structure of the top-level modules first.

Cycle detection: -draw-cycles highlights suspect edges
Control module expansion: -module-depth=N (0 expands everything; numeric values reveal step by step)
Pre-check destroy ordering: -type=plan-destroy
Review support: produce SVG artifacts in CI and diff them per PR

Example: cycle highlighting with module depth

terraform graph -draw-cycles -module-depth=1 | dot -Tsvg > shallow.svg
terraform graph -draw-cycles -module-depth=0 | dot -Tsvg > full.svg
# A realistic workflow: skim with shallow.svg and only dive into full.svg where needed

Output processing and option comparison

Because the output is DOT, you can pick layout and format options via Graphviz. For readability we recommend SVG: easy to zoom and search, and well suited to review-time diffing.

By combining graph types and supporting flags, you can tailor the visualization to your goal. Combining destroy-order checks, cycle detection, and step-by-step module expansion is the practical pattern. Exact option lineup and defaults may change between Terraform versions, so check the official docs for the version you are using each time.

SVG supports zooming and text search, making reviews easier
PNG is a single image that is easy to share but does not scale well
For large configurations, combining -type with -module-depth is effective

Option	Target / meaning	Main use	Caveats
-type=plan	Dependencies at plan time (order of creates/changes)	Verify order before apply; surface unexpected dependencies	Depends on state and configuration; output reflects a point in time
-type=plan-destroy	Dependencies for the destroy plan (safe order of destruction)	Pre-check destructive changes and tear-down	Note that the direction of dependencies is reversed compared to create time
-draw-cycles	Highlight cyclic dependencies	Debug complex designs; surface implicit dependencies	If a cycle cannot be resolved, the design itself needs rework
-module-depth=N	Control the depth of module expansion (0 expands everything)	Skim large configurations step by step; simplify reviews	Restricting depth hides detailed nodes

Switching formats and producing review-friendly output

# High-resolution SVG output
terraform graph -type=plan | dot -Tsvg > plan.svg

# For destroy-plan inspection
terraform graph -type=plan-destroy | dot -Tpng > destroy.png

# Example: produce an artifact in CI
terraform graph -module-depth=1 | dot -Tsvg > overview.svg

Exam focus points (Associate/Pro)

On Associate, the basics of dependency resolution (explicit depends_on vs. implicit attribute references), the purpose of the graph command, and the workflow of visualizing with Graphviz tend to appear. Being able to state what -draw-cycles does, and knowing the output is DOT, are baseline expectations.

On Professional, visualization strategy in modular and large-scale configurations, validating destroy plans, and leveraging the graph in CI/CD pipelines are more likely to come up as practical operational design.

graph visualizes dependencies derived from plan/configuration; it is not a live topology of real resources
Output is DOT (text); images are generated by Graphviz
Use -draw-cycles to identify cyclic dependencies
Use -type=plan-destroy to check destroy ordering

Baseline commands to keep handy for exams

terraform graph -type=plan | dot -Tsvg > plan.svg
terraform graph -type=plan-destroy | dot -Tsvg > destroy.svg
terraform graph -draw-cycles -module-depth=1 | dot -Tsvg > cycles.svg

Common pitfalls and best practices

For very large configurations, a fully expanded graph quickly becomes unreadable. The practical pattern is to restrict the hierarchy with -module-depth, identify the area of interest, and then dive deeper.

Because data sources are not creation targets, treat them as hints about evaluation dependencies rather than as ground truth about ordering. To understand destroy order, always inspect a plan-destroy-style graph.

Output details and default values may change between versions. For flag semantics and output interpretation, check the official Terraform documentation for the version you are using.

Observe huge graphs step by step (control depth or verify against subsets)
Resolve cycles via design improvements (extract dependencies, split deploys)
Prefer SVG for images (easier zoom, search, and review diffing)
Automation: produce graph output as an artifact in CI and require review on every PR

Techniques for narrowing the scope (examples)

# Skim just under each module
terraform graph -module-depth=1 | dot -Tsvg > overview.svg

# Simple filtering on the DOT text with grep (e.g. compute module)
terraform graph > all.dot
grep -E "module.compute|cluster|aws_instance" all.dot > focus.dot
# Note: regex filtering is a quick hack, not a formal filter mechanism

Check your understanding

Associate / Pro

問題 1

You want to verify the dependency order at destroy time and visualize whether tear-down can proceed safely. Which command is most appropriate?

terraform graph -type=plan-destroy | dot -Tsvg > destroy.svg
terraform graph -draw-cycles | dot -Tsvg > cycles.svg
terraform show -json | dot -Tsvg > show.svg
terraform validate -graph | dot -Tsvg > validate.svg

正解: A

To check destroy ordering you visualize the dependencies from the destroy plan, which is exactly what -type=plan-destroy does. -draw-cycles highlights cycles, terraform show -json outputs JSON instead of DOT, and validate has no graph output.

Frequently Asked Questions

Can terraform graph output JSON?

No. terraform graph writes DOT (Graphviz) format to standard output. If you need a machine-readable representation, consider terraform show -json against a saved plan or state file.

Can I inspect dependencies without Graphviz?

For small configurations you can read the raw DOT text, but in practice rendering with Graphviz is far easier to read and better suited to reviews. Generating SVGs in CI and sharing them is the practical approach.

Can I render only a specific module as a separate image?

terraform graph itself does not support per-module split output. The practical workflow is to control expansion with -module-depth and then post-process the DOT (grep or a script) to extract the module of interest. For large estates, splitting into sub-configurations and running graph locally also works well.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる

Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.

Visualizing Dependency Graphs with terraform graph: Practical and Exam Tips for Associate/Pro