terraform validate: Static Config Checking (2026)

terraform validate is a command that checks the syntax and internal consistency of configuration files offline. Because it does not contact remote APIs, it slots safely into automation pipelines.

This article covers both the exam-relevant points (Associate) and real-world use cases. We dig into what validate can and cannot detect, its relationship with init, and how to design CI gates around it.

Basics and Scope of terraform validate

terraform validate checks whether the Terraform configuration in the current directory (or a specified module directory) is syntactically correct and internally consistent. It is a static check that never touches cloud APIs or backends.

It primarily detects HCL syntax errors, type and required-attribute mismatches, module call input/output mismatches (when modules are installed), and invalid blocks or arguments. It cannot verify the existence of resources or detect cloud-side constraints such as naming collisions, missing permissions, or quota overruns.

When you reference modules or providers, run terraform init first to fetch the dependencies — accurate validation depends on it. The -json option emits machine-readable output, which is convenient for summarizing failure reasons in CI.

No remote access (safe to automate)
Strong at static checks for syntax, types, and internal references
Running after terraform init is the stable choice in practice (when modules or providers are referenced)
-json produces machine-readable results

Command	Primary Purpose	Remote Access	init Required?
validate	Static check of syntax and internal consistency	No	Recommended (to resolve dependencies)
fmt -check	Verify formatting compliance	No	Not required
plan	Compute diff (execution plan)	Yes (talks to state and providers)	Required
init	Fetch providers/modules and initialize	Yes (registry, etc.)	—

Where validate fits in a CI pipeline

Basic local validation flow

terraform init
terraform validate
# When CI needs machine-readable output
terraform validate -json | jq '.diagnostics[] | {severity,summary,detail}'

CI/CD Gate Design and Operational Tips

validate fails fast, so the standard pattern is to run it right after init. Catching syntax and type mismatches here reduces reviewer load. Combine it with fmt -check to enforce style and syntax mechanically in one pass.

To reduce noise in CI, pass -no-color for readable logs and use -json to summarize failures. When validate fails, skip downstream heavy jobs (plan/apply) to save cost.

Standard ordering: init → validate → fmt -check → plan
Log optimization: aggregate with -no-color and -json
PR-only: a lightweight workflow with just validate/format works well

Minimal GitHub Actions example

name: tf-validate
on: [pull_request]
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.6.6
      - name: Init
        run: terraform init -input=false -no-color
      - name: Validate
        run: terraform validate -no-color

Validating Variables, Types, and Provider Constraints

validate checks that variable type declarations are consistent with their default values. It does not accept -var or -var-file itself, so actual input-value validation happens in plan. When variable types are strict, type mismatches in defaults surface early.

required_providers and required_version declarations are checked for syntax and constraint consistency. Note that when you depend on external modules or providers, accurate input/output checking may require init to run first.

Type mismatches (e.g., a numeric default for a string variable) are caught immediately by validate
An unset required variable itself is not an error here (checked in plan)
Fetch providers/modules with init before validating

Minimal example that catches a type mismatch

# versions.tf
terraform {
  required_version = ">= 1.5.0"
  required_providers {
    random = {
      source  = "hashicorp/random"
      version = ">= 3.5.0"
    }
  }
}

# variables.tf
variable "env" {
  type = string
  # Intentional type mismatch (number): validate errors
  default = 123
}

# main.tf
output "env_out" {
  value = var.env
}

# Run
# terraform init
# terraform validate  # => fails with variable type mismatch

Using validate When Developing Modules

You can run terraform validate against a module directory on its own. It statically surfaces input/output consistency issues, unused variables, and unreferenced outputs. It is a good minimum check before publishing a module.

When validating together with the calling (root) module, run init first to fetch module dependencies. validate can then more accurately catch type and required-ness mismatches on input variables.

Always pass validate before distributing a module
Specify description/type/default on variables to improve diagnostic readability
For breaking changes to inputs/outputs, run validate/plan together against a sample root

Example: validating a module and its caller

# modules/network/variables.tf
variable "name" {
  type        = string
  description = "network name"
}

# modules/network/outputs.tf
output "name_out" { value = var.name }

# root/main.tf
module "net" {
  source = "./modules/network"
  name   = 100  # Intentional type mismatch: caught by validate
}

# Run
# terraform init
# terraform validate  # => diagnostic: module.net.name requires a string

Common Errors and Practical Fixes

Diagnostic messages include severity (error/warning), summary, and detail. Syntax errors point to a file and line, and type mismatches show both expected and actual types. When module resolution fails, suspect a missing init run or an incorrect source URL.

In CI, skipping downstream jobs on a validate failure and keeping just the diagnostic summaries in the log keeps operations simple. Formatting the -json output with jq and pasting a lightweight summary into PR comments is a stable pattern.

syntax error: check for missing commas, braces, or quotes
Invalid function argument: revisit types and nullability
Module not installed: run terraform init and re-check source

Bash example gating on validate's exit code

set -euo pipefail
terraform init -input=false -no-color
if ! terraform validate -no-color; then
  echo "validate failed; skipping plan" >&2
  exit 1
fi
# If we got here, continue with plan, etc.

Check Your Understanding

Associate

問題 1

Which problem is terraform validate best suited to detect?

Variable type declaration vs. default value mismatch
Collision with an existing S3 bucket name (on the account side)
Expired cloud credentials
Exceeding the organization's resource quota

正解: A

terraform validate performs static checks of syntax and internal consistency. It catches mismatches between a variable's type and its default value, but cloud-side existence checks, credential state, and quotas all require remote access and are out of scope for validate.

Frequently Asked Questions

Can I run validate without first running terraform init?

Yes, for simple configurations with no external modules or provider dependencies. When module or provider references are involved, running validate after init is the reliable approach because dependencies need to be resolved first.

Can validate accept -var or -var-file to check input values?

No. validate does not accept -var or -var-file. Input-value validation happens during plan. validate is focused on syntax, type, and internal reference consistency.

How should I use the JSON output?

-json produces machine-readable diagnostics. In CI, use a tool like jq to extract severity/summary, keep logs concise, and post a summary to PR comments or failure notifications to streamline operations.

Check what you learned with practice questions

Practice with certification-focused question sets

無料で問題を解いてみる

Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.

terraform validate: Key Points and Syntax Validation Use Cases