Provisioner failure behavior in Terraform - Commands & Configuration

Introduction
When Terraform creates a resource, it can also run extra scripts called provisioners. These scripts can fail, and Terraform needs to know what to do next. This page explains how Terraform handles provisioner failures and how you can control that behavior.
Typical situations where this matters:
When you want to run a setup script on a virtual machine after it is created.
When you need to install software automatically on a new server during deployment.
When you want to copy files to a resource right after it is created.
When you want to control whether Terraform stops or continues when a provisioner script fails.
When you want to debug why a resource creation failed due to a script error.
Config File - main.tf
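resource "aws_instance" "example" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"

  # Runs on the machine where Terraform itself is executed.
  provisioner "local-exec" {
    command = "echo Hello from provisioner"
  }

  # Runs on the new instance over SSH.
  provisioner "remote-exec" {
    # remote-exec needs connection details. The user and key path below are
    # placeholders; the instance also needs a matching key pair and a
    # security group that allows SSH.
    connection {
      type        = "ssh"
      host        = self.public_ip
      user        = "ubuntu"
      private_key = file(pathexpand("~/.ssh/id_rsa"))
    }

    inline = [
      "sudo apt-get update",
      "sudo apt-get install -y nginx"
    ]

    # Keyword, written without quotes: log the error and keep going.
    on_failure = continue
  }
}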

This Terraform file creates an AWS EC2 instance.

The local-exec provisioner runs a simple local command after the instance is created.

The remote-exec provisioner runs commands on the instance to update packages and install nginx.

Setting on_failure to continue tells Terraform to keep going even if the remote commands fail.

Commands
This command prepares Terraform to work with the AWS provider and downloads necessary plugins.
Terminal
terraform init
Expected Output
Initializing the backend...
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v4.0.0...
- Installed hashicorp/aws v4.0.0 (signed by HashiCorp)
Terraform has been successfully initialized!
This command creates the AWS instance and runs the provisioners. The apply runs without asking for confirmation.
Terminal
terraform apply -auto-approve
Expected Output
aws_instance.example: Creating...
aws_instance.example: Provisioning with 'local-exec'...
aws_instance.example (local-exec): Executing: ["sh" "-c" "echo Hello from provisioner"]
aws_instance.example: Provisioning with 'remote-exec'...
aws_instance.example (remote-exec): Connecting to remote host via SSH...
aws_instance.example (remote-exec): Running inline script
aws_instance.example (remote-exec): sudo: unable to resolve host ip-172-31-0-1
aws_instance.example (remote-exec): Reading package lists...
aws_instance.example (remote-exec): E: Could not get lock /var/lib/dpkg/lock-frontend - open (11: Resource temporarily unavailable)
aws_instance.example (remote-exec): E: Unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock-frontend), is another process using it?
aws_instance.example: Creation complete after 1m10s [id=i-0abcd1234efgh5678]
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
-auto-approve - Skip manual approval to apply changes immediately
This command removes the AWS instance and cleans up resources without asking for confirmation.
Terminal
terraform destroy -auto-approve
Expected Output
aws_instance.example: Refreshing state... [id=i-0abcd1234efgh5678]
aws_instance.example: Destroying...
aws_instance.example: Still destroying... [id=i-0abcd1234efgh5678, 10s elapsed]
aws_instance.example: Destruction complete after 20s
Destroy complete! Resources: 1 destroyed.
-auto-approve - Skip manual approval to destroy resources immediately
Key Concept

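If a provisioner fails, Terraform either stops the whole process (the default, on_failure = fail) or logs the error and continues, depending on the on_failure setting. With continue, the apply still ends with "Apply complete!", as in the expected output above, even though the remote commands reported errors.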

Common Mistakes
Not setting on_failure and expecting Terraform to continue after a provisioner error.
By default, Terraform stops if a provisioner fails and marks the resource as tainted, so the deployment halts unexpectedly.
Set on_failure to continue (written as on_failure = continue) in the provisioner block if you want Terraform to keep going despite errors.

Using provisioners for tasks that can be done with native Terraform resources or cloud-init.
Provisioners are less reliable and harder to debug than native methods.
Use provisioners only as a last resort; prefer native Terraform features or cloud-init scripts.
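
Because a provisioner with on_failure set to continue can fail without stopping the apply, it helps to know exactly where that setting is used. The script below is an added example, not part of the original page: the function name and the sample file are constructed for illustration, and it assumes one block header per line and balanced braces inside strings.

```shell
#!/bin/sh
# Report every provisioner block that sets on_failure to continue, so a
# reviewer can decide whether a silently skipped step is acceptable.
# Output format: <file>:<line>: <resource address> provisioner "<type>"
find_continue_provisioners() {
  awk '
    /^[ \t]*(#|\/\/)/ { next }                       # skip whole-line comments
    depth == 0 && /^[ \t]*resource[ \t]+"/ {         # remember type.name
      split($0, q, "\""); addr = q[2] "." q[4]
    }
    !inprov && /^[ \t]*provisioner[ \t]+"/ {         # entering a provisioner
      split($0, q, "\""); ptype = q[2]; inprov = 1; pdepth = depth + 1
    }
    # Match the keyword form and the older quoted form, only at the top
    # level of the provisioner block (not inside a nested connection block).
    inprov && depth == pdepth && /^[ \t]*on_failure[ \t]*=[ \t]*"?continue"?([ \t#]|$)/ {
      printf "%s:%d: %s provisioner \"%s\"\n", FILENAME, FNR, addr, ptype
    }
    {
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track block nesting
      if (inprov && depth < pdepth) inprov = 0       # left the provisioner
    }
  ' "$@"
}

# Constructed sample that mirrors the shape of the main.tf on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
resource "aws_instance" "example" {
  provisioner "local-exec" {
    command = "echo Hello from provisioner"
  }
  provisioner "remote-exec" {
    inline = ["sudo apt-get install -y nginx"]
    # on_failure = fail
    on_failure = continue
  }
}
EOF
find_continue_provisioners "$sample"
rm -f "$sample"
```

Run it over the .tf files of a module before apply; any line it prints is a step whose failure Terraform will log but not treat as an error.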
Summary
Terraform provisioners run scripts on resources after creation to perform setup tasks.
If a provisioner fails, Terraform stops by default unless on_failure is set to continue.
Use terraform apply to create resources and run provisioners, and terraform destroy to clean up.