Terraform Fundamentals - Lifecycle
Learn about the Terraform lifecycle and associated commands init, plan, apply, destroy, refresh, taint, and import.
In today’s post, I will cover the lifecycle of working with Terraform—the commands that drive the provisioning, maintenance, and destruction of infrastructure. Understanding this lifecycle isn't just useful for sysadmins or DevOps—it’s critical for red team operators automating infrastructure for engagements.
The Terraform lifecycle can be broken down into a few essential commands: init, plan, apply, destroy, refresh, taint, and import. Each plays a specific role in managing the infrastructure via Terraform.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
Let’s start with terraform init. This is the first command we run in any new Terraform directory. It initializes the working directory, downloads the necessary provider plugins (like AWS, Azure, GCP, etc.), and sets up the backend if one is being used. Without this, Terraform won’t be able to execute any of the following commands—it simply won’t know what it’s working with.
Next is terraform plan. This command performs a dry run that shows what Terraform intends to do based on the given configuration—whether it will create, update, or destroy resources. This is critical in production environments to avoid accidental changes, but it’s also just as useful for red team operators who want to ensure their infrastructure changes are intentional, minimal, and predictable—especially when operating in stealth or constrained environments.
Once the plan looks good, we run terraform apply. This actually provisions (or changes) the infrastructure, i.e. Terraform applies the changes defined in the plan to the target environment.
When the infrastructure is no longer needed, or when we want to clean up a lab environment quickly, we use terraform destroy. It tears down all resources managed by the state file. For red teams, this is a powerful capability—being able to bring up and tear down infrastructure on-demand reduces digital footprints and operational risk.
terraform refresh is used to sync the state file with real-world infrastructure. For instance, if someone changed a resource outside Terraform (via the console or CLI), refresh makes sure the local state reflects that. Current Terraform releases deprecate the standalone command in favour of terraform plan -refresh-only and terraform apply -refresh-only, which show the detected drift before the state is updated. While often used to reconcile drift, this can help an operator confirm if infrastructure tampering or detection has occurred—especially in long-running campaigns or during evasion testing.
The terraform taint command is used to manually mark a resource for recreation during the next apply. Imagine a scenario where a resource was provisioned correctly, but is misbehaving or misconfigured in a way that Terraform doesn’t detect. Tainting forces Terraform to destroy and recreate it. Current Terraform releases deprecate taint in favour of terraform apply -replace=ADDRESS, which plans and performs the same recreation in one step and shows it in the plan output. This is especially useful in ops-heavy engagements or when testing resiliency by recycling critical infrastructure.
Finally, terraform import allows us to bring existing infrastructure into Terraform management. Whether taking over an existing cloud environment for red team testing or converting manual setups into codified ones, import is the bridge between what's already out there and our Terraform code.
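The plan and refresh steps above are where a reviewer decides whether a change is safe to apply. The script below is an added example, not code from the post: it reads the JSON form of a saved plan (produced with terraform plan -out=tfplan followed by terraform show -json tfplan), reports resources that drifted outside Terraform, and blocks an unattended apply when the plan would delete or replace anything. The embedded plan document and its resource addresses are constructed for the demonstration.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this script reads; the addresses are illustrative, not a real plan.
SAMPLE_PLAN_JSON = """{
  "format_version": "1.2",
  "resource_drift": [
    {"address": "aws_security_group.redirector", "change": {"actions": ["update"]}}
  ],
  "resource_changes": [
    {"address": "aws_instance.redirector", "change": {"actions": ["no-op"]}},
    {"address": "aws_security_group.redirector", "change": {"actions": ["update"]}},
    {"address": "aws_instance.c2", "change": {"actions": ["delete", "create"]}},
    {"address": "aws_s3_bucket.logs", "change": {"actions": ["delete"]}}
  ]
}"""

# Terraform encodes each change as a list of actions; map them to reviewer verbs.
VERBS = {
    ("no-op",): "no-op", ("read",): "read", ("create",): "create",
    ("update",): "update", ("delete",): "delete",
    ("delete", "create"): "replace", ("create", "delete"): "replace",
}

def summarize(changes):
    """Return {address: verb} for a list of plan change records."""
    out = {}
    for rc in changes:
        actions = tuple(rc["change"]["actions"])
        out[rc["address"]] = VERBS.get(actions, "+".join(actions))
    return out

def drifted_resources(plan):
    """Resources whose real-world state differed from the saved state (refresh)."""
    return sorted(summarize(plan.get("resource_drift", [])))

def plan_gate(plan_json, allow_destroy=False):
    """Return (ok, findings); deletes/replacements block unattended apply unless allowed."""
    plan = json.loads(plan_json)
    summary = summarize(plan.get("resource_changes", []))
    findings = [f"drift: {a}" for a in drifted_resources(plan)]
    destructive = sorted(a for a, v in summary.items() if v in ("delete", "replace"))
    findings += [f"{summary[a]}: {a}" for a in destructive]
    ok = allow_destroy or not destructive
    return ok, findings

if __name__ == "__main__":
    ok, findings = plan_gate(SAMPLE_PLAN_JSON)
    print("APPLY" if ok else "BLOCKED", *findings, sep="\n  ")
```

Run in a pipeline, a BLOCKED result stops the apply step until a human approves the destructive changes; drift findings are worth alerting on even when the plan itself is allowed.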
Real-world usage scenarios
In red team environments, these commands can be automated to spin up disposable infrastructure—like redirectors, C2 staging environments, or cloud-based phishing sites—only when needed, and then destroyed to minimize exposure.
Tainting is often used to replace flaky virtual machines or services. A red teamer might use it to simulate service outages or test the robustness of cloud failover systems.
Import is widely used during cloud migrations or audits. Red teams might use it to "take over" assets they discover in compromised cloud environments and bring them under their own infrastructure management for staging or command and control.
A practical example: imagine your operation requires setting up a redirector in AWS, a C2 server in Azure, and logging pipelines in GCP. Using init, plan, and apply, you bring it all up in minutes. Once the campaign ends, destroy wipes the infrastructure clean, leaving almost no trace. Combine that with refresh to detect unauthorized changes (think blue team interference) or import to gain visibility over a compromised environment, and you’re operating at a much higher level of control.
TL;DR
The Terraform lifecycle includes init, plan, apply, refresh, taint, destroy and import commands. These lifecycle commands are the foundation for infrastructure tradecraft.