How to Get Rid of the Terraform Taint

Terraform taint is a marker that flags a Terraform-managed resource as tainted, meaning the resource is in a bad or undesirable state. If a resource is marked as tainted, Terraform will recreate it or destroy it during the next apply.

This short guide will teach you how to use the Terraform untaint feature to remove taint markers on a resource.

Why Use Terraform Taint?

Although the use of Terraform taint may vary depending on what needs to be done on the specified resources, the common uses include:

  1. Recreating resources, such as a Compute Engine or EC2 instance, in case of unwanted modifications.
  2. Rebuilding resources without destroying them, especially in development.

How to Taint a Resource

The Terraform taint command allows you to tell Terraform that a specific resource/object is damaged or in a tainted state. As mentioned, this will force Terraform to rebuild the resource marked as tainted during the next plan.


The Terraform taint command takes the syntax as shown:

terraform taint [options] address

The address identifies the resource/object that receives the taint marker. You can specify the address of the resource using the format as shown:


You can also pass the following options to the taint command to modify behaviors:

  1. -allow-missing — Forces the command to succeed even if the specified resource is missing.
  2. -lock=[bool] — Accepts a Boolean true or false. If set to false, it temporarily disables Terraform's read/write lock on the state during the execution.
  3. -lock-timeout — Forces Terraform to retry obtaining the state lock for a specified period in seconds. This option has no effect if -lock is set to false.

The following example shows how to create an EC2 instance and use the taint command to mark it as tainted:

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 3.27"
        }
    }
    required_version = ">= 0.12"
}

# AWS provider using the default credentials profile
provider "aws" {
    profile = "default"
    region  = "us-east-1"
}

# The EC2 instance that is tainted below
resource "aws_instance" "database_server" {
    ami           = "ami-b7873e35"
    instance_type = "t2.micro"
}

Mark the resource as tainted:

terraform taint aws_instance.database_server

Once you mark the resource as tainted, execute the terraform plan command to see the changes that will be applied.

How to Use Terraform Untaint

If you set a resource as tainted, you can revert and remove the taint marker using the Terraform untaint command.

The command takes the resource address as the argument:

terraform untaint [options] address

It accepts similar arguments to the Terraform taint command.

For example, to remove a taint marker from the resource above, use the following command:

terraform untaint aws_instance.database_server
terraform plan

The previous commands remove the taint marker on the resource and show you the changes to be applied on the next terraform apply.
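
Before running apply, it helps to know exactly which resources still carry a taint marker, since each one is replaced on the next apply. The following is an added example, not part of the original article: it walks the JSON that `terraform show -json` prints for the state and lists the tainted addresses with the matching untaint commands. The sample state is constructed, and the function names and the `module.web` module are hypothetical.

```python
import json

# Constructed sample in the layout of `terraform show -json` (state view).
# module.web and its resource are hypothetical; only database_server is tainted.
SAMPLE_STATE = """
{
  "format_version": "1.0",
  "values": {
    "root_module": {
      "resources": [
        {"address": "aws_instance.database_server",
         "type": "aws_instance", "name": "database_server", "tainted": true}
      ],
      "child_modules": [
        {"address": "module.web",
         "resources": [
           {"address": "module.web.aws_instance.app",
            "type": "aws_instance", "name": "app"}
         ]}
      ]
    }
  }
}
"""


def tainted_addresses(state_json):
    """Return the sorted addresses of all resources flagged "tainted"."""
    state = json.loads(state_json)
    # An empty state has no "values" key, so fall back to empty dicts.
    root = (state.get("values") or {}).get("root_module") or {}
    found, stack = [], [root]
    while stack:  # walk the root module and every nested child module
        module = stack.pop()
        for res in module.get("resources", []):
            if res.get("tainted") is True:
                found.append(res["address"])
        stack.extend(module.get("child_modules", []))
    return sorted(found)


def untaint_commands(state_json):
    """Build one `terraform untaint` command per tainted resource."""
    return ["terraform untaint " + a for a in tainted_addresses(state_json)]


if __name__ == "__main__":
    for cmd in untaint_commands(SAMPLE_STATE):
        print(cmd)
```

In a pipeline, feed the function the real output of `terraform show -json` and stop the run when the list contains a resource you did not intend to replace.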


In this guide, you learned the basics of Terraform taint and the process to mark a resource as damaged. In addition, you saw several options that can be passed to the Terraform taint command to modify its behavior, and how to remove the marker with Terraform untaint. We hope you found this article helpful. Please check Linux Hint for more tips and information.

About the author

John Otieno