
How to Diff Terraform tfvars Files: Catch Drift Before Apply

Compare Terraform variable files between environments and catch config drift before it causes an outage. No software to install.

Terraform variable files (.tfvars) are deceptively easy to let drift. A value bumped in staging never makes it to production. A terraform apply in the wrong environment uses the wrong instance size. A new variable added in dev.tfvars is silently missing from prod.tfvars. A side-by-side diff of your variable files before every apply is one of the cheapest safeguards in infrastructure work.

Why Terraform Variable Files Drift

In most teams, variable files are edited by hand across multiple environments. Unlike application code, there is rarely a strict review process for a one-line value change in a .tfvars file. Common drift scenarios:

  • Environment-specific tuning without sync — an engineer changes instance_type = "t3.medium" to t3.large in staging to debug a memory issue, then forgets to update production.
  • New variables added to one file — a new feature requires a new variable. It gets added to dev.tfvars and staging.tfvars but never to prod.tfvars, causing a plan failure the next time production is touched.
  • Secrets rotated in one place — an API key or database password is updated in one environment's variable file but not mirrored correctly to the others.
  • Whitespace and comment churn — reformatting or reordering lines makes the diff noisy and hides real changes in the visual clutter.

How to Compare Terraform Variable Files Online

Step 1 — Get both variable files

Open the two .tfvars files you want to compare in a text editor. Common pairs:

  • dev.tfvars vs staging.tfvars
  • staging.tfvars vs prod.tfvars
  • The current prod.tfvars vs the version from your last release tag

If your files are in version control, pull the previous version with:

  • git show HEAD~1:infra/prod.tfvars
  • git diff main..release -- infra/prod.tfvars

Step 2 — Paste into the diff tool

Open the Online Text Diff or Code Diff. Paste the first variable file in the left panel and the second in the right panel. Changed lines are highlighted immediately.

Step 3 — Enable HCL syntax highlighting

Select HCL from the language dropdown in the toolbar. This colour-codes variable names, string values, and comments, making it much easier to distinguish a key name change from a value change in a dense variable file.

Step 4 — Use Word diff for value-only changes

A line like instance_type = "t3.medium" changing to "t3.large" shows as a full line replacement by default. Switch to Word diff mode to highlight only the changed token inside the line. Useful for catching a single changed number in a long file.

Step 5 — Ignore whitespace for reformatted files

Running terraform fmt re-aligns assignment operators across a variable file. If you are comparing a formatted file against an unformatted one, enable Ignore whitespace to suppress alignment-only differences.

Common Scenarios

Promoting variables from staging to production

Before promoting a Terraform change to production, diff staging.tfvars against prod.tfvars. Any line present in staging but missing from production is a variable that will either need to be added or will fall back to a default — both worth knowing before you apply. Any value that differs intentionally (like a smaller instance size in staging) should be verified rather than blindly copied.
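The same staging-versus-production check can be done key by key, which ignores line order, alignment and comments and keeps secret values out of the report. This is an added example, not part of the diff tool or the original article; it assumes flat files of single-line `name = value` assignments (no multi-line maps, lists or heredocs), and the secret-name pattern and sample files are constructed for illustration.

```python
import re

# Assumption of this added example: key names matching this pattern hold secrets.
SECRET_KEY = re.compile(r"password|secret|token|api_key|private_key", re.I)
ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_-]*)\s*=\s*(.*?)\s*$")

# Constructed sample files, not taken from any real environment.
STAGING = '''# staging overrides
instance_type   = "t3.large"   # bumped to debug a memory issue
db_password     = "stg-example-1"
enable_feature  = true
region = "eu-west-1"
'''
PROD = '''region          = "eu-west-1"
instance_type = "t3.medium"
db_password   = "prd-example-2"
'''

def strip_comment(line):
    """Drop a trailing # or // comment that sits outside a quoted string."""
    in_str, i = False, 0
    while i < len(line):
        ch = line[i]
        if in_str and ch == "\\":
            i += 2  # skip the escaped character
            continue
        if ch == '"':
            in_str = not in_str
        elif not in_str and (ch == "#" or line.startswith("//", i)):
            return line[:i]
        i += 1
    return line

def parse_tfvars(text):
    """Collect single-line `name = value` assignments (flat files only)."""
    values = {}
    for raw in text.splitlines():
        m = ASSIGN.match(strip_comment(raw))
        if m:
            values[m.group(1)] = m.group(2)
    return values

def drift(left, right):
    """Return (only_left, only_right, changed) with secret values masked."""
    a, b = parse_tfvars(left), parse_tfvars(right)
    mask = lambda k, v: "<redacted>" if SECRET_KEY.search(k) else v
    changed = {k: (mask(k, a[k]), mask(k, b[k])) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]}
    return sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys()), changed
```

Calling `drift(STAGING, PROD)` reports `enable_feature` as present only in staging and flags `db_password` as changed without printing either value, so the result can go into a ticket or CI log.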

Reviewing a PR that modifies variable files

GitHub's PR diff is often enough for a single file change, but when a PR touches multiple variable files across environments, a side-by-side diff in a dedicated tool is faster to read. Paste the before and after version of the modified file to see exactly which values changed in context.

Auditing variable drift after an incident

After an incident caused by a misconfigured value, compare the production variable file against the version that was live before the last terraform apply. The diff immediately surfaces what changed and who changed it. Use git log --follow -p infra/prod.tfvars in your terminal, then paste the before/after into the diff tool for a cleaner view.

Comparing Terraform workspaces

Teams using Terraform workspaces often maintain separate variable files per workspace. Diffing terraform.tfvars.dev against terraform.tfvars.prod before a workspace switch shows exactly which values will behave differently across environments.

Diffing Full Terraform Configurations (Not Just Variables)

Variable files are the most common thing to compare, but you can apply the same workflow to any Terraform file:

  • Module versions — compare versions.tf or provider blocks across environments to catch version skew.
  • Terraform plan output — run terraform plan -out=plan.out and terraform show -json plan.out to get a JSON plan, then diff two plan JSON outputs using the JSON Diff tool.
  • Remote state snapshots — pull two versions of your state file with terraform state pull and compare them to understand what changed between applies.
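For the plan-output comparison, a structured check keyed by resource address is easier to read than a raw JSON diff and never touches the before/after attribute values, which may hold secrets. This is an added example, not from the original article; it reads only the `resource_changes[].address` and `change.actions` fields of `terraform show -json` output, and the two plan documents are constructed samples.

```python
import json

# Constructed plan documents with only the fields this example reads;
# real `terraform show -json` output carries many more.
STAGING_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_instance.app", "change": {"actions": ["update"]}},
    {"address": "aws_s3_bucket.logs", "change": {"actions": ["no-op"]}},
]})
PROD_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_instance.app", "change": {"actions": ["delete", "create"]}},
    {"address": "aws_s3_bucket.logs", "change": {"actions": ["no-op"]}},
    {"address": "aws_db_instance.main", "change": {"actions": ["delete"]}},
]})


def planned_actions(plan_json):
    """Map resource address -> tuple of planned actions, skipping no-ops."""
    actions = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        acts = tuple(rc["change"]["actions"])
        if acts != ("no-op",):
            actions[rc["address"]] = acts
    return actions


def compare_plans(left_json, right_json):
    """Return (differences, destructive): addresses whose planned actions
    differ between the plans, and addresses the right-hand plan would
    delete or replace."""
    left, right = planned_actions(left_json), planned_actions(right_json)
    differences = {
        addr: (left.get(addr), right.get(addr))
        for addr in sorted(left.keys() | right.keys())
        if left.get(addr) != right.get(addr)
    }
    destructive = sorted(a for a, acts in right.items() if "delete" in acts)
    return differences, destructive
```

A replacement appears as a delete paired with a create, so both a replaced instance and a dropped database land in the destructive list for review before apply.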

Privacy: Your Infra Variables Stay Private

Terraform variable files often contain sensitive values — database passwords, API keys, CIDR blocks, account IDs. The diff runs entirely in your browser using JavaScript. Nothing is sent to a server, nothing is stored or logged. It is safe to paste production variable files.

Sharing a Terraform Diff with Your Team

Click Share to generate a URL containing the full diff. Paste it into a pull request comment or Jira ticket so your team can review the exact variable changes. For variable files containing secrets, use the Encrypt option to password-protect the link before sharing.

Compare Terraform Variable Files Now

Paste two .tfvars files and see every changed value instantly — with HCL syntax highlighting and word-level diffs. Free, private, no sign-up.
