Skip to main content

Command: taint

The tofu taint command informs OpenTofu that a particular object has become degraded or damaged. OpenTofu represents this by marking the object as "tainted" in the OpenTofu state, and OpenTofu will propose to replace it in the next plan you create.

We recommend using the -replace option with tofu apply to force OpenTofu to replace an object even though there are no configuration changes that would require it.

Code Block
$ tofu apply -replace="aws_instance.example[0]"

We recommend the -replace option because the change will be reflected in the OpenTofu plan, letting you understand how it will affect your infrastructure before you take any externally-visible action. When you use tofu taint, other users could create a new plan against your tainted object before you can review the effects.

Usage

Code Block
$ tofu taint [options] <address>

The address argument is the address of the resource to mark as tainted. The address is in the resource address syntax, as shown in the output from other commands, such as:

  • aws_instance.foo
  • aws_instance.bar[1]
  • aws_instance.baz[\"key\"] (quotes in resource addresses must be escaped on the command line, so that they will not be interpreted by your shell)
  • module.foo.module.bar.aws_instance.qux

This command accepts the following options:

  • -allow-missing - If specified, the command will succeed (exit code 0) even if the resource is missing. The command might still return an error for other situations, such as if there is a problem reading or writing the state.

  • -lock=false - Disables OpenTofu's default behavior of attempting to take a read/write lock on the state for the duration of the operation.

  • -lock-timeout=DURATION - Unless locking is disabled with -lock=false, instructs OpenTofu to retry acquiring a lock for a period of time before returning an error. The duration syntax is a number followed by a time unit letter, such as "3s" for three seconds.

For configurations using the cloud backend or the remote backend only, tofu taint also accepts the option -ignore-remote-version.

For configurations using the local backend only, tofu taint also accepts the legacy options -state, -state-out, and -backup.