The Terraform Feature Everyone’s Been Waiting For

Last Updated on November 26, 2025 by Arnav Sharma

I just checked out of the HashiConf 2025 keynote, and I need to talk about something that’s going to fundamentally change how we work with infrastructure as code.

Forget Stacks for a second. Put Actions on the back burner. HashiCorp just released Terraform Search and the terraform query CLI into public preview, and this is the kind of feature that makes you wonder how we’ve been surviving without it.

The Problem We’ve All Been Ignoring

Here’s a scenario you’ve definitely lived through: It’s 3 PM on a Friday. Someone from finance asks which team owns that mystery VPC eating up budget in account 123456789012. You know it’s managed by Terraform… somewhere. So you start the archaeology.

You grep through repos. You check workspace after workspace. You ping six different teams on Slack. Two hours later, you still don’t have a complete answer.

Or maybe compliance needs a list of every S3 bucket without encryption across production. You could write a script. You could export state files. You could manually click through the console. All of these options are terrible.

We’ve been managing infrastructure at scale without any real way to search it. That changes today.

What Terraform Search Actually Does

Think of it as Google for your entire infrastructure footprint. It’s a real-time search and query engine that indexes every single resource managed by HCP Terraform (with Terraform Enterprise support coming soon).

The system has two main components:

• Terraform Search: A web UI and API that supports both natural language and advanced structured filtering. Available in public preview right now.
• terraform query: A CLI tool that lets you write HCL-native queries directly from your terminal. Ships with Terraform CLI v1.9.5 and later.

Together, they give you something we’ve never had before: complete visibility into every resource you manage, with the ability to slice and dice that data however you need.

Natural Language That Actually Works

The web interface has a new Search tab, and you can literally type things like this:

“RDS instances with engine version less than 15 running in production accounts created before 2025”

Hit enter, and you get a table showing drift status, last modified timestamp, owning workspace or stack, estimated cost, tags, the whole picture. No query language to learn. No API calls to construct. Just ask.

I’ve seen enough “AI-powered search” demos that don’t work in the real world. This one does, because it’s built on structured data that Terraform already knows about. It’s not trying to parse unstructured logs or guess at relationships. It’s querying the actual state graph.

The CLI Is Where Things Get Serious

Here’s where my inner platform engineer gets excited. The terraform query command lets you write precise, programmatic queries:

# Find every unencrypted S3 bucket globally
terraform query '
  aws_s3_bucket where {
    server_side_encryption_configuration == null
  }' --output table

Or maybe you need to track down resources that drifted recently:

# Every resource tagged "owner:team-platform" that drifted in the last 7 days
terraform query '
  * where {
    tags.owner == "team-platform"
    and drift_detected_at > now() - 7d
  }'

The syntax feels natural if you’ve written HCL before. It’s not SQL, it’s not some proprietary DSL. It’s Terraform-native querying.

Bulk Import Just Became Trivial

Remember when I mentioned importing hundreds of existing resources into Terraform? The kind of task that makes you question your career choices?

One command:

# Generate import blocks for 1,237 ALBs across 40 accounts
terraform query 'aws_lb where tags.Environment == "prod"' \
  | terraform import --generate-config=./generated_imports.tf

That’s it. No bash loops. No spreadsheets. No copying and pasting resource IDs for three straight hours.

The demo during the keynote showed this working with over a thousand load balancers. The audience literally gasped. I’m not exaggerating.

Real Queries People Will Actually Run

Let me give you some examples that solve actual business problems:

• Rightsizing clusters: EKS clusters with node group desired_size < 5 helps you find underutilized clusters in seconds instead of hours.
• Shadow IT detection: resources where last_modified_by != "terraform" shows you everything that’s been manually changed outside your workflows. Perfect for those weekly drift reports.
• Compliance reporting: aws_iam_user where last_used > 90 days generates your dormant accounts report instantly. No more custom scripts.
• Chargeback tracking: vpc where tags.cost-center == "marketing" and region == "us-east-1" gives finance exactly what they need without you having to become a data analyst.

Each of these queries replaces hours of manual work or brittle automation scripts with a single line.

Policy as Code Just Got Supercharged

Here’s where this gets really powerful. You can combine queries with Sentinel or OPA for policy enforcement:

import "tfquery"

main = rule {
  tfquery.count('
    aws_security_group where {
      ingress[*].cidr_blocks contains "0.0.0.0/0"
      and ingress[*].from_port <= 22
    }') == 0
}

This policy checks every single security group in your organization in real time. Not a sample. Not a subset. Everything.

Before this, you’d typically check resources as they’re created or modified. Now you can enforce policies across your entire existing estate continuously. That’s a fundamental shift in how we think about governance.

How It Works Behind the Scenes

The system is built on Project Infragraph, the real-time graph database HashiCorp announced last year. When a Terraform run completes, the index updates within seconds. The query language itself is based on Celestial, which HCP has been using internally for years.

For MSPs and large enterprises, there’s support for cross-organization search. You can query across your entire fleet of customer environments or business units from one place.

What’s Not Ready Yet

Being in preview means there are some current limitations worth knowing about:

This is read-only for now. You can query resources but not delete them through the search interface (that’s probably coming later).

It only works with resources managed by HCP Terraform currently. If you have external state files, they won’t show up.

Query results are capped at 100,000 resources with pagination coming soon. That sounds like a lot until you’re managing a truly massive environment.

The CLI query requires a connection to HCP. You can’t run queries offline against local state yet.

None of these are dealbreakers for the preview, but they’re good to know going in.

Why This Matters More Than You Think

Stacks give us better orchestration. Actions improve Day 2 operations. Both are valuable.

But Search and Query give us something more fundamental: visibility at scale.

You can’t automate what you can’t see. You can’t govern what you can’t inventory. You can’t optimize what you can’t measure. For years, we’ve been managing cloud infrastructure with a blindfold on, piecing together partial views from different tools and dashboards.

I’ve talked to platform teams who spend entire sprints just building inventory systems. They maintain separate databases tracking what resources exist where. They write custom scrapers and reconciliation jobs. It’s thousands of hours of undifferentiated heavy lifting.

All of that just became unnecessary.

How to Get Started

If you want to try this today:

1. Go to HCP Terraform, open Organization Settings, and enable “Terraform Search (Preview)”
2. Upgrade your CLI: tfenv install 1.9.5 && tfenv use 1.9.5
3. Work through the tutorial at https://developer.hashicorp.com/terraform/cloud-docs/search
4. Join the #terraform-search-preview Slack channel where everyone’s sharing queries and use cases

The community is already doing creative things with this. Someone’s building a cost optimization dashboard powered entirely by queries. Another team is using it to automate security reviews. The use cases are expanding faster than I expected.

The Bigger Picture

In 2025, the winning platform teams won’t be the ones who can provision infrastructure fastest. Speed matters, but it’s table stakes now.

The winners will be the teams who can answer any question about their infrastructure in under 10 seconds. Who can prove compliance in real time. Who can spot problems before they become incidents. Who can give stakeholders accurate data without breaking their flow.

Terraform Search just made that possible for everyone.

I’m heading back into the conference hall, but I wanted to get this out while the feature is fresh. If you’ve got a gnarly query you’re trying to figure out, drop it in the comments. I’ll help translate it into the new syntax.

Time to go query literally everything.