Skip to main content

Command: untaint

OpenTofu has a marker called "tainted" which it uses to track that an object might be damaged and so a future OpenTofu plan ought to replace it.

OpenTofu automatically marks an object as "tainted" if an error occurs during a multi-step "create" action, because OpenTofu can't be sure that the object was left in a fully-functional state.

You can also manually mark an object as "tainted" using the deprecated command tofu taint, although we no longer recommend that workflow.

If OpenTofu currently considers a particular object as tainted but you've determined that it's actually functioning correctly and need not be replaced, you can use tofu untaint to remove the taint marker from that object.

This command will not modify any real remote objects, but will modify the state in order to remove the tainted status.

If you remove the taint marker from an object but then later discover that it was degraded after all, you can create and apply a plan to replace it without first re-tainting the object, by using a command like the following:

Code Block
tofu apply -replace="aws_instance.example[0]"

Usage

Usage: tofu untaint [options] address

The address argument is a resource address identifying a particular resource instance which is currently tainted.

This command also accepts the following options:

  • -allow-missing - If specified, the command will succeed (exit code 0) even if the resource is missing. The command might still return an error for other situations, such as if there is a problem reading or writing the state.

  • -lock=false - Don't hold a state lock during the operation. This is dangerous if others might concurrently run commands against the same workspace.

  • -lock-timeout=DURATION - Unless locking is disabled with -lock=false, instructs OpenTofu to retry acquiring a lock for a period of time before returning an error. The duration syntax is a number followed by a time unit letter, such as "3s" for three seconds.

  • -no-color - Disables terminal formatting sequences in the output. Use this if you are running OpenTofu in a context where its output will be rendered by a system that cannot interpret terminal formatting.

  • -var 'NAME=VALUE' - Sets a value for a single input variable declared in the root module of the configuration. Use this option multiple times to set more than one variable. Refer to Input Variables on the Command Line for more information.

  • -var-file=FILENAME - Sets values for potentially many input variables declared in the root module of the configuration, using definitions from a "tfvars" file. Use this option multiple times to include values from more than one file.

There are several other ways to set values for input variables in the root module, aside from the -var and -var-file options. Refer to Assigning Values to Root Module Variables for more information.

For configurations using the cloud backend or the remote backend only, tofu untaint also accepts the option -ignore-remote-version.

For configurations using the local backend only, tofu untaint also accepts the legacy options -state, -state-out, and -backup.