Operate · Export

Terraform & CLI export.

Every Axiom execution plan generates downloadable Terraform you can review locally and apply through your own pipeline. CLI commands are also exported as an alternative.

When to export instead of letting Axiom apply

Export is the right choice when you already have a Terraform pipeline you trust (Atlantis, Terraform Cloud, Spacelift, your own CI), or when policy requires changes to go through specific reviewers in your own VCS workflow.

01

What gets exported

An execution plan export contains, per phase:

  • main.tf — primary resource definitions with the proposed changes applied
  • variables.tf — explicit input variables (region, account, tags)
  • terraform.tfvars — values for those variables, sourced from your scan snapshot
  • moved.tfmoved {} blocks if Axiom is renaming or re-addressing resources
  • README.md — phase summary, blast radius, rollback strategy, RTO, verification criteria
  • rollback/ — a separate Terraform directory that reverts the phase if needed

02 · Alternative

CLI command export

For operations that don't need IaC (one-shot fixes, irreversible operations like snapshots), Axiom can emit AWS CLI commands instead:

example · cli export# Phase 1: Pre-flight snapshot
aws ec2 create-snapshot \
  --volume-id vol-0123456789abcdef0 \
  --description "axiom-preflight-2026-05-13"

# Phase 2: Right-size i-0a1b2c
aws ec2 stop-instances --instance-ids i-0a1b2c
aws ec2 modify-instance-attribute \
  --instance-id i-0a1b2c \
  --instance-type m5.xlarge
aws ec2 start-instances --instance-ids i-0a1b2c

# Phase 3: Verify
aws elbv2 describe-target-health \
  --target-group-arn $TG_ARN \
  --targets Id=i-0a1b2c

03 · Review checklist

How to review before applying

1

Read the README.md

Confirms what the phase does, expected impact, rollback strategy, RTO, and verification criteria.

2

Run terraform plan locally

Use your own AWS credentials. Confirm Terraform's diff matches Axiom's reported diff (it should — Axiom's plan is generated from the same snapshot).

3

Verify state alignment

If you use Terraform Cloud / Enterprise / S3 backend, Axiom's export uses a fresh local state. Either run terraform import for the affected resources or merge into your existing module. Don't apply against unaligned state.

4

Run the rollback dry-run

The rollback/ directory has its own plan. Run terraform plan there to confirm rollback can produce the original state.

5

Apply through your pipeline

Push to your VCS, let your CI/CD apply. After apply, return to Axiom and mark the plan item as "applied externally" — Axiom will trigger post-execution verification.

04

Local vs. cloud execution

  • Local export — best for one-off review or pipelines you already own. Available today via the dashboard download button.
  • Cloud execution — Axiom applies on your behalf through the execution role. Available today for AWS.
  • Desktop execution — the upcoming desktop app applies locally from your workstation using your own AWS CLI credentials. Preview on macOS; Windows Q2 2026; Linux Q3 2026. See desktop install.

05

Safety warnings

  • Don't apply Axiom's exported Terraform against state that wasn't in the original scan. Re-scan if your infrastructure has changed since.
  • Don't merge multiple Axiom-exported plans without reviewing for resource conflicts.
  • Rollback Terraform should always be run from the version captured at plan time, not regenerated later.
  • For high-risk plan items (broad blast radius), Axiom recommends cloud execution because the rollback timing is more reliable than human-paced pipelines.

Trust questions

What is being exported?

Phase-by-phase Terraform that matches Axiom's proposed changes, plus rollback Terraform and a README.

Why would I export instead of let Axiom apply?

When you already trust your own pipeline (Atlantis, Terraform Cloud, Spacelift) or policy requires changes to go through your VCS.

Is it safe to run locally?

Yes, against the snapshot from the original scan. Re-scan if your infrastructure has drifted since.

Does Axiom know I applied?

Mark the plan item 'applied externally' in the dashboard — Axiom triggers post-execution verification.

What if my pipeline fails?

Run the rollback/ Terraform from the same export. Same state, same RTO.

Can I see what changed before downloading?

Yes — every plan shows the full Terraform diff in the dashboard before you click export.

Need a human?

Most flows are documented — but we'll help if anything is unclear.

Talk to Vision XIX Labs