Oh right, I see - a comparison between new Terraform source files and pre-existing Terraform state. Yes, that theoretically ought to be possible without talking to the API.
Are you using the -refresh=false flag? Without that, Terraform will attempt to check its state is accurate even when just doing a plan.
Even with that, it’s possible the provider is being overly up-front in its validation and it will still fail. (I don’t use Azure, so I can’t easily check.) If that’s the case, it’s possible figuring out some dummy configuration good enough to placate the validation might be successful.
I tried using the -refresh=false flag, sadly, that did not fix it. Could you elaborate a bit more regarding the dummy configuration? I’m not that familiar with Terraform… yet
I had speculated that it might be enough to fill in some placeholder credentials, that wouldn’t actually be used.
However, playing around with terraform-provider-azurerm a bit, it appears it absolutely insists on contacting the Azure API even to plan a simple addition of a single resource.
So, I guess, with the way the provider is written, what you’re looking for isn’t possible.
Both the plan and apply operations will typically require credentials in most providers, because this can help to ensure Terraform can produce a reliable plan that is more likely to be applyable.
A command you can use “offline” just to check if your configuration passes the validation rules that are built in to the provider is terraform validate, although I see that you are using CDK for Terraform so I’m not sure what is the equivalent cdktf command for validation.
I don’t see a command in the list that seems obviously related to validation, so if there isn’t currently such a command I think the fallback would be to run cdktf synth to generate the cdk.tf.json file and then run terraform validate in the directory which contains that file.