
Terraform

Infrastructure as Code (IaC) with HashiCorp Terraform. HCL syntax, state management, providers, modules, and remote backends.

Declarative

Describe desired state. Terraform figures out the diff and applies changes.

State Management

Tracks real-world resources in a state file for planning and drift detection.

Provider Ecosystem

2000+ providers: AWS, Azure, GCP, Kubernetes, Helm, and more.

```hcl
# main.tf — AWS EC2 instance
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"

  tags = {
    Name = "WebServer"
  }
}
```

Terraform Commands

  • `terraform init`: Initialize working directory and download providers
  • `terraform plan`: Preview changes without applying
  • `terraform apply`: Create or update infrastructure
  • `terraform destroy`: Destroy managed infrastructure
  • `terraform fmt`: Format code to canonical style
  • `terraform validate`: Check configuration for validity
  • `terraform state list`: List resources in state
  • `terraform state show res`: Show a resource's state details
  • `terraform import res id`: Import existing resource
  • `terraform output`: Show output values
  • `terraform workspace list`: List workspaces
  • `terraform refresh`: Sync state with real infrastructure

State Backends

local

State stored in terraform.tfstate file (default)

S3 + DynamoDB

Remote state on S3 with DynamoDB locking (recommended)

Terraform Cloud

Managed remote state, VCS integration, Sentinel

AzureRM

State in Azure Storage Account

GCS

State in Google Cloud Storage

Workspaces & Remote Ops

  • Workspaces: Isolated state for different environments (dev/staging/prod)
  • Remote Backend: S3 + DynamoDB for team collaboration
  • Terraform Cloud: Managed runs, VCS integration, Sentinel policies
  • CI/CD: Run terraform plan in PRs, apply on merge

```hcl
# backend.tf
terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-locks"
  }
}
```

Interview Questions

Q1: What is Terraform state and why is it important?
State is Terraform's mapping of real-world infrastructure to configuration. It stores resource attributes, dependencies, and metadata. It enables Terraform to detect drift, plan changes, and delete resources. Remote state with locking prevents concurrent modifications. Never edit state manually.
Q2: Explain the difference between Terraform provisioners and configuration management tools.
Provisioners (file, remote-exec, local-exec) are last-resort mechanisms to perform actions on resources — they are not idempotent and should be avoided. Configuration management tools like Ansible, Chef, or Puppet are designed for ongoing server configuration. Prefer using Ansible after Terraform provisions infrastructure.
Q3: What are Terraform modules and how do you use them?
Modules are reusable Terraform configurations grouped in a directory with inputs (variables) and outputs. They follow the same HCL syntax as root configurations. The root directory calling a module uses `module "name" { source = "./path" }`. Modules promote DRY principles and can be versioned via Git tags or the Terraform Registry.
Q4: How do you manage sensitive data in Terraform?
Never hardcode secrets in .tf files. Mark variables that carry secrets with `sensitive = true`. Store secrets in a secrets manager (HashiCorp Vault, AWS Secrets Manager) and read them through its provider. Keep `.tfvars` files out of version control with `.gitignore`. For remote state, enable encryption at rest (S3 SSE, KMS). Terraform Cloud/Enterprise supports variable sets with sensitive classification.
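
The practices in Q4, put together in one configuration. This is an added example, not code from the original page: the backend block repeats the page's backend.tf with encryption turned on, and the KMS key ARN, secret name and database settings are placeholders.

```hcl
# Added example. Bucket and lock-table names repeat the page's backend.tf;
# the KMS key ARN, secret name and database settings are placeholders.
terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-locks"
    encrypt        = true # server-side encryption of the state object
    kms_key_id     = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID" # placeholder ARN
  }
}

# Weak form, for contrast: a literal secret committed with the code.
#   password = "SuperSecret123"

# Supplied at run time (TF_VAR_db_username or a git-ignored .tfvars file).
# sensitive = true redacts the value in plan and apply output.
variable "db_username" {
  type      = string
  sensitive = true
}

# Read the password from AWS Secrets Manager instead of the repository.
data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/db/password" # placeholder secret name
}

resource "aws_db_instance" "app" {
  identifier        = "app-db"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  storage_encrypted = true
  username          = var.db_username
  password          = data.aws_secretsmanager_secret_version.db.secret_string
}

# An output that references a sensitive value must also be marked sensitive,
# or Terraform rejects the configuration.
output "db_username" {
  value     = var.db_username
  sensitive = true
}
```

`sensitive = true` only redacts the value in CLI output; the username and password are still written to the state file in plaintext, so encryption and restricted access on the state bucket are what protect them.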