TL;DR: Terraform interviews test IaC basics, state management, modules, providers, drift, imports, secrets, and real-world troubleshooting. Strong answers should explain both Terraform commands and safe team workflows.

Terraform is now a key skill for DevOps, cloud, SRE, and infrastructure automation roles. It helps teams define infrastructure as code and manage resources consistently across AWS, Azure, Google Cloud, Kubernetes, SaaS tools, and private data centers. Its growing use also explains why Terraform interview questions are common in DevOps and cloud interviews.

As cloud environments become more complex, interviewers expect more than basic command knowledge. They often test state management, drift control, secrets, modules, reusable code, CI/CD usage, and production troubleshooting. This guide covers the most important Terraform interview questions and answers for freshers and experienced professionals in 2026.

Terraform Interview Questions and Answers

1. What is Terraform?

Terraform is an infrastructure-as-code tool from HashiCorp. It allows teams to define infrastructure using configuration files. These files describe the desired state of resources such as virtual machines, networks, databases, DNS records, IAM policies, and Kubernetes objects.

Terraform then compares the written configuration with the current infrastructure state. It creates, updates, or deletes resources to match the desired setup.

2. What is Infrastructure as Code?

Infrastructure as Code, or IaC, means managing infrastructure through code instead of manual steps. Teams write configuration files, store them in version control, review changes through pull requests, and apply them through automated workflows.

IaC improves consistency. It also reduces manual errors. If an environment needs to be recreated, the same code can be used again.

3. Why is Terraform used?

Terraform is used because it supports many cloud providers and services. It also gives teams a clear workflow for planning and applying infrastructure changes.

The main benefits include repeatable infrastructure, version-controlled changes, reusable modules, multi-cloud support, and better change visibility. Terraform is also useful for compliance because teams can review infrastructure changes before applying them.

4. What are Terraform providers?

Providers are plugins that allow Terraform to interact with APIs. For example, the AWS provider helps Terraform create and manage AWS resources. The Azure provider does the same for Azure. There are also providers for Google Cloud, Kubernetes, GitHub, Datadog, Cloudflare, and many other platforms.

A provider usually needs configuration such as region, credentials, or endpoint details.

5. What are the main Terraform commands?

The most common Terraform commands are:

  • terraform init: Initializes the working directory and downloads providers
  • terraform plan: Shows the changes Terraform will make
  • terraform apply: Applies the planned changes
  • terraform destroy: Removes managed infrastructure
  • terraform validate: Checks whether the configuration is valid
  • terraform fmt: Formats Terraform files
  • terraform output: Shows output values
  • terraform state: Helps inspect and manage Terraform state

A good candidate should know what each command does and when to use it.

6. What happens during terraform init?

terraform init prepares a Terraform working directory. It downloads the required providers. It also initializes the backend used for state storage.

If modules are used, terraform init downloads them as well. This command is usually the first command run after cloning a Terraform repository or changing backend or provider settings.

7. What is Terraform state?

Terraform state is a file that records the current known condition of managed infrastructure. It maps Terraform resources in code to real resources in the cloud or another platform.

For example, if the code defines an EC2 instance, the state file stores the link between that Terraform resource and the actual EC2 instance ID. Terraform uses this information to decide what needs to change in future plan and apply operations.

8. Why is Terraform state important?

Terraform state is important because Terraform depends on it to track resources. If the state file is lost, corrupted, or changed incorrectly, Terraform may not know which real resources it manages.

In production, the state must be protected. Teams should use a remote backend, enable locking, restrict access, and keep versioning enabled where possible.

9. What is a remote state?

Remote state means storing the Terraform state file in a remote backend rather than on a local machine. Examples include HCP Terraform, Amazon S3, Azure Storage, Google Cloud Storage, or other supported backends.

Remote state is important for teams. It allows multiple users and CI/CD systems to work against the same state source. It also supports better access control and safer collaboration.

10. What is state locking?

State locking prevents two Terraform operations from changing the same state simultaneously. This is important because concurrent changes can corrupt the state or create inconsistent infrastructure.

If the backend supports locking, Terraform locks the state during write operations. If the lock cannot be acquired, Terraform will not continue. In team environments, locking should stay enabled.

11. What are Terraform modules?

A module is a reusable group of Terraform configuration files. Every Terraform configuration is part of a module. The root module is the current working directory. Child modules are called from other directories or registries.

Modules help teams avoid repeated code. For example, a company can create a reusable VPC module, database module, or Kubernetes cluster module.

12. What is the difference between variables and locals?

Variables are input values. They allow users to pass different values into a Terraform configuration. For example, environment name, region, instance type, or CIDR range can be variables.

Locals are internally named expressions. They help simplify repeated logic inside a configuration. A local value cannot be passed from outside like a variable.

13. What are Terraform outputs?

Outputs expose useful values after Terraform has created the infrastructure. For example, a load balancer DNS name, a database endpoint, an instance IP address, or a VPC ID can be an output.

Outputs are useful for users, automation systems, and other Terraform configurations that consume remote state.

14. What is the difference between count and for_each?

Both count and for_each create multiple resource instances. Use count when the resources are nearly identical and only the number matters.

Use for_each when each resource needs a stable key or different values. For example, if you are creating users from a map of usernames, for_each is safer. It avoids problems caused by changes to list indices.
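
The index-shift problem described above, as an added example that is not from the original article. The user names and resource labels are constructed for illustration, and the two resources are shown side by side only for comparison.

```hcl
variable "usernames" {
  type    = list(string)
  default = ["alice", "bob", "carol"] # constructed sample values
}

# count: instances are addressed by list position.
#   aws_iam_user.by_index[0] = alice, [1] = bob, [2] = carol
# Removing "alice" shifts every index, so Terraform plans changes to the
# instances at [0] and [1] and destroys [2], although only alice was removed.
resource "aws_iam_user" "by_index" {
  count = length(var.usernames)
  name  = var.usernames[count.index]
}

# for_each: instances are addressed by a stable key.
#   aws_iam_user.by_key["alice"], ["bob"], ["carol"]
# Removing "alice" plans exactly one destroy and leaves bob and carol alone.
# Keep only one of these two resources in a real configuration.
resource "aws_iam_user" "by_key" {
  for_each = toset(var.usernames)
  name     = each.key
}
```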

15. What is a Terraform data source?

A data source allows Terraform to read information from an external system without creating or managing that resource.

For example, a data source can fetch the latest AMI ID, an existing VPC, a secret reference, or account details. Data sources are useful when Terraform needs existing information to build new resources.

16. What is the Terraform dependency graph?

Terraform builds a dependency graph to understand the order in which resources must be created, updated, or destroyed. Some dependencies are automatic because one resource references another.

For example, if a subnet refers to a VPC ID, Terraform knows the VPC must exist first. Explicit dependencies can also be created using depends_on, but they should be used only when needed.

17. What is depends_on used for?

depends_on creates an explicit dependency between resources or modules. It tells Terraform that one object must be handled before another.

It is useful when a dependency exists but is not visible through normal references. However, overusing depends_on can make code harder to maintain. It is better to rely on natural references when possible.

18. What is a backend in Terraform?

A backend defines where Terraform stores its state and how operations are performed. A local backend stores state on the local machine. Remote backends store state in a shared location.

In production, teams usually use remote backends because they support collaboration, locking, access controls, and recovery options.
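
A remote backend that combines the protections discussed in the answers on state, remote state, and locking, as an added example that is not from the original article. The bucket name, key, and region are placeholders, and the bucket resources are assumed to live in a separate bootstrap configuration.

```hcl
# backend.tf (in the configuration whose state is being stored)
terraform {
  required_version = ">= 1.10" # use_lockfile needs Terraform 1.10 or later

  backend "s3" {
    bucket       = "example-org-tfstate" # placeholder bucket name
    key          = "prod/network/terraform.tfstate"
    region       = "eu-west-1"
    encrypt      = true # server-side encryption of the state object
    use_lockfile = true # S3-native state locking
    # On older Terraform versions, lock through DynamoDB instead:
    # dynamodb_table = "example-org-tfstate-locks"
  }
}

# state_bucket.tf (separate bootstrap configuration that owns the bucket)
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-org-tfstate"

  lifecycle {
    prevent_destroy = true # losing this bucket means losing every state file in it
  }
}

# Versioning allows recovery of an earlier state after a bad write.
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id

  versioning_configuration {
    status = "Enabled"
  }
}

# State can contain secrets, so the bucket must never be publicly readable.
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```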

19. What is .terraform.lock.hcl?

.terraform.lock.hcl is the dependency lock file. It records the selected provider versions used by the configuration.

This file helps teams use consistent provider versions across machines and CI/CD pipelines. It should usually be committed to version control. Without it, different users may install different provider versions that satisfy the same version constraint.

20. What is Terraform drift?

Terraform drift happens when real infrastructure changes outside Terraform. For example, someone may manually change a security group rule in the cloud console. The Terraform code still says one thing, but the actual resource is different.

Drift is risky because Terraform plans may become confusing or unexpected. Teams should detect drift regularly and decide whether to update the code, revert the manual change, or import the new state.

21. How do you detect drift in Terraform?

A common way to detect drift is to run terraform plan. Terraform refreshes the state and compares the real infrastructure with the desired configuration.

For safer review, teams can use refresh-only workflows. A refresh-only operation helps compare infrastructure and state without changing the infrastructure to match the code.

22. How do you handle Terraform drift?

First, identify the drift through a plan or refresh-only plan. Then check whether the drift was intentional.

If the change was valid, update the Terraform code and apply it. If the change was accidental, revert it through Terraform. In mature teams, manual changes through the cloud console should be limited. Changes should go through pull requests and approved workflows.

23. How do you import existing infrastructure into Terraform?

To import existing infrastructure, first write the matching Terraform resource block. Then import the real resource into Terraform state using the correct resource address and ID.

Terraform also supports import blocks for managing import operations in configuration. This is useful for repeatable imports and larger migrations.

After import, always run terraform plan. The goal is to make the code, state, and real infrastructure match.
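
Import blocks used for a small migration, as an added example that is not from the original article. The bucket names and the resource label are constructed, and the example assumes Terraform 1.7 or later for for_each inside an import block (import blocks themselves need 1.5 or later).

```hcl
# Constructed sample: two buckets that were created by hand in the console.
locals {
  legacy_buckets = {
    logs    = "example-org-legacy-logs"
    backups = "example-org-legacy-backups"
  }
}

# One import block covers every entry in the map.
# For aws_s3_bucket the import ID is the bucket name.
import {
  for_each = local.legacy_buckets
  to       = aws_s3_bucket.legacy[each.key]
  id       = each.value
}

# The matching resource block must exist before the import is planned.
resource "aws_s3_bucket" "legacy" {
  for_each = local.legacy_buckets
  bucket   = each.value

  lifecycle {
    prevent_destroy = true # guard against deletion while the migration is reviewed
  }
}
```

When reviewing the plan, expect import actions and no destroy or replace actions. Any remaining in-place change means the code does not yet match the real resource.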

24. What replaced Terraform taint?

terraform taint is deprecated. The recommended replacement is the -replace option with terraform apply.

For example:

terraform apply -replace=aws_instance.example

This tells Terraform to replace a specific resource during the apply. It is clearer than taint because it is tied to the current operation. It does not leave a tainted marker in the state for a later run.

25. What is the lifecycle block in Terraform?

The lifecycle block customizes how Terraform manages a resource. Common lifecycle settings include:

  • prevent_destroy: Stops accidental deletion
  • create_before_destroy: Creates a replacement before destroying the old resource
  • ignore_changes: Tells Terraform to ignore changes to selected arguments

Lifecycle rules should be used carefully. They can prevent downtime, but they can also hide real configuration issues if used incorrectly.

26. What are provisioners in Terraform?

Provisioners run scripts or commands after a resource is created or before it is destroyed. Examples include local-exec and remote-exec.

Provisioners should be used as a last resort. Terraform is designed to manage infrastructure through provider APIs. Configuration management tools, cloud-init, images, or deployment pipelines are often better choices for software setup.

27. How do you manage secrets in Terraform?

Secrets should not be hardcoded in Terraform files. They should not be committed to version control.

Use secure methods such as environment variables, secret managers, CI/CD secret stores, or HCP Terraform variables. Mark sensitive variables and outputs as sensitive so Terraform redacts them from the CLI output.

Also, remember that the state may contain sensitive values. This is why remote state must be encrypted, access-controlled, and protected.
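
A hardcoded secret beside the corrected form, as an added example that is not from the original article. The resource names, the database settings, and the password shown in the comment are constructed, and the variable is assumed to be supplied as TF_VAR_db_password from the pipeline's secret store.

```hcl
# Weak: the secret sits in the repository and in every diff.
#   resource "aws_db_instance" "app" {
#     password = "Sup3rSecret!" # hardcoded, ends up in Git history
#   }

# Corrected: the value comes from outside the code base.
variable "db_password" {
  description = "Master password, set via TF_VAR_db_password"
  type        = string
  sensitive   = true # redacted in plan and apply output
}

resource "aws_db_instance" "app" {
  identifier        = "app-db"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  storage_encrypted = true
  username          = "app_admin"
  password          = var.db_password # still written to state in plain text
}

# Not derived from a secret, so it can be shown normally.
output "db_endpoint" {
  value = aws_db_instance.app.endpoint
}

# Derived from a sensitive variable: Terraform rejects this output
# unless it is also marked sensitive.
output "db_connection_string" {
  value     = "postgres://${aws_db_instance.app.username}:${var.db_password}@${aws_db_instance.app.endpoint}/postgres"
  sensitive = true
}
```

The sensitive flag only affects what the CLI displays. Anyone who can read the state file can still read the password, which is why access to the backend matters.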

28. What is the difference between terraform validate and terraform plan?

terraform validate checks whether the configuration syntax and structure are valid. It does not compare the configuration with real infrastructure.

terraform plan goes further. It checks the current state and shows what Terraform will create, update, or delete. In interviews, this distinction is important because validation does not guarantee that the planned infrastructure change is safe.

29. How do you structure Terraform code for multiple environments?

A common approach is to keep reusable modules separate from environment-specific configurations. For example, teams may have folders for dev, stage, and prod, each calling the same modules with different variables.

Another approach is to use separate workspaces, but they are better suited to similar environments with the same configuration pattern. For production-grade setups, clear folder separation often improves visibility and review.

30. How do you use Terraform in CI/CD?

In CI/CD, Terraform usually runs as part of a controlled workflow. A pull request triggers terraform fmt, terraform validate, security scanning, and terraform plan. The plan is reviewed before approval.

After approval, terraform apply runs through a secure pipeline. Access to apply should be restricted. State should be remote. Secrets should come from a secure secret store or pipeline variables.

31. What are common Terraform interview mistakes?

Common mistakes include assuming Terraform is only for AWS, ignoring state safety, hardcoding secrets, using local state in teams, overusing provisioners, and failing to understand drift.

Another common mistake is giving command-only answers. Interviewers want to know how you would use Terraform safely in real environments.

32. How would you troubleshoot a failed Terraform apply?

Start by reading the error message carefully. Check whether the issue is related to credentials, permissions, provider version, invalid arguments, API limits, dependency order, or state mismatch.

Then run terraform plan again if needed. Check provider documentation. Review recent code changes. If the issue involves the state, avoid editing the state file manually unless there is no safer option. State operations should be done carefully and usually with team approval.

Key Takeaways

  • Scenario-based Terraform interview questions for experienced candidates in 2026 focus on practical infrastructure management. You need to understand the basic workflow, but that is not enough.
  • Strong candidates know how the state works. They understand why remote state and locking matter in teams. They can explain drift, imports, modules, providers, lifecycle rules, secrets, and safe CI/CD practices.
  • It is also important to stay updated. For example, terraform taint is deprecated, and terraform apply -replace is now the recommended option for replacing a specific resource. Import blocks and lock files are also important topics for modern interviews.
  • The best answers are short, clear, and based on real-world use. Show that you can write Terraform code and manage it safely in a production environment.
