Portal | Level: L1: Foundations | Topics: Terraform | Domain: DevOps & Tooling

Terraform / Infrastructure as Code - Skill Check

Mental model (bottom-up)

Terraform builds a dependency graph, then compares desired config vs state vs real APIs to create a plan. Your biggest risks are state, drift, and blast radius.

Visual guide (plan/apply)

HCL config + provider schema
   |
   v
Graph -> Refresh (read real) -> Diff -> Plan -> Apply (write) -> Update state

Glossary

• provider - plugin that talks to an API
• resource - managed object created/updated by Terraform
• data source - read-only lookup of existing objects
• state - mapping between config and real resources
• backend - where state is stored; may support locking
• drift - real infra changed outside Terraform
• module - reusable composition of resources

Common failure modes

• Local state + no locking -> state corruption.
• count index churn -> accidental destroys.
• Secrets end up in state -> leak risk.

Roadmap core - IaC concepts (10, easy -> hard)

• What problem does IaC solve?
• Repeatable, reviewable, versioned infrastructure changes.
• Declarative vs imperative?
• Desired state vs step-by-step commands.
• What is "state" and why does it matter?
• Mapping between code and real resources; drift detection and updates.
• Plan vs apply mental model?
• Preview changes vs perform changes.
• Modules: why use them?
• Reuse, standardization, guardrails.
• Variables/outputs: why?
• Parameterize + connect stacks cleanly.
• Drift: what is it?
• Reality changed outside IaC; code/state no longer match.
• Remote state + locking: why?
• Team safety; prevents concurrent corruption.
• Secrets handling rule of thumb?
• Don't hardcode; use secret stores/encrypted vars; least exposure.
• Idempotency and "immutable" patterns?
• Reapply safely; prefer replace-over-mutate for risky changes.

Terraform language & workflow (easy -> hard)

• Provider vs resource vs data source?
• Provider talks API; resource manages; data reads existing.
• terraform init actually does what?
• Downloads providers/modules; configures backend.
• plan vs apply vs destroy?
• Preview vs execute vs delete managed resources.
• What's the dependency graph?
• Terraform orders creates/updates based on references.
• count vs for_each?
• for_each stable keys; count index-based and fragile on reorders.
• lifecycle block purpose?
• Tweak replace behavior (create_before_destroy), ignore changes, etc.
• Why avoid ignore_changes as a default?
• Hides drift; can mask real problems.

State, backends, and locking (easy -> hard)

• What is remote state?
• State stored outside local disk for collaboration and safety.
• What is state locking?
• Backend lock prevents concurrent writes that corrupt state.
• Why is state sensitive?
• It can contain resource attributes (sometimes secrets); restrict access.
• How do you handle drift safely?
• Prefer IaC-only changes; detect with plan; reconcile intentionally.
• When is -lock=false acceptable?
• Rarely; mostly read-only ops in emergencies (and even then: risky).
• State operations danger?
• state rm/mv can orphan resources or break dependencies; use carefully.

Modules (easy -> hard)

• Why version modules?
• Reproducibility and controlled upgrades.
• Inputs/outputs contract?
• Clear interface; validate types; document defaults.
• What's a "composition" pattern?
• Higher-level module calls lower-level modules; avoids duplication.
• How to avoid module spaghetti?
• Keep modules small, purpose-specific; don't over-abstract too early.
• Testing modules?
• terraform validate, plan in CI, and integration tests in a sandbox.

Secrets & safety (easy -> hard)

• sensitive = true does what?
• Redacts display output; does NOT remove from state.
• Best practice for secrets?
• Fetch from secret manager at runtime; state files are unencrypted by default — use backend encryption (S3+KMS, TF Cloud) and avoid plaintext secrets in state.
• Blast radius reduction?
• Separate state per env/component; least privilege IAM.
• Review gate?
• Require plan review and approvals before apply in CI.
• Cleanup/teardown?
• terraform destroy (or delete workspace/state + out-of-band cleanup if drifted).

Key correctness notes

• Backends determine where state is stored and how operations work.
• Many backends support state locking to prevent concurrent state writes.
• Treat state as sensitive: restrict access, because it can contain resource attributes.

Sources

• HashiCorp Terraform official docs (backends, locking, state).
• https://developer.hashicorp.com/terraform/language/state/backends
• https://developer.hashicorp.com/terraform/language/state/locking

---

Wiki Navigation

Related Content

• Case Study: SSH Timeout — MTU Mismatch, Fix Is Terraform Variable (Case Study, L2) — Terraform
• Case Study: Terraform Apply Fails — State Lock Stuck, DynamoDB Throttle (Case Study, L2) — Terraform
• Crossplane (Topic Pack, L2) — Terraform
• Deep Dive: Terraform State Internals (deep_dive, L2) — Terraform
• Mental Models (Core Concepts) (Topic Pack, L0) — Terraform
• OpenTofu & Terraform Ecosystem (Topic Pack, L2) — Terraform
• Pulumi (Topic Pack, L2) — Terraform
• Runbook: Cloud Capacity Limit Hit (Runbook, L2) — Terraform
• Runbook: Terraform Drift Detection Response (Runbook, L2) — Terraform
• Runbook: Terraform State Lock Stuck (Runbook, L2) — Terraform

Pages that link here

• Crossplane
• Crossplane - Primer
• DevOps Tooling Domain
• Infrastructure as Code with Terraform - Primer
• Level 4: Operations & Observability
• OpenTofu & Terraform Ecosystem - Primer
• Opentofu
• Pulumi
• Pulumi - Primer
• Runbook: Cloud Capacity Limit Hit
• Runbook: Terraform Drift Detection Response
• Runbook: Terraform State Lock Stuck
• Symptoms: Terraform Apply Fails, State Lock Stuck, Root Cause Is DynamoDB Throttle
• Terraform Deep Dive
• Terraform Deep Dive - Primer