Terraform

Infrastructure as Code tool for provisioning and managing cloud infrastructure declaratively. Commonly used with AWS, GCP, and Azure.

Consider OpenTofu as an open source alternative (fork after HashiCorp licence change).

Basic Commands

terraform init        # Initialise working directory, download providers
terraform plan        # Preview changes without applying
terraform apply       # Apply changes to infrastructure
terraform destroy     # Destroy all managed infrastructure

terraform fmt --recursive   # Format all .tf files recursively
terraform validate          # Validate configuration syntax
terraform refresh           # Update state to match real infrastructure
terraform output            # Display output values

State

Terraform tracks infrastructure in a state file. This is the source of truth for what Terraform manages.

Backends

Configure where state is stored:

local - Default, stores state in terraform.tfstate file
s3 - AWS S3 bucket (recommended for AWS)
gcs - Google Cloud Storage
azurerm - Azure Blob Storage
remote - Terraform Cloud/Enterprise

Remote backends provide:

Collaboration (shared state)
State locking (prevents concurrent modifications)
Encryption at rest
Versioning/history

State Commands

terraform show                           # Display current state
terraform state list                     # List all resources in state
terraform state show <resource>          # Show details of a resource
terraform state mv <src> <dst>           # Move/rename resource in state
terraform state rm <resource>            # Remove resource from state (doesn't destroy)
terraform import <resource> <id>         # Import existing infrastructure into state
terraform state pull                     # Download and output remote state
terraform state push                     # Upload local state to remote

State Locking

Most remote backends support locking to prevent concurrent operations. If a lock is stuck:

terraform force-unlock <lock_id>

Variables

Input Variables

Define in configuration:

variable "region" {
  type        = string
  default     = "eu-west-2"
  description = "AWS region to deploy to"
  
  validation {
    condition     = can(regex("^eu-", var.region))
    error_message = "Region must be in EU."
  }
}

Set values (in order of precedence, lowest to highest):

Default value in variable block
terraform.tfvars or *.auto.tfvars files (auto-loaded)
-var-file="env.tfvars" flag
-var="region=eu-west-1" flag
TF_VAR_region environment variable

terraform apply -var="gcp_project_id=my-project"
terraform apply -var-file="production.tfvars"

Output Variables

Expose values from your configuration:

output "instance_ip" {
  value       = aws_instance.web.public_ip
  description = "Public IP of the web server"
  sensitive   = false
}

Local Values

Assign names to expressions for reuse:

locals {
  environment = "production"
  common_tags = {
    Environment = local.environment
    ManagedBy   = "Terraform"
  }
}

Loops and Conditionals

count

Create multiple instances of a resource:

resource "aws_instance" "server" {
  count = 3
  ami   = "ami-12345"
  tags = {
    Name = "server-${count.index}"
  }
}

for_each

Iterate over maps or sets:

resource "aws_instance" "server" {
  for_each = toset(["web", "api", "worker"])
  ami      = "ami-12345"
  tags = {
    Name = each.value
    Key  = each.key
  }
}

Prefer for_each over count for resources that may be added/removed - it references by key rather than index, avoiding recreation of resources.

for Expressions

Transform collections:

locals {
  upper_names = [for name in var.names : upper(name)]
  name_map    = { for name in var.names : name => upper(name) }
}

Conditional Expressions

Ternary operator:

resource "aws_instance" "server" {
  instance_type = var.environment == "production" ? "m5.large" : "t3.micro"
}

Conditional resource creation:

resource "aws_instance" "server" {
  count = var.create_instance ? 1 : 0
}

dynamic Blocks

Generate repeated nested blocks:

dynamic "ingress" {
  for_each = var.ports
  content {
    from_port = ingress.value
    to_port   = ingress.value
    protocol  = "tcp"
  }
}

Modules

Modules are reusable, encapsulated Terraform configurations.

Using Modules

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.0.0"
  
  name = "my-vpc"
  cidr = "10.0.0.0/16"
}

Module Sources

Local path: source = "./modules/vpc"
Terraform Registry: source = "hashicorp/consul/aws"
GitHub: source = "github.com/org/repo//modules/vpc"
S3: source = "s3::https://bucket.s3.amazonaws.com/module.zip"
GCS: source = "gcs::https://bucket.storage.googleapis.com/module.zip"

Module Outputs

Access module outputs:

resource "aws_instance" "web" {
  subnet_id = module.vpc.public_subnet_ids[0]
}

Workspaces

Manage multiple environments with the same configuration:

terraform workspace list              # List workspaces
terraform workspace new staging       # Create new workspace
terraform workspace select production # Switch workspace
terraform workspace delete staging    # Delete workspace

Access current workspace in configuration:

locals {
  environment = terraform.workspace
}

Best Practices

File Structure

project/
├── main.tf          # Main resources
├── variables.tf     # Variable declarations
├── outputs.tf       # Output declarations
├── providers.tf     # Provider configuration
├── versions.tf      # Required versions
├── terraform.tfvars # Variable values (don't commit secrets)
└── modules/
    └── vpc/
        ├── main.tf
        ├── variables.tf
        └── outputs.tf

General

Use remote state with locking for team collaboration
Never commit .tfstate files or .tfvars with secrets
Pin provider and module versions
Use terraform plan before apply in CI/CD
Tag all resources consistently
Use data sources to reference existing infrastructure
Keep modules small and focused

.gitignore

*.tfstate
*.tfstate.*
*.tfvars
.terraform/
.terraform.lock.hcl

Rai Notes

Explorer