Terraform Interview Questions - Advanced

How to use these interview questions

🧠 Read each question carefully.

Try answering it yourself before expanding the answer to compare with the ideal response.

Level: Advanced

🔴 Complex Scenarios & Architecture.

Tackle high-level design, production-grade scaling, security, and advanced internals.

Expand all answers

What is State Locking and what happens if the lock fails?

State locking prevents multiple users from running operations (like apply) on the same state file simultaneously, which could corrupt the state. If locking fails (e.g., someone else is running an apply), Terraform will report an error and stop the execution. You can forcibly unlock a stuck lock (e.g., if a process crashed) using terraform force-unlock <LOCK_ID>.

Explain the use of dynamic blocks.

dynamic blocks allow you to generate repeated nested blocks within a resource based on a variable (list or map). It is commonly used for constructing repeated properties like ingress rules in security groups without copy-pasting code.

What is the difference between count and for_each?

• count: Creates ordered instances based on an integer index (0, 1, 2...). Be careful: removing an item from the middle of the list causes all subsequent resources to shift/recreate.
• for_each: Creates instances based on a map or string set. Instances are identified by their map key. Removing an item only affects that specific resource, making it safer for managing lists of resources.

What are 'Workspaces'?

Workspaces allow you to manage distinct state files for the same configuration file. This is useful for managing multiple instances of the same infrastructure (e.g., dev, stage, prod) without duplicating code directories. You switch contexts using terraform workspace select <name>.

How do you import existing infrastructure into Terraform?

Use terraform import <resource_type>.<name> <id>. 1. Write the resource block in your config (initially empty or matching). 2. Run the import command. 3. Run terraform plan to see the diff and adjust your config until it matches the imported state.

What are 'Provisioners' and why should you avoid them?

Provisioners (local-exec, remote-exec) allow executing scripts on the machine. Why avoid: - They break the declarative model (Terraform cannot track what the script did). - They make destroy operations fragile. - They have no state tracking. Alternative: Use user_data (cloud-init) or pre-baked images (Packer).

What is terraform taint (or terraform apply -replace)?

It marks a resource as "tainted", forcing Terraform to destroy and recreate it during the next apply execution. This is useful if a resource exists but is behaving incorrectly or was not fully provisioning. (Note: terraform taint is deprecated in favor of terraform apply -replace=resource).

How do you handle 'Circular Dependencies' in Terraform?

Circular dependencies occur when Resource A depends on B, and B depends on A. Solution: - Use aws_defaut_security_group or independent security group rule resources (aws_security_group_rule) instead of inline rules to break cycles in SGs. - Refactor the architecture to decouple dependencies. - Sometimes, rely on data sources to fetch generated attributes in a separate step.

What is checkov or tfsec?

They are static analysis tools (SAST) for Infrastructure as Code. They scan Terraform code for security misconfigurations (e.g., open S3 buckets, unencrypted databases, wide-open security groups) before deployment.

What is the difference between 'Implicit' and 'Explicit' dependency?

• Implicit: Terraform infers dependency when you reference attributes (e.g. subnet_id = aws_subnet.main.id).
• Explicit: You manually define depends_on = [...]. This is only needed when there is a hidden dependency that Terraform cannot see (e.g., an application inside an EC2 instance needing an S3 bucket policy to be active first).

What is the .terraform.lock.hcl file?

Introduced in Terraform 0.14, it locks the exact version and checksums of the providers used for a project. It ensures that everyone working on the project uses the exact same provider binaries, preventing "it works on my machine" issues due to minor plugin upgrades.

How do you use Provider Aliases?

Provider aliases allow you to use multiple instances of the same provider definition, often for multi-region deployments.

provider "aws" {
  alias  = "west"
  region = "us-west-2"
}
resource "aws_instance" "foo" {
  provider = aws.west
  ...
}

What is terraform console?

It provides an interactive REPL (Read-Eval-Print Loop) for evaluating Terraform expressions. It allows you to test variables, locals, and built-in functions (cidrsubnet, split, etc.) against the current state.

What are moved blocks?

Introduced in Terraform 1.1, they allow you to declare that a resource or module has been renamed or moved within the configuration. Terraform uses this to automatically migrate the state during the next apply, avoiding the need for manual terraform state mv commands.

How can you cache provider plugins?

By using the plugin_cache_dir in the CLI configuration file (.terraformrc or terraform.rc). This prevents re-downloading large provider binaries for every separate project, saving bandwidth and disk space.

What is state 'drift'?

Drift is the discrepancy between the real-world infrastructure and the Terraform state file. It happens when someone manually modifies resources (e.g., via AWS Console) bypassing Terraform. terraform plan detects this drift.

How do you effectively structure a large Terraform project?

• Monorepo: Directory per environment (dev, prod) calling shared modules.
• Terragrunt: A wrapper tool to keep configurations DRY and manage dependency hierarchy.
• Workspaces: Simple environment separation.
• Data-driven: Using YAML/JSON maps to generate resources via for_each.

How do you test Terraform code?

• Static Analysis: terraform validate, tflint.
• Unit Tests: Testing module logic (rare but possible).
• Integration Tests: Terratest (Go library) or Kitchen-Terraform. These tools spin up real infrastructure, run assertions (e.g., HTTP check on an instance), and destroy it.

What is 'Sentinel' (in Terraform Enterprise/Cloud)?

It is a Policy-as-Code framework. It runs before the apply phase to enforce compliance rules (e.g., "All S3 buckets must have tags", "No security groups allowing 0.0.0.0/0"). If the policy fails, the apply is blocked.

How do you handle secrets without them leaking into state?

This is tricky because Terraform state is plain text. - Use remote state with encryption (e.g., S3 + KMS). - Don't pass secrets as variables if possible; look them up via data sources (e.g. aws_secretsmanager_secret_version). - If creating secrets (like RDS password), use random_password provider but be aware it ends up in state. The only true way to avoid state is generating secrets outside terraform and injecting them at runtime.

---

📬 DevopsPilot Weekly — Learn DevOps, Cloud & Gen AI the simple way.
👉 Subscribe here