50 terraform interview questions Practice Questions: Question Bank 2025

Your team currently provisions cloud resources manually and wants to adopt Infrastructure as Code (IaC). Which IaC benefit most directly helps reduce configuration drift over time?

You need to restrict users from running Terraform against production unless their changes have been reviewed. Which workflow best supports this requirement?

What is Terraform's primary purpose when managing infrastructure across multiple providers (for example, AWS and GitHub)?

You run `terraform plan` and Terraform reports that it will create a new resource that already exists in the cloud environment. What is the most likely reason?

A module input variable is defined as `variable "subnet_ids" { type = list(string) }`. A teammate sets `subnet_ids = "subnet-123"` and `terraform validate` fails. How should they fix the value?

Your `terraform plan` output shows: `~ update in-place` for a resource. What does this indicate?

A team wants to reuse a standard VPC configuration across many environments. They also want to pin to a tested release of that module. Which approach best meets this goal?

You are troubleshooting why Terraform is proposing many unexpected changes. Which command helps you update the state with real-world values without proposing infrastructure changes?

A resource address changed because you refactored configuration to use `for_each` instead of a single resource. You want to avoid destroying and recreating the real infrastructure. What is the best Terraform-native approach?

You are designing a Terraform workflow for a team where multiple engineers will run Terraform against the same environment. Which backend-related design choice best helps prevent state corruption and conflicting applies?

You run `terraform plan` and it fails with an error indicating the remote backend cannot be reached. You still want to inspect configuration for syntax issues and validate it without contacting the backend. Which command should you use?

Your team wants Terraform runs to be reproducible across developer machines and CI. Which practice best helps ensure the same provider version is used everywhere?

You have created reusable Terraform code and want other teams to consume it with minimal duplication. What is the recommended mechanism in Terraform to package and reuse this infrastructure code?

A root module calls a child module. You want to pass a value that should not be displayed in CLI output when possible and should be treated as sensitive across module boundaries. What is the best approach?

A teammate accidentally deleted a resource outside of Terraform. You want Terraform to recreate it on the next apply without manually tainting anything. Which workflow is most appropriate?

You need to rename a resource block from `aws_security_group.web` to `aws_security_group.frontend` without forcing Terraform to destroy and recreate the security group. What should you do?

You are consuming a published module. You want to pin to a stable release series while allowing patch updates, but avoid unexpected breaking changes from major releases. Which source/versioning approach best meets this goal?

A CI job runs `terraform apply` against a remote backend used by the whole team. Another apply is already running and holding the lock. What is the best practice?

You want to run `terraform plan` in automation and fail the pipeline if the plan includes changes, but still succeed if there are no changes. Which CLI option is designed for this use case?

A resource uses `count` and is currently addressed as `aws_instance.app[0]`, `aws_instance.app[1]`, etc. You change the configuration to use `for_each` with keys based on instance names. You want to avoid destroying and recreating the existing instances. What should you do?

You run `terraform plan` and see that a resource will be replaced because a particular argument is marked as `ForceNew`. You want Terraform to ignore changes to that argument because it is managed outside Terraform. What is the best solution?

You want a Terraform configuration to accept an input variable `region` but fall back to a sensible default when users do not provide it. Which approach is recommended?

A teammate says, "Terraform is declarative." What does this mean in practice when writing Terraform configurations?

A module outputs a list of subnet IDs: `output "subnet_ids" { value = [...] }`. In the root module you must create one resource per subnet ID. Which construct is the most appropriate?

You have a remote backend configured for state. An engineer wants to generate and review a plan in CI, then apply exactly that same plan later after approval. What is the correct approach?

You are debugging why a resource is being replaced. Which Terraform CLI command shows the current state values of a specific resource instance as Terraform knows them?

A module expects a variable `tags` of type `map(string)`. In the root module you currently have a list of objects like: `[{ key = "env", value = "dev" }, { key = "team", value = "app" }]`. How can you transform this to pass the expected `map(string)`?

Your organization requires that only approved module versions can be used. Teams currently reference modules using a VCS branch name, which can change over time. What is the best practice to make module usage reproducible?

Two separate Terraform configurations must manage different resources but share a single networking output (for example, a VPC ID) from a "foundation" configuration. You want the application configuration to read that output without directly accessing the foundation state file. Which approach is generally recommended?

You renamed a resource in configuration from `aws_instance.web` to `aws_instance.app` without changing the underlying infrastructure. You want Terraform to treat this as a rename (no destroy/create). What should you do?

You are reviewing a Terraform configuration used by multiple teams. The code uses a mix of manual changes in the cloud console and Terraform runs. Which statement best explains why this is a problem in an Infrastructure as Code workflow?

A team wants to provision identical infrastructure stacks for multiple environments (dev, staging, prod) while keeping settings like instance size and CIDR blocks different per environment. Which approach is the best practice?

You run `terraform plan` and want to save the exact plan output so it can be applied later after approval. Which command is most appropriate?

In Terraform, what is the primary purpose of a provider?

A configuration contains `resource "aws_instance" "web" { count = 3 }`. You need the private IP address of the second instance for use in another resource. Which expression correctly references it?

You call a module from the Terraform Registry. You want to ensure every run uses the same tested module version across your team. What should you do?

Your CI pipeline runs `terraform fmt -check` and fails. Developers claim nothing is wrong because `terraform validate` passes locally. What is the most accurate explanation?

You refactor a resource from the root module into a child module, but you want to keep the existing infrastructure without recreating it. Which workflow is most appropriate?

A resource uses `for_each = var.subnets` where `var.subnets` is a map. Someone changes the map keys (e.g., renaming "private-a" to "priv-a") without changing the underlying subnet values. What is the most likely impact on the next plan?

Your team uses a remote backend with state locking. During an apply, the pipeline job is abruptly terminated. Subsequent runs fail due to an existing lock. What is the safest next step?

You want to prevent a Terraform configuration from accidentally using a provider plugin that is too old or too new. Which feature should you use to enforce this across environments?

A teammate runs terraform apply and Terraform prompts for values for several variables, causing non-interactive CI runs to hang. What is the recommended way to avoid interactive prompts in CI while keeping configurations reusable?

You are evaluating Infrastructure as Code approaches. Which statement best describes a benefit of IaC over manual configuration for infrastructure?

A root module calls a child module that creates multiple resources. You need the root module to use an ID generated inside the child module. What is the recommended way to expose that value?

A new engineer reports that terraform plan shows no changes, but terraform apply fails with an error that a required provider plugin cannot be installed due to network restrictions. What is a practical remediation for restricted environments?

You need to create the same infrastructure in two regions with minimal code duplication. The only difference is the provider configuration (region) and a few variable values. Which approach is recommended?

After running terraform apply, an operator manually deletes a cloud resource outside Terraform. What will Terraform do on the next terraform plan with default settings, and why?

You want to use a community module but need to make sure future changes do not unexpectedly alter your infrastructure. Which practice best reduces the risk of unintended changes from module updates?

A team uses a remote backend with state locking. During a failed CI run, the lock remains and blocks subsequent runs. What is the safest next step to restore progress while minimizing the risk of state corruption?

You are authoring a reusable module. Some inputs must be provided by callers (no sensible defaults), and you want Terraform to fail early with a clear message when a caller passes an invalid value (e.g., an unsupported environment name). What is the best approach?