18 Terraform Interview Questions for DevOps Engineers

Prepare for your next DevOps role with these 18 essential Terraform interview questions and detailed answers, covering basics, advanced topics, state management, modules, best practices, and integration with CI/CD pipelines. Perfect for beginners and experienced engineers looking to master infrastructure as code in 2025.

Dec 8, 2025 - 12:21

Introduction

Terraform has become the gold standard for infrastructure as code in modern DevOps teams. Whether you are applying for a junior cloud engineer role or a senior DevOps position, interviewers will almost certainly ask Terraform questions. Why? Because it proves you can provision, version, and manage infrastructure the same way developers manage application code. This comprehensive guide walks you through 18 real-world Terraform interview questions that appear again and again in 2025. Each comes with a clear, beginner-friendly explanation so you understand not just the answer, but the reasoning behind it. By the end, you will be ready to explain how Terraform fits into a DevOps workflow and handle even the toughest follow-ups with confidence.

Getting Started with Terraform Basics

Every strong interview starts with the fundamentals. These questions separate candidates who have only watched tutorials from those who truly understand the tool.

What exactly is Terraform and why do companies love it?

Terraform is an open-source tool created by HashiCorp that lets you define and manage infrastructure using simple, human-readable configuration files written in HCL (HashiCorp Configuration Language). Instead of clicking buttons in the AWS console, you write code that describes what you want: servers, networks, databases, etc. Terraform then talks to cloud APIs and makes it happen. Companies love it because it brings version control, code reviews, and automation to infrastructure, making environments consistent, repeatable, and auditable.

How is Terraform different from configuration management tools like Ansible?

Terraform is for provisioning (creating resources), while Ansible is for configuration (installing software and settings on existing servers). Think of it this way: Terraform builds the house, Ansible decorates and furnishes it. They are complementary. Many teams use Terraform first to create VMs, then Ansible to install Nginx and configure it.

What are providers in Terraform?

Providers are plugins that allow Terraform to communicate with different platforms: AWS, Azure, Google Cloud, Kubernetes, Datadog, even on-prem tools like VMware. You declare a provider block at the top of your configuration, and Terraform downloads the correct plugin automatically.

Understanding Terraform State – The Most Important Concept

The state file is where most Terraform confusion (and interview questions) happens. Get this right, and you instantly stand out.

  • Terraform records every resource it manages in a JSON file called terraform.tfstate
  • It maps your code to real-world objects using unique IDs
  • Without state, Terraform would recreate everything on every run
  • Local state works for learning, but teams must use remote state
  • Remote backends like S3 + DynamoDB provide locking and versioning
  • Never commit tfstate to Git; it often contains secrets and IDs

Why is remote state with locking critical for teams?

When multiple engineers work together, two people running terraform apply at the same time can corrupt the state file. Remote backends with locking (like S3 + DynamoDB) ensure only one operation runs at once. They also keep a history of state versions for rollback.

Working with Modules and Reusability

Good Terraform code is modular. Interviewers want to know you write clean, reusable configurations.

What are Terraform modules and why should you use them?

A module is a folder of Terraform files that can be reused. Instead of copying a VPC configuration ten times, you create a VPC module and call it with different inputs. The Terraform Registry has thousands of pre-built, tested modules for common patterns like EKS clusters or RDS databases.

How do variables, outputs, and locals work together?

Variables let you customize a module (region, instance size). Locals are named expressions used internally. Outputs expose useful values (like a load balancer URL) so parent modules or humans can consume them. Together they make modules flexible and powerful.

Advanced Terraform Features You Will Be Asked About

  • count and for_each create multiple identical or different resources
  • data sources read information without managing the resource
  • workspaces isolate state for dev/staging/prod
  • lifecycle blocks prevent accidental destruction of databases
  • depends_on forces explicit ordering when needed
  • provisioners are a last resort for running scripts

When would you use for_each instead of count?

Use for_each when resources need unique identifiers from a map or set (e.g., creating users with known usernames). Count is simpler when you just need “three of the same thing”. For_each survives removals in the middle of the list without recreating everything.
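
The difference in resource addressing, shown side by side as an added example that is not from the original article; the usernames are constructed sample values.

```hcl
# Added example; the usernames are constructed sample values.
variable "usernames" {
  type    = list(string)
  default = ["alice", "bob", "carol"]
}

# count: addresses are positional.
#   aws_iam_user.by_index[0] = alice, [1] = bob, [2] = carol
# Removing "bob" shifts carol to index 1, so the plan changes [1] from bob to
# carol and destroys [2].
resource "aws_iam_user" "by_index" {
  count = length(var.usernames)
  name  = "idx-${var.usernames[count.index]}"
}

# for_each: addresses are keyed by value.
#   aws_iam_user.by_name["alice"], ["bob"], ["carol"]
# Removing "bob" destroys only aws_iam_user.by_name["bob"].
resource "aws_iam_user" "by_name" {
  for_each = toset(var.usernames)
  name     = "key-${each.key}"
}
```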

Terraform in CI/CD and GitOps Workflows

Modern teams do not run terraform apply from their laptops. They automate it safely.

How do you run Terraform safely in a pipeline?

Typical flow: on pull request, run terraform plan and comment the output. On merge to main, run terraform apply with human approval for production. Tools like Atlantis, Terraform Cloud, or GitHub Actions with OIDC make this smooth and secure.
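
One way to back the plan-on-pull-request and apply-on-merge flow with GitHub Actions OIDC, as an added example that is not from the original article. It assumes the GitHub OIDC provider is already registered in IAM; the repository `example-org/infra`, the `production` environment and the role names are placeholders.

```hcl
# Added example. Repository, environment and role names are placeholders;
# the GitHub OIDC provider is assumed to already exist in the account.
data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}

locals {
  # Which workflow runs may assume which role, matched on the token's sub claim.
  ci_roles = {
    # Jobs triggered by pull requests: plan only.
    plan = "repo:example-org/infra:pull_request"
    # Jobs that run in the "production" environment, where required
    # reviewers provide the human approval before apply.
    apply = "repo:example-org/infra:environment:production"
  }
}

data "aws_iam_policy_document" "ci_trust" {
  for_each = local.ci_roles

  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [data.aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals" # exact match, no wildcards on repo or ref
      variable = "token.actions.githubusercontent.com:sub"
      values   = [each.value]
    }
  }
}

# Permission policies are attached separately: read access for the plan role,
# and only what the stack manages for the apply role.
resource "aws_iam_role" "ci" {
  for_each           = local.ci_roles
  name               = "terraform-${each.key}"
  assume_role_policy = data.aws_iam_policy_document.ci_trust[each.key].json
}
```

Because the runner exchanges a short-lived token for role credentials, no long-lived AWS access keys need to be stored in the pipeline.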

What is the relationship between Terraform and GitOps?

GitOps says Git is the single source of truth. Terraform fits perfectly: your desired infrastructure lives in Git, a controller (like ArgoCD) can watch for drift and reconcile, or you simply trigger Terraform from Git events. Many teams combine both approaches.

Security, Secrets, and Best Practices

Interviewers always probe security knowledge. These answers show maturity.

  • Never hardcode secrets; use variables or external secret stores
  • Integrate HashiCorp Vault or AWS Secrets Manager
  • Mark sensitive variables and outputs as sensitive
  • Enable state file encryption at rest
  • Use least-privilege IAM roles for CI/CD runners
  • Run terraform validate and tflint in pre-commit hooks

How do you protect secrets in Terraform?

Store secrets outside Terraform (Vault, AWS Parameter Store). Reference them dynamically using data sources. Mark variables as sensitive so they never appear in logs or plan output.
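
The pattern above in configuration form, as an added example that is not from the original article; the secret path, identifiers and sizes are placeholders. Values read this way are redacted in plan output but are still written to the state file, which is why state encryption and restricted access to the backend matter.

```hcl
# Added example. Secret path, identifiers and sizes are placeholders.
variable "db_username" {
  type      = string
  sensitive = true # redacted as (sensitive value) in plan and apply output
}

# Read the password from AWS Secrets Manager at plan/apply time instead of
# keeping it in .tf or .tfvars files.
data "aws_secretsmanager_secret_version" "db_password" {
  secret_id = "prod/app/db-password"
}

resource "aws_db_instance" "app" {
  identifier        = "app-prod"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  storage_encrypted = true
  username          = var.db_username
  password          = data.aws_secretsmanager_secret_version.db_password.secret_string

  lifecycle {
    prevent_destroy = true # plan fails if this database would be destroyed
  }
}

output "db_endpoint" {
  value = aws_db_instance.app.endpoint
}

# An output derived from a sensitive value must itself be marked sensitive,
# otherwise Terraform rejects the configuration.
output "db_connection_string" {
  value     = "postgres://${var.db_username}@${aws_db_instance.app.endpoint}/app"
  sensitive = true
}
```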

Troubleshooting and Real-World Scenarios

These questions separate people who have only read docs from those who have fought fires.

Your terraform apply failed halfway. What now?

Terraform is designed for this. Simply fix the error and run terraform apply again. It will pick up where it left off because operations are idempotent. In rare cases, use -target or state manipulation, but that is advanced.

How do you handle infrastructure drift?

Someone changed a security group outside Terraform. Run terraform plan; it will show the difference. Either revert the manual change or import the new configuration. Schedule regular plans in CI to catch drift early.

Terraform Comparison Table – Key Concepts at a Glance

| Feature | Purpose | Common Tool/Alternative | Best For |
|---|---|---|---|
| Remote State + Locking | Team collaboration | S3 + DynamoDB, Terraform Cloud | Any team >1 person |
| Modules | Reusable code | Terraform Registry | Large projects |
| Workspaces | Environment isolation | Terragrunt, Terraform Cloud | Simple multi-env |
| GitOps Integration | Declarative ops | ArgoCD, Atlantis | Kubernetes-heavy teams |
| Policy as Code | Enforce standards | Sentinel, OPA | Enterprise governance |

Conclusion

Terraform is no longer just another tool; it is the foundation of modern cloud engineering. The 18 questions and concepts in this guide represent what hiring managers actually ask in 2025. Master the state file, embrace modules, automate with CI/CD, and treat security as non-negotiable. Combine that knowledge with hands-on projects and you will not only pass interviews, you will become the engineer teams fight to hire. Start practicing today: build a multi-environment setup with remote state and GitOps. The future of infrastructure is code, and you now have the roadmap to own it.

Frequently Asked Questions

What is the difference between terraform plan and terraform apply?

Plan shows what will change without touching anything. Apply actually creates, modifies, or deletes resources.

Can I use Terraform with Kubernetes?

Yes, via the Kubernetes and Helm providers, or alongside GitOps tools.

How do I version Terraform configurations?

Store them in Git like application code. Use semantic versioning for modules.

What happens if I lose my state file?

You lose the mapping to real resources. Always back up remote state.

Is Terraform Cloud worth the cost?

For teams, yes: it adds governance, private module registry, and cost estimation.

How do I import existing resources?

Use terraform import, then write or generate matching configuration.

What is the recommended folder structure?

Live (environments), modules, and library (shared configs) is a popular pattern.

Should I use Terraform or CloudFormation for AWS?

Terraform for multi-cloud or complex setups; CloudFormation if staying AWS-only.

What does terraform refresh do?

Updates state with current real-world values without changing infrastructure.

How do I prevent accidental destruction of production?

Use lifecycle prevent_destroy = true on critical resources.

Can Terraform manage databases and DNS?

Yes, with providers for RDS, MySQL, Route53, Cloudflare, etc.

What is a null_resource?

A way to run local scripts or external commands when other options fail.

How do I pass secrets securely in CI/CD?

Use OIDC with cloud providers or encrypted variables in your pipeline.

What is drift detection?

When real infrastructure no longer matches your Terraform configuration.

Where can I find good learning resources?

HashiCorp Learn, Terraform Up & Running book, and the official documentation are excellent.

Mridul

I am a passionate technology enthusiast with a strong focus on DevOps, Cloud Computing, and Cybersecurity. Through my blogs at DevOps Training Institute, I aim to simplify complex concepts and share practical insights for learners and professionals. My goal is to empower readers with knowledge, hands-on tips, and industry best practices to stay ahead in the ever-evolving world of DevOps.