30 Most Asked Terraform Interview Questions & Answers (With Scenarios + Cheat Sheet)
Master Terraform interviews with this complete guide: 30 essential Q&A, real-world scenarios, and best practices. Covers Terraform state, modules, workspaces, drift, and multi-cloud deployment.
20 Terraform Interview Q&A
1. What is Terraform and why is it used?
Terraform is an Infrastructure as Code (IaC) tool that lets you define, provision, and manage infrastructure across cloud providers (AWS, Azure, GCP, etc.) using a declarative configuration language (HCL).
✅ Companies prefer it because it ensures consistency, repeatability, and automation of infra.
2. Terraform vs Ansible vs CloudFormation?
Terraform → Infrastructure provisioning (multi-cloud).
Ansible → Configuration management (installing software).
CloudFormation → AWS-only IaC solution.
👉 Terraform stands out for multi-cloud + immutable infra.
3. What is Terraform State and why is it important?
Terraform maintains a state file (terraform.tfstate) to track resources it manages.
It helps Terraform map real infrastructure → config files.
Without state, Terraform wouldn’t know if a resource already exists.
⚠️ Key interview point: Store state remotely (e.g., S3 + DynamoDB for locking).
4. What are Terraform Providers?
Providers are plugins that allow Terraform to interact with APIs (AWS, Azure, GCP, GitHub, Kubernetes, etc.).
Example:
provider "aws" {
  region = "us-east-1"
}
👉 Terraform downloads providers automatically from the registry.
5. What is the difference between terraform plan and terraform apply?
terraform plan → Preview of changes (dry-run).
terraform apply → Executes changes and modifies infra.
👉 In interviews, emphasize using plan in CI/CD for approvals.
6. What is terraform init and why is it required?
terraform init initializes a working directory:
Downloads providers
Sets up backend
Prepares modules
💡 It’s always the first step before plan/apply.
7. What is a Terraform Module?
A module is a reusable container for Terraform resources.
Example:
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.0"
}
👉 Companies ask this to see if you know how to structure DRY, reusable infra code.
8. What is the difference between local and remote backends?
Local backend → state stored in local .tfstate.
Remote backend → state stored in cloud (S3, GCS, Terraform Cloud).
✅ Remote is recommended for teams (ensures locking + collaboration).
9. How do you manage sensitive data in Terraform?
Use Terraform variables with sensitive = true.
Store secrets in Vault, SSM, or Secret Manager.
Never commit .tfstate to Git (it can contain secrets!).
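An added example (not from the original guide) putting a hard-coded secret beside the two safer patterns the answer lists. The resource names, the SSM parameter path and the database settings are assumptions chosen for illustration.

```hcl
# WEAK: the password is committed to version control in plaintext.
# resource "aws_db_instance" "app" {
#   identifier = "example-app-db"
#   username   = "app"
#   password   = "SuperSecret123"
# }

# Option 1: pass the secret in as a sensitive variable,
# for example through TF_VAR_db_password set by the CI system.
variable "db_password" {
  type      = string
  sensitive = true # redacted in plan/apply output
}

# Option 2: read the secret from SSM Parameter Store at plan time.
# The path is a placeholder, not a real parameter.
data "aws_ssm_parameter" "db_password" {
  name            = "/example/prod/db/password"
  with_decryption = true
}

resource "aws_db_instance" "app" {
  identifier          = "example-app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = data.aws_ssm_parameter.db_password.value
  skip_final_snapshot = true
}

# With either option the resolved password is still written to
# terraform.tfstate in plaintext. sensitive = true only hides it from
# CLI output, which is why the state file must stay out of Git and live
# in an encrypted, access-controlled backend.
```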
10. What is the difference between count and for_each?
count → Simple way to create multiple instances.
for_each → Key-value based, better for managing unique resources.
Example:
resource "aws_instance" "server" {
  for_each      = toset(["dev", "qa", "prod"])
  ami           = "ami-12345"
  instance_type = "t2.micro"
}
11. What is Terraform Drift?
Drift = when infra changes outside Terraform (e.g., manually changed in AWS console).
👉 terraform plan detects drift.
👉 terraform apply reconciles differences.
12. What is the use of terraform import?
Used to bring existing resources under Terraform management.
Example:
terraform import aws_instance.myserver i-1234567890
⚠️ Import updates state only, not config. You must write HCL afterward.
13. What are Workspaces in Terraform?
Workspaces let you manage multiple environments (dev, stage, prod) in the same config.
Commands:
terraform workspace new dev
terraform workspace select prod
👉 Useful in CI/CD pipelines.
14. What are Terraform Provisioners?
Provisioners let you run scripts (remote-exec, local-exec) after resource creation.
⚠️ Best practice: Avoid unless absolutely necessary (use Ansible instead).
Example:
# Goes inside a resource block; remote-exec also needs a connection block.
provisioner "remote-exec" {
  inline = ["sudo apt update", "sudo apt install nginx -y"]
}
15. What happens if the state file is lost?
Terraform loses track of resources.
You can rebuild state using terraform import.
👉 Critical scenario interviewers check to see if you mention remote state storage.
16. What is the difference between terraform taint and terraform destroy?
terraform taint <resource> → Marks resource for recreation.
terraform destroy → Destroys all resources.
👉 Taint is used when only one resource is corrupted.
17. How do you manage multi-cloud deployments with Terraform?
Define multiple providers in the same config.
Example: Deploy EC2 on AWS + VM on Azure together.
👉 Companies like to check if you know Terraform is cloud-agnostic.
18. What is the difference between terraform fmt, validate, and refresh?
terraform fmt → Formats code.
terraform validate → Syntax + logical errors.
terraform refresh → Updates state with real infra.
19. How do you handle versioning in Terraform?
Lock provider versions in required_providers.
Lock Terraform version in required_version.
Example:
terraform {
  required_version = ">= 1.6.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}
20. What are some Terraform Best Practices companies expect?
Store state remotely (S3, GCS, Terraform Cloud).
Use modules for reusability.
Use terraform plan before apply.
Use version control (GitOps).
Don’t store secrets in .tfstate.
Implement CI/CD with Terraform.
These 20 Q&A notes are the kind of practical, scenario-based questions companies love to ask.
10 Scenario-Based Terraform Interview Q&A
21. Scenario: Two developers apply Terraform at the same time. What happens?
If state is local → race condition → state corruption.
If state is remote with locking (e.g., S3 + DynamoDB lock) → one apply waits, the other fails.
✅ Best practice: Always enable state locking.
22. Scenario: Your S3 bucket was manually deleted but Terraform state still has it. What happens when you run terraform apply?
Terraform sees resource missing in real infra but present in state.
It will recreate the bucket.
👉 Drift reconciliation in action.
23. Scenario: You changed a variable value, but terraform apply didn’t recreate the resource. Why?
Some arguments are mutable (can be updated in-place).
Example: Changing tags in AWS → updates resource in place.
Only force-new attributes (like subnet_id in EC2) trigger recreation.
24. Scenario: You ran terraform destroy by mistake in prod. How do you prevent this?
Use -target to destroy specific resources only.
Add lifecycle prevent_destroy = true to critical resources:
resource "aws_s3_bucket" "logs" {
  bucket = "prod-logs"
  lifecycle {
    prevent_destroy = true
  }
}
25. Scenario: How do you roll back a Terraform deployment?
Terraform doesn’t have native rollback. Options:
Restore a previous state file from backup.
Use Git to revert config + reapply.
For critical infra, use blue-green strategy.
26. Scenario: You want to create 10 EC2 instances, but each needs a unique tag. How do you do it?
Use for_each with a map:
resource "aws_instance" "servers" {
  for_each = {
    server1 = "web"
    server2 = "db"
  }
  ami           = "ami-12345"
  instance_type = "t2.micro"
  tags = {
    Name = each.value
  }
}
27. Scenario: You deleted a resource from config but don’t want Terraform to delete it in cloud. How?
Use lifecycle ignore_changes:
resource "aws_instance" "app" {
  ami           = "ami-12345"
  instance_type = "t2.micro"
  lifecycle {
    ignore_changes = all
  }
}
👉 Or remove it from state with:
terraform state rm aws_instance.app
28. Scenario: You want to share Terraform modules across multiple teams. How do you do it?
Store modules in:
Terraform Registry (private/public)
Git repo with version tags
Artifactory/S3 bucket
✅ Companies check if you know about module versioning & reuse.
29. Scenario: Terraform apply fails halfway (some resources created, others failed). What do you do?
Terraform keeps updated state after partial success.
Fix issue → rerun terraform apply.
If rollback is needed → terraform destroy → reapply.
👉 Shows understanding of Terraform’s idempotency.
30. Scenario: You want to create infra in multiple AWS accounts with same config. How do you do it?
Use provider aliasing:
provider "aws" {
  alias   = "dev"
  region  = "us-east-1"
  profile = "dev"
}
provider "aws" {
  alias   = "prod"
  region  = "us-east-1"
  profile = "prod"
}
resource "aws_s3_bucket" "dev_bucket" {
  provider = aws.dev
  bucket   = "dev-bucket"
}
resource "aws_s3_bucket" "prod_bucket" {
  provider = aws.prod
  bucket   = "prod-bucket"
}
These 10 scenario-based Q&As (21–30) reflect exactly what companies ask to test if you can handle real-world Terraform challenges.


