Terraform Interview Questions [Senior level - S2E2]

1. How would you design Terraform configurations for a multi-region, multi-environment setup?

Scenario:
Your company has applications running in us-east-1 and eu-west-1 for dev, staging, and prod environments. Each region must have independent resources.
Answer:

  • Use modules for reusability.

  • Define variables for regions and environments.

  • Use workspaces or separate state files for different environments.

  • Implement remote state backends with DynamoDB locking for consistency.

  • Example file structure:

    ├── modules/
    │   ├── vpc/
    │   └── ecs/
    └── environments/
        ├── dev/
        ├── staging/
        └── prod/


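As an added example (not code from the original post), this is what environments/prod/main.tf could look like under that layout: one provider alias per region, a per-environment state key, and the same modules/vpc module called once per region. The bucket and lock table names, the CIDRs, and the module's environment/cidr inputs and vpc_id output are assumed placeholders.

```hcl
# environments/prod/main.tf (added example; names and CIDRs are assumed placeholders)
terraform {
  required_version = ">= 1.5"
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }

  # One state file per environment: only the key differs between dev, staging and prod.
  backend "s3" {
    bucket         = "example-terraform-state" # assumed bucket name
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "example-terraform-locks" # assumed lock table
    encrypt        = true
  }
}

variable "environment" {
  type    = string
  default = "prod"
}

# Region-specific inputs live in one map so the two module calls stay identical.
variable "regions" {
  type = map(object({ cidr = string }))
  default = {
    "us-east-1" = { cidr = "10.10.0.0/16" }
    "eu-west-1" = { cidr = "10.20.0.0/16" }
  }
}

# Providers cannot be declared with for_each, so each region gets an explicit alias.
provider "aws" {
  alias  = "use1"
  region = "us-east-1"
  default_tags {
    tags = { Environment = var.environment, ManagedBy = "terraform" }
  }
}

provider "aws" {
  alias  = "euw1"
  region = "eu-west-1"
  default_tags {
    tags = { Environment = var.environment, ManagedBy = "terraform" }
  }
}

# Same module, independent resources per region.
module "vpc_use1" {
  source      = "../../modules/vpc"
  providers   = { aws = aws.use1 }
  environment = var.environment
  cidr        = var.regions["us-east-1"].cidr
}

module "vpc_euw1" {
  source      = "../../modules/vpc"
  providers   = { aws = aws.euw1 }
  environment = var.environment
  cidr        = var.regions["eu-west-1"].cidr
}

output "vpc_ids" {
  value = {
    "us-east-1" = module.vpc_use1.vpc_id
    "eu-west-1" = module.vpc_euw1.vpc_id
  }
}
```

The dev and staging directories hold the same file with a different backend key and their own tfvars; keeping the provider aliases explicit (rather than one provider whose region is a variable) is what makes a single apply create independent resources in both regions.
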
2. How do you ensure high availability of critical resources in Terraform?

Scenario:
You’re asked to create an auto-scaling group (ASG) for an application that must remain highly available.
Answer:

  • Use multiple Availability Zones (AZs) for resources like ASGs, ALBs, or RDS.

  • For ASG:

    availability_zones = ["us-east-1a", "us-east-1b"]
    min_size           = 2
    max_size           = 5
    
  • For RDS: Set multi_az = true.

  • Mention that HA should be validated with failure simulations, not assumed from the configuration.

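Added example (not from the original post) showing the multi-AZ pieces together: an ASG spread over two subnets in different AZs with ELB health checks, and a Multi-AZ RDS instance. The subnet IDs, AMI, target group ARN and DB subnet group are assumed placeholders. Note that the availability_zones argument quoted above is the older form; inside a VPC, vpc_zone_identifier with one subnet per AZ is what spreads instances across zones.

```hcl
# Added example: multi-AZ ASG plus Multi-AZ RDS. Placeholder values throughout.

variable "private_subnet_ids" {
  type        = list(string)
  description = "One private subnet per AZ, e.g. us-east-1a and us-east-1b"
}

variable "alb_target_group_arn" { type = string }

resource "aws_launch_template" "app" {
  name_prefix   = "app-"
  image_id      = "ami-12345" # placeholder AMI
  instance_type = "t3.micro"
}

resource "aws_autoscaling_group" "app" {
  name = "app-asg"
  # Subnets in different AZs spread instances across zones.
  vpc_zone_identifier = var.private_subnet_ids
  min_size            = 2
  max_size            = 5
  desired_capacity    = 2

  # Replace instances the load balancer reports unhealthy, not only ones EC2 marks as failed.
  health_check_type         = "ELB"
  health_check_grace_period = 120
  target_group_arns         = [var.alb_target_group_arn]

  launch_template {
    id      = aws_launch_template.app.id
    version = "$Latest"
  }

  # Roll instances in place when the launch template changes instead of replacing the ASG.
  instance_refresh {
    strategy = "Rolling"
    preferences { min_healthy_percentage = 50 }
  }

  tag {
    key                 = "Name"
    value               = "app"
    propagate_at_launch = true
  }
}

resource "aws_db_instance" "app" {
  identifier                  = "app-db"
  engine                      = "postgres"
  instance_class              = "db.t3.medium"
  allocated_storage           = 20
  multi_az                    = true             # synchronous standby in a second AZ
  db_subnet_group_name        = "app-db-subnets" # assumed existing group spanning >= 2 AZs
  username                    = "app"
  manage_master_user_password = true # RDS generates the password and stores it in Secrets Manager
  backup_retention_period     = 7
  skip_final_snapshot         = false
  final_snapshot_identifier   = "app-db-final"
  deletion_protection         = true
}
```

With min_size = 2 across two AZs, losing one zone leaves one healthy instance and the ASG launches a replacement in the surviving zone; the failure simulation the answer mentions is exactly terminating an instance and watching that replacement happen.
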
3. How would you implement Terraform in a CI/CD pipeline?

Scenario:
A team needs automated deployments with Terraform.
Answer:

  • Integrate tools like Jenkins, GitHub Actions, or GitLab CI/CD.

  • Use stages like terraform init, terraform validate, terraform plan, and terraform apply.

  • Store sensitive data in secure vaults (e.g., HashiCorp Vault).

  • Use Terraform Cloud or remote state to prevent state conflicts.

  • Example YAML pipeline (GitHub Actions):

    name: terraform
    on: [push]
    jobs:
      terraform:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v4
          - uses: hashicorp/setup-terraform@v3
          - name: Terraform Init
            run: terraform init
          - name: Terraform Validate
            run: terraform validate
          - name: Terraform Plan
            run: terraform plan -out=plan.out
          - name: Terraform Apply
            run: terraform apply plan.out
    

4. Explain how to manage the Terraform state file for cross-team collaboration.

Scenario:
Multiple teams are working on the same Terraform project, and state conflicts arise.
Answer:

  • Use remote state backends (e.g., S3 with DynamoDB locking).

  • Enable encryption at rest (encrypt = true in the backend block plus server-side encryption on the bucket; bucket_key_enabled = true applies when the bucket uses SSE-KMS).

  • Split state files for logical groupings (e.g., network, application).

  • Lock state with DynamoDB to prevent race conditions.

  • Avoid manual edits to the state file.

5. How do you debug errors during terraform apply?

Scenario:
terraform apply fails with an error related to missing resources.
Answer:

  • Run terraform plan to identify the changes causing the issue.

  • Use TF_LOG=DEBUG to get detailed logs.

  • Verify the resource existence using CLI/API tools (e.g., AWS CLI for AWS resources).

  • Ensure dependencies are correct (depends_on or resource relationships).

  • Manually refresh the state (terraform refresh, or terraform apply -refresh-only on current versions) if resources exist but are out of sync.

6. What are count and for_each, and when would you use them?

Scenario:
You need to create multiple EC2 instances for different applications with different configurations.
Answer:

  • Use count for identical resources:

    resource "aws_instance" "example" {
      count         = 3
      ami           = "ami-12345"
      instance_type = "t2.micro"
    }
    
  • Use for_each for distinct configurations:

    resource "aws_instance" "example" {
      for_each      = var.instances
      ami           = each.value.ami
      instance_type = each.value.type
    }
    

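Added example (not from the original post) that declares the var.instances map the for_each snippet above references and shows the practical difference between the two: for_each keys are stable names, so removing one entry touches only that instance, whereas removing an element from the middle of a count list shifts every later index and forces Terraform to recreate the instances after it. AMIs and names are placeholders.

```hcl
# Added example: for_each keyed by a stable name, with the referenced variable declared.

variable "instances" {
  type = map(object({
    ami  = string
    type = string
  }))
  default = {
    "web"    = { ami = "ami-11111", type = "t3.micro" }  # placeholder AMIs
    "worker" = { ami = "ami-22222", type = "t3.small" }
    "cache"  = { ami = "ami-33333", type = "t3.medium" }
  }
}

resource "aws_instance" "app" {
  for_each      = var.instances
  ami           = each.value.ami
  instance_type = each.value.type

  tags = {
    Name = "app-${each.key}"
  }
}

# Addresses are aws_instance.app["web"], aws_instance.app["worker"], ...
# Deleting "worker" from the map later destroys only that one instance.
output "instance_ids" {
  value = { for name, inst in aws_instance.app : name => inst.id }
}

# count stays the right tool when the copies are interchangeable.
variable "canary_count" {
  type    = number
  default = 2
}

resource "aws_instance" "canary" {
  count         = var.canary_count
  ami           = "ami-44444" # placeholder AMI
  instance_type = "t3.micro"
  tags          = { Name = "canary-${count.index}" }
}
```

A tfvars file can override the map per environment (for example, fewer or smaller instances in dev) without touching the resource block.
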
7. How would you handle resource drift in Terraform-managed infrastructure?

Scenario:
Someone manually modified a resource in the AWS console, causing it to drift from Terraform's state.
Answer:

  • Run terraform plan to detect drift.

  • Use terraform apply to bring the resource back in sync.

  • Enable guardrails to prevent manual changes (e.g., IAM policies).

  • For sensitive resources, use lifecycle { prevent_destroy = true }.
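
Added example (not from the original post) combining the two guardrails the answer names: a lifecycle block on a sensitive resource, and an IAM deny policy that blocks out-of-band changes to Terraform-tagged resources for a human operators group, so drift can only come from the pipeline role that runs terraform apply. The bucket name, group name and tag convention are assumed placeholders.

```hcl
# Added example: drift guardrails. Placeholder names throughout.

resource "aws_s3_bucket" "audit_logs" {
  bucket = "example-audit-logs" # placeholder

  tags = { ManagedBy = "terraform" }

  lifecycle {
    # plan/apply errors out instead of destroying this bucket, even when a
    # config change would normally force replacement.
    prevent_destroy = true
    # A tag written by an external tagging job is not reported as drift.
    ignore_changes = [tags["CostCenter"]]
  }
}

# Deny mutating EC2 actions on Terraform-managed instances to the operators group.
data "aws_iam_policy_document" "deny_manual_changes" {
  statement {
    sid    = "DenyManualChangesToTerraformResources"
    effect = "Deny"
    actions = [
      "ec2:ModifyInstanceAttribute",
      "ec2:TerminateInstances",
      "ec2:CreateTags",
      "ec2:DeleteTags",
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/ManagedBy"
      values   = ["terraform"]
    }
  }
}

resource "aws_iam_group_policy" "operators_no_manual_changes" {
  name   = "deny-manual-terraform-changes"
  group  = "operators" # assumed existing IAM group for human operators
  policy = data.aws_iam_policy_document.deny_manual_changes.json
}
```

For ongoing detection, a scheduled job running terraform plan -detailed-exitcode is enough: exit code 2 means the plan found changes, which in a pipeline that applies every merge can only be drift.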

8. How do you handle cross-account resource management in Terraform?

Scenario:
You need to provision resources in multiple AWS accounts using the same configuration.
Answer:

  • Use provider aliases:

    provider "aws" {
      alias   = "account1"
      region  = "us-east-1"
      profile = "account1-profile"
    }
    provider "aws" {
      alias   = "account2"
      region  = "us-west-1"
      profile = "account2-profile"
    }
    
  • Reference aliases in resources:

    resource "aws_s3_bucket" "example" {
      provider = aws.account1
      bucket   = "account1-bucket"
    }
    

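Added example (not from the original post) doing the same cross-account setup with assume_role instead of local named profiles, which behaves the same on a laptop and in CI, plus a precondition that fails the plan if an alias ever resolves to the wrong account. Account IDs, role name, external ID and bucket name are assumed placeholders.

```hcl
# Added example: cross-account providers via assume_role. Placeholder values throughout.

variable "account_ids" {
  type = map(string)
  default = {
    account1 = "111111111111" # placeholder
    account2 = "222222222222" # placeholder
  }
}

variable "external_id" {
  type      = string
  sensitive = true
}

# The credentials Terraform starts with only need sts:AssumeRole on these roles.
provider "aws" {
  alias  = "account1"
  region = "us-east-1"
  assume_role {
    role_arn     = "arn:aws:iam::${var.account_ids["account1"]}:role/TerraformDeploy"
    session_name = "terraform"
    external_id  = var.external_id # guards the role against confused-deputy use
  }
}

provider "aws" {
  alias  = "account2"
  region = "us-west-1"
  assume_role {
    role_arn     = "arn:aws:iam::${var.account_ids["account2"]}:role/TerraformDeploy"
    session_name = "terraform"
    external_id  = var.external_id
  }
}

# Cheap guard: look up who each alias actually is before creating anything.
data "aws_caller_identity" "account1" { provider = aws.account1 }
data "aws_caller_identity" "account2" { provider = aws.account2 }

resource "aws_s3_bucket" "logs_account2" {
  provider = aws.account2
  bucket   = "account2-logs-bucket" # placeholder

  lifecycle {
    precondition {
      condition     = data.aws_caller_identity.account2.account_id == var.account_ids["account2"]
      error_message = "Provider aws.account2 is not targeting the expected account."
    }
  }
}
```

The precondition is the cheap check a reviewer would ask for: a mis-set profile or role ARN otherwise creates the bucket in the wrong account and the plan output alone does not make that obvious.
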
9. What is the difference between a module and a resource in Terraform?

Scenario:
A junior teammate asks why modules are used when you can directly declare resources.
Answer:

  • A resource is a single entity (e.g., an EC2 instance).

  • A module is a collection of resources grouped for reusability and simplicity.

  • Example: A VPC module might create subnets, route tables, and security groups, while individual resources would require duplicating the configuration.
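
Added example (not from the original post) of the inside of such a VPC module, the modules/vpc directory from the file structure in question 1: inputs, the grouped resources, and the outputs callers consume. Variable names and the subnet layout are assumed.

```hcl
# Added example: contents of modules/vpc. Inputs and layout are assumed.

# modules/vpc/variables.tf
variable "environment" { type = string }
variable "cidr" { type = string }
variable "az_count" {
  type    = number
  default = 2
}

# modules/vpc/main.tf
data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "this" {
  cidr_block           = var.cidr
  enable_dns_hostnames = true
  tags                 = { Name = "${var.environment}-vpc" }
}

# One private subnet per AZ, carved out of the VPC CIDR with cidrsubnet().
resource "aws_subnet" "private" {
  count             = var.az_count
  vpc_id            = aws_vpc.this.id
  cidr_block        = cidrsubnet(var.cidr, 8, count.index)
  availability_zone = data.aws_availability_zones.available.names[count.index]
  tags              = { Name = "${var.environment}-private-${count.index}" }
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.this.id
}

resource "aws_route_table_association" "private" {
  count          = var.az_count
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private.id
}

# modules/vpc/outputs.tf
output "vpc_id" { value = aws_vpc.this.id }
output "private_subnet_ids" { value = aws_subnet.private[*].id }
```

A caller writes module "vpc" { source = "./modules/vpc"  environment = "dev"  cidr = "10.0.0.0/16" } and reads module.vpc.private_subnet_ids; the four resource blocks above are written once instead of once per environment.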

10. How would you manage Terraform state file encryption for security compliance?

Scenario:
Your company requires all infrastructure state files to be encrypted at rest and in transit.
Answer:

  • Use S3 backend with server-side encryption (AES-256 or KMS):

    terraform {
      backend "s3" {
        bucket     = "my-terraform-state"
        key        = "prod/terraform.tfstate"
        region     = "us-east-1"
        encrypt    = true
        kms_key_id = "alias/my-key"
      }
    }
    
  • Enable encryption in transit by forcing HTTPS.

  • For Terraform Cloud, ensure workspace-level encryption settings are enabled.
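
Added example (not from the original post) serving both question 4 and question 10: the S3 backend together with the bucket and lock table it depends on, with versioning, SSE-KMS at rest, public access blocked, a bucket policy that denies any request not made over TLS (the "force HTTPS" step), and a DynamoDB lock table. Bucket, table and key-alias names are placeholders and the KMS key is assumed to exist.

```hcl
# Added example: S3 backend plus the hardened bucket and lock table. Placeholder names.

terraform {
  backend "s3" {
    bucket         = "my-terraform-state"
    key            = "network/prod/terraform.tfstate" # one key per logical grouping and environment
    region         = "us-east-1"
    dynamodb_table = "terraform-state-locks"
    encrypt        = true
    kms_key_id     = "alias/my-key"
  }
}

resource "aws_s3_bucket" "state" {
  bucket = "my-terraform-state"
  lifecycle { prevent_destroy = true }
}

# Versioning lets you roll back the state file after a bad apply or an accidental overwrite.
resource "aws_s3_bucket_versioning" "state" {
  bucket = aws_s3_bucket.state.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "state" {
  bucket = aws_s3_bucket.state.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = "alias/my-key"
    }
    bucket_key_enabled = true # reduces KMS request volume; the rule above is what encrypts
  }
}

resource "aws_s3_bucket_public_access_block" "state" {
  bucket                  = aws_s3_bucket.state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encryption in transit: reject every request that is not made over TLS.
data "aws_iam_policy_document" "state_https_only" {
  statement {
    sid    = "DenyInsecureTransport"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.state.arn, "${aws_s3_bucket.state.arn}/*"]
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "state" {
  bucket = aws_s3_bucket.state.id
  policy = data.aws_iam_policy_document.state_https_only.json
}

# Lock table: one item per state key, so a second apply waits instead of clobbering the first.
resource "aws_dynamodb_table" "locks" {
  name         = "terraform-state-locks"
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
  server_side_encryption { enabled = true }
}
```

The bucket and table have to exist before the backend can use them, so they are normally created once from a small bootstrap configuration with local state and the real configurations are then pointed at them with terraform init -migrate-state. Terraform 1.10 added S3-native locking (use_lockfile = true in the backend), but the DynamoDB table the answers describe still works.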

These questions aim to test deep technical knowledge and problem-solving skills, focusing on real-world scenarios you might encounter as a senior Terraform practitioner.