Terraform Reading
resource blocks, depends_on, variable vs locals, data sources, tfvars — reading Terraform HCL in plain English
Terraform HCL vocabulary
- resource "type" "name" — declares infrastructure to create; referenced as type.name.attribute
- data "type" "name" — reads existing infrastructure; does not create anything
- variable — external input (overridable via tfvars, CLI, env); locals — internal computed values
- depends_on — explicit ordering when implicit attribute references are not sufficient
- terraform.tfvars — auto-loaded variable values; overrides defaults; keep secrets out of version control
Read this Terraform resource block. What instance type is being provisioned?

    resource "aws_instance" "web" {
      ami           = "ami-0c55b159cbfafe1f0"
      instance_type = "t3.medium"
      subnet_id     = var.public_subnet_id
      tags = {
        Name        = "web-server"
        Environment = "production"
      }
    }

- resource "aws_instance" "web" — declares an EC2 resource; first string is the resource type, second is the local name used to reference it
- ami — Amazon Machine Image ID; defines the OS and pre-installed software (e.g., Ubuntu, Amazon Linux)
- instance_type — the EC2 instance family and size (t3.micro, t3.medium, m5.large, etc.)
- var.public_subnet_id — references an input variable; actual value comes from tfvars or CLI
- tags — key-value metadata applied to the AWS resource for cost allocation and identification
What does depends_on mean in this Terraform configuration?

    resource "aws_iam_role_policy_attachment" "ecs_task" {
      role       = aws_iam_role.ecs_task_role.name
      policy_arn = aws_iam_policy.app_policy.arn
      depends_on = [
        aws_iam_role.ecs_task_role,
        aws_iam_policy.app_policy
      ]
    }

- Implicit dependencies — Terraform automatically detects ordering when you reference another resource's attribute (e.g., aws_iam_role.ecs_task_role.name) — these references already create a dependency
- depends_on — used for side-effect dependencies that aren't expressed through attribute references (e.g., waiting for a policy to be attached before creating something that needs the permissions)
- When to use it — when a resource depends on another's behavior, not just its attributes
In this example depends_on is redundant, because the role and policy_arn arguments already reference both resources; it is sometimes added anyway for clarity.

Read these two Terraform blocks. What is the difference between variable and locals?

    variable "environment" {
      type        = string
      description = "Deployment environment"
      default     = "staging"
    }

    locals {
      app_name  = "myapp"
      full_name = "${local.app_name}-${var.environment}"
      common_tags = {
        App = local.app_name
        Env = var.environment
      }
    }

- variable block — declares an input parameter; callers set values via -var, .tfvars files, or environment variables (TF_VAR_name)
- locals block — defines computed values by combining variables, resource attributes, or expressions; only accessible within the module
- var.name — references a variable; local.name — references a local value
- Use case — use locals to avoid repeating complex expressions; use variables to accept configuration from outside
full_name here would evaluate to "myapp-staging" with the default value.

Read this Terraform data source block. What is it fetching?

    data "aws_ami" "ubuntu" {
      most_recent = true
      owners      = ["099720109477"]
      filter {
        name   = "name"
        values = ["ubuntu/images/hvm-ssd/ubuntu-*-22.04-amd64-server-*"]
      }
      filter {
        name   = "virtualization-type"
        values = ["hvm"]
      }
    }

- data block — reads existing infrastructure or external data; does NOT create or modify resources
- most_recent = true — if multiple AMIs match, return the newest one
- owners = ["099720109477"] — Canonical's AWS account ID; filters to only AMIs published by Ubuntu's maker
- filter blocks — narrow down results; equivalent to AWS console search filters
- Referencing — use data.aws_ami.ubuntu.id in a resource block instead of hardcoding an AMI ID
What does a terraform.tfvars file override, and when is it applied?

    # terraform.tfvars
    environment    = "production"
    region         = "eu-west-1"
    instance_count = 3
    db_password    = "s3cr3t-p@ssword"

- default value in the variable block — lowest priority
- terraform.tfvars — auto-loaded if present in working directory
- *.auto.tfvars — also auto-loaded, alphabetical order
- -var-file=filename.tfvars — explicitly passed file
- -var="key=value" — CLI flag, highest priority
terraform.tfvars often contains secrets like db_password — add it to .gitignore and never commit it. Use environment variables (TF_VAR_db_password) or a secrets manager in CI/CD instead.