Infrastructure as Code Engineer Interview Questions
5 exercises — choose the best-structured answer to common IaC Engineer interview questions covering Terraform, Pulumi, CDK, state management, and secrets handling.
Structure for IaC interview answers
Name the concept precisely: define before comparing (immutable vs mutable, remote vs local state)
Describe failure modes: what breaks without the best practice and why
Name concrete tools and patterns: S3+DynamoDB, Terragrunt, Sentinel/OPA, OIDC federation
Give decision criteria: when to use Terraform vs Pulumi vs CDK — with conditions, not preferences
1 / 5
The interviewer asks: "Explain the difference between mutable and immutable infrastructure, and how IaC supports immutable patterns." Which answer best demonstrates architectural understanding?
Option B is the strongest: it defines both concepts precisely (mutable = in-place changes with drift; immutable = replace-not-modify), explains the mechanism (versioned images, traffic routing), connects IaC specifically to immutability (codified provisioning process, desired end-state), and names concrete benefits (no drift, trivial rollbacks, environment parity). Option C conflates immutability with containers — not wrong but incomplete and imprecise. Option D confuses immutability with statelessness. Senior IaC answer structure: define both terms precisely → explain the operational consequence of each → name how IaC enforces immutability → state the business benefit.
2 / 5
The interviewer asks: "How do you manage IaC state in a team environment, and what problems does poor state management cause?" Choose the most complete answer.
Option B is the strongest: it explains what state is technically, names the failure mode in detail (stale local state → destroy or failure), names the solution (remote backend + locking), then gives three operational practices with a clear rationale for each (remote-only, locking, module-level state splitting for blast radius). It also addresses security (sensitive outputs, IAM). Option A is correct but shallow. Option C names a tool but doesn't explain the underlying problem. Option D sidesteps the question by suggesting a different tool. Key structure: explain what state is → describe the failure mode → name the solution → add blast-radius and security considerations.
3 / 5
The interviewer asks: "Walk me through how you would structure a Terraform codebase for a medium-sized organisation with 5 teams and 3 environments." Which answer shows the most mature architecture thinking?
Option B is the strongest: it provides a concrete directory structure, explains the rationale for versioned module sources (to prevent accidental cross-team impact), mentions a DRY tool (Terragrunt/workspaces), addresses policy enforcement (Sentinel/OPA for tagging and constraints), and describes the CI/CD strategy (plan on PR, apply after approval, environment-tiered pipelines). Option A describes the most basic structure with no module reuse strategy. Option C is a valid alternative (multi-repo) but doesn't explain the rationale. Option D switches to CDK. Structure for architecture questions: name the directory layout → explain module versioning strategy → describe policy enforcement → explain CI/CD flow.
4 / 5
The interviewer asks: "How do you handle secrets in IaC? What are the anti-patterns you actively avoid?" Which answer demonstrates security depth?
Option B is the strongest: it names three specific anti-patterns with the precise reason each is dangerous, then describes a positive approach with two layers (Terraform creates the secret container; a separate rotation mechanism injects the value), explains how provider credentials are handled without static keys (IAM roles, OIDC), and addresses state encryption. Option A is correct but thin. Option C describes environment variable injection — valid but misses the deeper issues with state and provider credentials. Option D advocates manual secret management, which does not scale. Senior answer structure: name the anti-patterns → explain why each is dangerous → describe the positive approach → address provider credentials separately → mention state encryption.
5 / 5
The interviewer asks: "Compare Terraform, Pulumi, and AWS CDK. When would you choose each?" Which answer demonstrates the most balanced and practical judgement?
Option B is the strongest: it characterises each tool along consistent dimensions (language model, ecosystem, ideal use case, limitation), gives three concrete decision criteria with the specific condition for each, and adds the organisational reality check (existing expertise). Option A is the minimum viable answer but lacks decision criteria. Option C is a personal preference disguised as reasoning. Option D avoids making a recommendation, which is unhelpful in an interview. Comparison question structure: characterise each option on consistent dimensions → name when each is the right choice → give decision criteria → acknowledge organisational context.