Terraform & Infrastructure as Code
Terraform fundamentals: resources, state, modules, workspaces, plan/apply, and drift detection.
- resource block /rɪˈzɔːs blɒk/
Terraform configuration stanza declaring a piece of infrastructure to create and manage: resource "aws_s3_bucket" "my_bucket" {}.
"Each resource block represents one real infrastructure object — Terraform tracks its lifecycle from creation through any updates to eventual destruction."
- data source /ˈdeɪtə sɔːs/
Read-only configuration that fetches attributes from existing infrastructure without managing it: data "aws_ami" "latest" {}.
"We use a data source to look up the latest approved AMI ID so the EC2 resource always uses the most recent hardened image without hardcoding the ID."
- variable /ˈveəriəbl/
Input parameter making Terraform configurations reusable across environments; defined with variable {} blocks and passed via .tfvars files or environment variables.
"The region variable defaults to eu-west-1 but the production workspace overrides it with us-east-1 via a terraform.tfvars file."
- output /ˈaʊtpʊt/
Value exposed after terraform apply; used to pass resource attributes like IPs and ARNs to other modules or external tools.
"The VPC module outputs the subnet IDs so the ECS module can reference them without needing to know how the VPC was built."
- local value /ˈləʊkəl ˈvæljuː/
Intermediate computed value within a configuration defined in a locals {} block; reduces repetition and keeps expressions readable.
"A local computes the full resource name: locals { name = "${var.prefix}-${var.env}" } so every resource references local.name consistently."
- provider /prəˈvaɪdər/
Plugin that connects Terraform to a cloud or service API; each provider is configured with credentials and region.
"We configure the AWS provider with a region and assume a cross-account role — every resource in the configuration is created in that account."
- state file /steɪt faɪl/
terraform.tfstate; JSON file recording every managed resource and its attributes. Must be stored remotely and kept secure as it may contain secrets.
"Never commit the state file to git — it contains sensitive resource attributes. We store it in an encrypted S3 bucket with DynamoDB state locking."
- remote state /rɪˈməʊt steɪt/
Storing the state file in a shared backend (S3, GCS, Terraform Cloud) so teams access and lock a single authoritative copy.
"Remote state with S3 and DynamoDB locking prevents two engineers from running terraform apply simultaneously and corrupting the state file."
- workspace /ˈwɜːkspeɪs/
Isolated state namespace within a Terraform configuration; multiple workspaces allow one configuration to manage dev, staging, and production environments.
"We run terraform workspace select production before apply to ensure changes go to the correct environment's state file."
- module /ˈmɒdjuːl/
Reusable configuration block encapsulating related resources; called with module "name" { source = "./modules/vpc" } and parameterised via variables.
"The shared VPC module is called by every environment configuration — updating the module once propagates the change everywhere after plan and apply."
- terraform plan /ˈterəfɔːm plæn/
Dry-run command that compares the desired configuration against the current state and shows exactly what will be created, updated, or destroyed without making changes.
"We always review the terraform plan output in a pull request before merging — no infrastructure changes happen without a human approving the diff."
- terraform apply /ˈterəfɔːm əˈplaɪ/
Command that executes the planned changes and updates real infrastructure; shows the plan and requires confirmation unless -auto-approve is passed.
"The CI pipeline runs terraform plan on every PR and terraform apply on merge to main — apply requires a GitHub Actions approval step for production."
- drift detection /drɪft dɪˈtekʃən/
Comparing the Terraform state file against real infrastructure to find resources that were changed outside Terraform (e.g. via the console).
"Our weekly drift detection job runs terraform plan and alerts if it shows unexpected changes — indicating someone modified infrastructure manually."
- import /ˈɪmpɔːt/
Command to bring existing infrastructure under Terraform management without recreating it: terraform import aws_instance.web i-1234567890abcdef0.
"We used terraform import to adopt the manually created RDS instance — after import, all future changes go through code review and the plan/apply cycle."
- count vs for_each /kaʊnt vɜːsəs fɔːr iːtʃ/
count creates N identical resources indexed by number; for_each creates one resource per map or set item with a stable string identity, making additions and removals safer.
"We replaced count with for_each on the IAM role resources — with count, inserting a role in the middle renumbered all subsequent resources, triggering destructive replacements."