🧱 Terraform — 20 Advanced Interview Questions (Detailed Answers)
✅ Q1 — How does Terraform build and use the dependency graph?
Terraform builds a dependency graph from resource references and the implicit links between attributes. If resource A references B's attribute, B is created first automatically. The graph is used to parallelize operations that are safe to run concurrently. You can add an edge with depends_on when a dependency is logical but is not expressed as a reference in code.
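An added example (not from the original page) of both edge types. Assumes the AWS provider; the AMI id and bucket name are constructed placeholders:

```hcl
# Added example, not from the original page. Uses the AWS provider; the AMI
# id and the bucket name are constructed placeholders.
resource "aws_iam_role" "app" {
  name = "app-role"
  assume_role_policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

# Inline policy: it references aws_iam_role.app.id, so the graph gets the
# edge role -> policy and the role is always created first.
resource "aws_iam_role_policy" "app_s3_read" {
  name = "app-s3-read"
  role = aws_iam_role.app.id
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:GetObject"]
      Resource = "arn:aws:s3:::example-app-config-placeholder/*"
    }]
  })
}

resource "aws_iam_instance_profile" "app" {
  name = "app-profile"
  role = aws_iam_role.app.name             # implicit edge: role -> profile
}

resource "aws_instance" "app" {
  ami                  = "ami-PLACEHOLDER"
  instance_type        = "t3.micro"
  iam_instance_profile = aws_iam_instance_profile.app.name  # implicit edge

  # The instance never references the inline policy, so the graph has no
  # edge from it. Without depends_on, Terraform may boot the instance in
  # parallel with attaching the policy and the first S3 read is denied.
  depends_on = [aws_iam_role_policy.app_s3_read]
}
```

`terraform graph` prints the resulting graph in DOT format, which is a quick way to confirm the edge exists before relying on it.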
✅ Q2 — What really happens during terraform plan internally?
Terraform refreshes state by querying provider APIs, compares config vs state vs real infrastructure, and computes an execution plan. It does not change anything — it only simulates the actions. It also evaluates variables, locals, and expressions. Plan output is based on the current state snapshot.
✅ Q3 — Explain Terraform refresh and when it runs.
Refresh updates state with real provider data. It runs automatically during plan/apply unless disabled. It detects drift and external changes. Skipping refresh can speed up runs but risks an incorrect plan.
✅ Q4 — What is the lifecycle block and when do you use it?
The lifecycle block changes resource behavior — prevent_destroy, ignore_changes, create_before_destroy. It is used when provider defaults are unsafe for production. Examples: ignore auto-added tags, or prevent deletion of a database. It should be used carefully — not as a band-aid.
✅ Q5 — When is ignore_changes dangerous?
It can hide real drift and config mistakes, because Terraform stops managing that attribute entirely. Overuse leads to config/state mismatch. Use it only for externally managed fields like timestamps or autoscaling values.
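An added example (not from the original page) covering the three lifecycle settings from Q4 and the narrow, field-level use of ignore_changes from Q5. Assumes the AWS provider; identifiers and placeholder ids are constructed:

```hcl
# Added example, not from the original page. AWS provider; identifiers,
# subnet and launch template ids are constructed placeholders.
variable "db_password" {
  type      = string
  sensitive = true
}
# prevent_destroy: a plan that would delete or replace this instance fails
# instead of proceeding, so a bad refactor cannot drop the production DB.
resource "aws_db_instance" "prod" {
  identifier                = "prod-db"
  engine                    = "postgres"
  instance_class            = "db.t3.medium"
  allocated_storage         = 100
  username                  = "app"
  password                  = var.db_password
  final_snapshot_identifier = "prod-db-final"
  lifecycle {
    prevent_destroy = true
  }
}
# ignore_changes on one externally owned field: the autoscaler adjusts
# desired_capacity at runtime, so Terraform must not reset it every apply.
resource "aws_autoscaling_group" "web" {
  name                = "web"
  min_size            = 2
  max_size            = 10
  desired_capacity    = 2
  vpc_zone_identifier = ["subnet-PLACEHOLDER"]
  launch_template {
    id      = "lt-PLACEHOLDER"
    version = "$Latest"
  }
  lifecycle {
    ignore_changes = [desired_capacity]
    # DANGEROUS (Q5): ignore_changes = all would stop managing every
    # attribute after creation, hiding real drift and config mistakes.
  }
}
# create_before_destroy: build the replacement before removing the old
# object so dependents never point at nothing; name_prefix avoids a clash.
resource "aws_security_group" "web" {
  name_prefix = "web-"
  lifecycle {
    create_before_destroy = true
  }
}
```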
✅ Q6 — How does Terraform handle partial failures?
Terraform stops and records the completed resources in state. The next apply resumes from that state. It does not roll back automatically. That's why idempotent config and safe lifecycle settings matter.
✅ Q7 — What is a provider alias and a real use case?
A provider alias allows multiple configurations of the same provider. Example: manage resources in two AWS regions or accounts. Each resource explicitly selects the provider alias. Useful in multi-region or cross-account setups.
✅ Q8 — Difference between a data source and a resource?
A resource creates or manages infrastructure. A data source only reads existing infrastructure data; data sources are read-only. Example: look up an existing VPC ID.
✅ Q9 — Terraform module versioning best practice?
Always pin module versions using git tags or registry versions. Never use "latest" in production. Version pinning ensures reproducibility, so breaking module changes won't silently affect infra.
✅ Q10 — What causes "resource replaced instead of updated"?
Some attributes are immutable at the provider level; changing them forces recreation. They are marked as ForceNew fields in the provider. Examples: subnet CIDR, and sometimes RDS storage type.
✅ Q11 — How does Terraform handle secrets in state?
Secrets held in resource attributes are written to the state file. Even if marked sensitive, they exist in state in plaintext. That's why backend encryption and restricted access are critical. Never expose state publicly.
✅ Q12 — State file security best practices?
Use a remote backend with encryption enabled. Restrict IAM access. Enable versioning. Use locking. Never commit state to Git.
✅ Q13 — What is taint and when is it used?
terraform taint marks a resource for forced recreation on the next apply. It is used when a resource is broken but the breakage is not detected as drift. It's a manual override to force replacement.
✅ Q14 — Difference between taint and the -replace flag?
taint writes a marker into state. -replace is an apply-time override. -replace is the safer and more explicit option now; taint is the older approach.
✅ Q15 — How do you split Terraform for very large infrastructure?
Use multiple state stacks by domain — network, compute, data, platform. Connect them using remote state outputs. Avoid a mega-state with thousands of resources. Smaller states reduce the blast radius.
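An added example (not from the original page) of one stack consuming another's outputs. Bucket, key and AMI values are constructed placeholders, and the network stack is assumed to create its subnets with for_each:

```hcl
# Added example, not from the original page. Bucket, key and AMI values are
# constructed placeholders.

# --- stacks/network/outputs.tf (this stack owns the VPC and subnets) ---
output "private_subnet_ids" {
  value = [for s in aws_subnet.private : s.id]   # aws_subnet.private uses for_each
}

# --- stacks/compute/main.tf (separate state file, separate blast radius) ---
data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "example-org-tfstate"
    key    = "platform/network/terraform.tfstate"
    region = "us-east-1"
  }
}

resource "aws_instance" "app" {
  ami           = "ami-PLACEHOLDER"
  instance_type = "t3.micro"
  # Only the other stack's outputs are reachable here, never its resources.
  subnet_id     = data.terraform_remote_state.network.outputs.private_subnet_ids[0]
}
```

terraform_remote_state reads the entire network state file, so the compute stack's identity needs read access to all of it, secrets included; keep secrets out of the producing stack's outputs or publish shared values through a separate store when the consuming team should not read that state.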
✅ Q16 — Terraform workspaces — when good vs bad?
Workspaces allow multiple state instances for the same config. Good for simple environment separation. Bad for complex environments — they can become confusing. Many teams prefer a folder-per-env layout instead.
✅ Q17 — What is the for_each key stability rule?
Keys must be stable identifiers. If keys change, Terraform destroys and recreates the resources. Never use computed or random keys for for_each. Use names or IDs.
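An added example (not from the original page) contrasting positional keys, name keys and computed keys. Bucket names are constructed:

```hcl
# Added example, not from the original page. Bucket names are constructed.
variable "buckets" {
  type    = list(string)
  default = ["audit-logs", "app-assets", "backups"]
}

# UNSTABLE: the key is the list position. Removing "app-assets" makes key
# "1" point at "backups" and key "2" disappear, so the plan destroys two
# buckets and recreates "backups" under a new key.
resource "aws_s3_bucket" "by_index" {
  for_each = { for i, name in var.buckets : tostring(i) => name }
  bucket   = "example-${each.value}"
}

# STABLE: the key is the name itself. Removing "app-assets" from the list
# yields exactly one destroy; "backups" keeps its key and is untouched.
resource "aws_s3_bucket" "by_name" {
  for_each = toset(var.buckets)
  bucket   = "example-${each.key}"
}

# NOT ALLOWED: keys derived from a value known only after apply. Terraform
# rejects this at plan time because it cannot name the instances yet.
# resource "random_pet" "suffix" {}
# resource "aws_s3_bucket" "by_random" {
#   for_each = toset([random_pet.suffix.id])
#   bucket   = "example-${each.key}"
# }
```

Review the plan for lines like `aws_s3_bucket.by_index["2"] will be destroyed` before applying any change to a for_each collection; a rename that shifts keys looks like an ordinary edit in code but is a replacement in state.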
✅ Q18 — Why does Terraform sometimes show "known after apply"?
Because the value depends on a resource created during apply — like generated IDs or ARNs. Terraform cannot know it before creation. This affects every expression that depends on it.
✅ Q19 — How do you safely refactor Terraform modules?
Move resources using terraform state mv. Introduce modules gradually. Run plan frequently. Never refactor and apply blindly. A refactor is a state operation, not just a code move.
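An added example (not from the original page) of the same rename done with a moved block (Terraform 1.1+), which records the state move in config so every environment gets it; resource names and the module path are constructed:

```hcl
# Added example, not from the original page. Resource names and module path
# are constructed placeholders.

# Before the refactor: a flat resource in the root module.
# resource "aws_s3_bucket" "logs" { ... }

# After: the bucket now lives inside a module.
module "logging" {
  source = "./modules/logging"   # placeholder module path
}

# Tells Terraform the existing state entry is the same object under its new
# address, so plan reports a move instead of destroy + create.
moved {
  from = aws_s3_bucket.logs
  to   = module.logging.aws_s3_bucket.logs
}
```

The imperative equivalent is `terraform state mv aws_s3_bucket.logs module.logging.aws_s3_bucket.logs`; either way, run plan afterwards and expect zero resource changes before applying.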
✅ Q20 — Biggest real-world Terraform mistake teams make?
A single giant state + no locking + no module versioning. This leads to race conditions, unsafe applies, and refactor nightmares. Terraform scales only when the state architecture is designed properly.