Top 10 Terraform Interview Mistakes

What to say instead

Say: "The key difference is the execution model. CloudFormation is a managed service that runs deployments on your behalf with built-in rollback and stack drift detection. Terraform is a local tool - you own the state file, you run the apply, and failed applies leave partial changes that you must resolve. CloudFormation is simpler for AWS-only infrastructure. Terraform's provider ecosystem and plan/apply workflow give more control and work across cloud providers."

What to say instead

Say: "State is what allows Terraform to know that aws_instance.web in config maps to i-0abc123 in AWS. I always store state in S3 with DynamoDB locking for team use - DynamoDB prevents concurrent applies from corrupting state. State is never committed to Git because it can contain sensitive values. Before any destructive operation I take a state backup. Drift - where real infrastructure diverges from state - is one of the most common production Terraform issues and is resolved with terraform refresh or targeted imports."

What to say instead

Say: "For any resource I cannot recreate without data loss - RDS databases, S3 buckets with data, Elasticsearch domains - I always set lifecycle { prevent_destroy = true }. This makes Terraform throw an error if anything attempts to destroy the resource. A developer must explicitly remove that flag and re-plan before the resource can be deleted. I combine this with RDS deletion protection at the AWS API level as a second independent layer. I also require terraform plan output review in CI so any destroy actions need a human approval."

What to say instead

Say: "I use for_each when creating named resources where each one has an identity - a map of S3 buckets, a set of IAM roles, multiple subnets by AZ name. for_each indexes by key so removing one item does not affect the others. I use count for simple toggles (count = var.enable_feature ? 1 : 0) or when I genuinely want N identical, interchangeable resources. The rule of thumb: if removing one item from the collection should not affect the others, use for_each."

What to say instead

Say: "I only use -target as a last resort during recovery - for example, when one resource failed mid-apply and I need to create it in isolation before retrying the full apply. For normal workflows, if I want to update a single resource I refactor the configuration so that resource is in its own module or workspace. Any -target usage gets documented in the PR with a plan to follow up with a clean full apply as soon as possible."

What to say instead

Say: "Secrets should not pass through Terraform variables or live in state. I provision the secret resource in Terraform (aws_secretsmanager_secret or aws_ssm_parameter of SecureString type) and populate the actual value separately, outside Terraform, via the AWS console or a secrets management pipeline. The application fetches the secret at runtime. If Terraform must set a password at creation time, I use the random_password resource and store it directly into Secrets Manager in the same apply - but I treat that state file as sensitive and ensure the S3 backend has encryption and strict access controls."

What to say instead

Say: "Terraform does not roll back on failure - successfully created resources remain and state reflects what was applied before the error. On the next apply, Terraform picks up from where it left off. I check the error, fix the root cause, and run apply again. If the state is unrecoverable I use terraform state rm to remove the broken resource from state and let Terraform recreate it, or use terraform import to bring an existing resource back under management. I never assume a failed apply cleaned up after itself."

What to say instead

Say: "I always pin provider versions with a pessimistic constraint: ~> 5.0 allows patch updates within 5.x but not a jump to 6.0. The .terraform.lock.hcl file is committed to Git so every engineer and CI run uses identical provider checksums. When I want to upgrade a provider I run terraform init -upgrade, review the plan output carefully for unexpected changes, and commit the updated lock file as a deliberate decision."

What to say instead

Say: "Variables are for external inputs - values you do not know at code-write time like environment name or instance type. Locals are for internal derivation - local.name_prefix = format('%s-%s', var.project, var.environment). Outputs are for sharing values with callers - output 'vpc_id' exports the VPC ID so another module can reference it. A clean module has variables at the boundary, locals for internal composition, and outputs for everything a caller might need."

What to say instead

Say: "I structure Terraform as root modules per environment (dev, staging, prod) that call reusable child modules (vpc, eks-cluster, rds, security-groups). Each child module has a documented interface: typed variables with descriptions and defaults, and outputs for everything a caller might use. Root modules are thin - they mostly wire variables into child modules and connect outputs. This way a change to the VPC module can be tested in dev before being applied to prod, and the same module is reused across every environment."