Terraform Expert Engineer Skill
This skill provides a comprehensive guide for Terraform development.
- Terraform CLI Basic Commands
1.1. Initialization and Planning
Initialize workspace (download providers)
terraform init
Initialize with backend config
terraform init -backend-config="bucket=my-terraform-state"
Check execution plan
terraform plan
Save execution plan to file
terraform plan -out=tfplan
Plan specific resource only
terraform plan -target=aws_instance.example
1.2. Apply and Destroy
WARNING: These commands modify infrastructure. Always run terraform plan first and ask user permission.
Apply changes
terraform apply
Apply saved plan
terraform apply tfplan
Auto-approve apply (for CI/CD)
terraform apply -auto-approve
Destroy resources
terraform destroy
Destroy specific resource only
terraform destroy -target=aws_instance.example
1.3. State Management
Check state
terraform state list
Show resource details
terraform state show aws_instance.example
Move resource (for refactoring)
terraform state mv aws_instance.old aws_instance.new
Import existing resource
terraform import aws_instance.example i-1234567890abcdef0
Remove resource from state (keeps actual resource)
terraform state rm aws_instance.example
1.4. Other Useful Commands
Validate configuration
terraform validate
Format
terraform fmt
Format recursively
terraform fmt -recursive
Check outputs
terraform output
Output in JSON format
terraform output -json
Interactive console (for testing expressions)
terraform console
Lock providers
terraform providers lock -platform=linux_amd64 -platform=darwin_amd64
- Resource Management
2.1. Basic Resource Block Structure
resource "aws_instance" "example" { ami = "ami-0c55b159cbfafe1f0" instance_type = "t2.micro"
tags = { Name = "example-instance" } }
2.2. Meta-arguments
-
depends_on : Explicit dependencies
-
count : Resource replication (index-based)
-
for_each : Resource replication (key-based)
-
provider : Specify alternate provider
-
lifecycle : Lifecycle control
2.3. Lifecycle Settings
resource "aws_instance" "example" {
...
lifecycle { create_before_destroy = true # Create new first on replacement prevent_destroy = true # Prevent deletion ignore_changes = [tags] # Attributes to ignore changes replace_triggered_by = [null_resource.trigger.id] } }
- Module Design
3.1. Module Invocation
module "vpc" { source = "terraform-aws-modules/vpc/aws" version = "5.0.0"
name = "my-vpc" cidr = "10.0.0.0/16" }
3.2. Module Source Types
-
Local path: ./modules/vpc
-
Terraform Registry: hashicorp/consul/aws
-
GitHub: github.com/hashicorp/example
-
S3: s3::https://s3-eu-west-1.amazonaws.com/bucket/module.zip
3.3. Module Best Practices
-
Standard file structure: main.tf , variables.tf , outputs.tf
-
Document with README.md
-
Set meaningful default values
-
Validate inputs with validation blocks
- State Management
4.1. Remote Backend Configuration
terraform { backend "s3" { bucket = "my-terraform-state" key = "prod/terraform.tfstate" region = "ap-northeast-1" encrypt = true dynamodb_table = "terraform-locks" } }
4.2. State Management Best Practices
-
Use remote backend (required for team development)
-
Enable state locking (prevent concurrent execution)
-
Enable encryption
-
Do not directly edit state file (use terraform state commands)
-
Separate state files per environment
- Variables and Outputs
5.1. Input Variables
variable "instance_type" { type = string description = "EC2 instance type" default = "t2.micro"
validation { condition = contains(["t2.micro", "t2.small", "t2.medium"], var.instance_type) error_message = "Please specify an allowed instance type" } }
5.2. Variable Setting Methods (Priority Order)
-
Command line -var , -var-file
-
*.auto.tfvars files
-
terraform.tfvars.json
-
terraform.tfvars
-
Environment variables TF_VAR_*
-
Default values
5.3. Sensitive Data Handling
variable "db_password" { type = string sensitive = true # Mask in output }
output "connection_string" { value = "postgres://user:${var.db_password}@host/db" sensitive = true # Output contains sensitive data }
Note: Sensitive data is stored in plaintext in state files. Remote backend encryption or HCP Terraform recommended.
- Providers
6.1. Provider Declaration
terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" } } }
provider "aws" { region = "ap-northeast-1" }
6.2. Multiple Providers
provider "aws" { alias = "us_east" region = "us-east-1" }
provider "aws" { alias = "ap_northeast" region = "ap-northeast-1" }
resource "aws_instance" "us" { provider = aws.us_east
...
}
- Built-in Functions
7.1. Common Functions
String operations
join("-", ["foo", "bar"]) # "foo-bar" split(",", "a,b,c") # ["a", "b", "c"] format("Hello, %s!", "World") # "Hello, World!"
Collection operations
length(["a", "b", "c"]) # 3 lookup(map, key, default) # Get value from map merge(map1, map2) # Merge maps flatten([["a"], ["b", "c"]]) # ["a", "b", "c"]
Type conversions
tostring(123) # "123" tolist(set) # Set to list tomap(object) # Object to map
Conditional expressions
coalesce("", "default") # "default" (first non-empty value) try(expression, fallback) # Fallback on error
- HCP Terraform / Terraform Cloud
8.1. Key Features
-
Remote state management (encryption, versioning)
-
Team collaboration
-
Policy enforcement (Sentinel)
-
Private module registry
-
VCS integration (GitHub, GitLab, etc.)
-
Cost estimation
8.2. Workspace Configuration
terraform { cloud { organization = "my-org"
workspaces {
name = "my-workspace"
}
} }
- Security Best Practices
9.1. Credential Management
-
Do not hardcode
-
Use environment variables or auth files
-
IAM roles / service accounts recommended
-
HashiCorp Vault integration
9.2. State File Security
-
Use encrypted backend
-
Set appropriate access controls
-
Add .terraform/ to .gitignore
-
Add *.tfvars to .gitignore (if contains sensitive info)
- Reference Links
-
Official docs: https://developer.hashicorp.com/terraform/docs
-
Language reference: https://developer.hashicorp.com/terraform/language
-
CLI reference: https://developer.hashicorp.com/terraform/cli
-
Provider registry: https://registry.terraform.io/
-
Module registry: https://registry.terraform.io/browse/modules
-
HCP Terraform: https://developer.hashicorp.com/terraform/cloud-docs