Terraform Infrastructure as Code
Introduction
Terraform is the leading infrastructure as code tool for provisioning cloud resources. This guide covers Terraform basics, providers, modules, state management, workspaces, and production best practices for AWS, Azure, and GCP.
1. Terraform Basics
# Install Terraform
# macOS
brew install terraform
# Linux
wget https://releases.hashicorp.com/terraform/1.7.0/terraform_1.7.0_linux_amd64.zip
unzip terraform_1.7.0_linux_amd64.zip
sudo mv terraform /usr/local/bin/
# Verify
terraform version
# Basic Terraform workflow
terraform init # Initialize directory
terraform plan # Preview changes
terraform apply # Apply changes
terraform destroy # Destroy infrastructure
terraform fmt # Format code
terraform validate # Validate configuration
# main.tf - Basic example
terraform {
required_version = ">= 1.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0"
}
}
}
provider "aws" {
region = "us-east-1"
}
resource "aws_instance" "web" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t3.micro"
tags = {
Name = "WebServer"
}
}2. Variables & Outputs
# variables.tf
variable "instance_type" {
description = "EC2 instance type"
type = string
default = "t3.micro"
}
variable "environment" {
description = "Environment name"
type = string
validation {
condition = can(regex("^(dev|staging|prod)$", var.environment))
error_message = "Environment must be dev, staging, or prod"
}
}
variable "tags" {
description = "Common tags"
type = map(string)
default = {
Terraform = "true"
}
}
variable "allowed_ips" {
description = "Allowed IP addresses"
type = list(string)
default = ["0.0.0.0/0"]
}
# Use variables
resource "aws_instance" "web" {
ami = data.aws_ami.ubuntu.id
instance_type = var.instance_type
tags = merge(
var.tags,
{
Name = "${var.environment}-web-server"
}
)
}
# outputs.tf
output "instance_id" {
description = "ID of the EC2 instance"
value = aws_instance.web.id
}
output "public_ip" {
description = "Public IP address"
value = aws_instance.web.public_ip
}
output "private_ip" {
description = "Private IP address"
value = aws_instance.web.private_ip
sensitive = false
}
# terraform.tfvars
instance_type = "t3.small"
environment = "production"
tags = {
Project = "MyApp"
Team = "DevOps"
}
# Apply with variables
terraform apply -var="instance_type=t3.medium"
terraform apply -var-file="production.tfvars"3. Data Sources
# Fetch existing resources
data "aws_ami" "ubuntu" {
most_recent = true
owners = ["099720109477"] # Canonical
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]
}
}
data "aws_vpc" "default" {
default = true
}
data "aws_subnets" "default" {
filter {
name = "vpc-id"
values = [data.aws_vpc.default.id]
}
}
# Use data sources
resource "aws_instance" "web" {
ami = data.aws_ami.ubuntu.id
subnet_id = tolist(data.aws_subnets.default.ids)[0]
instance_type = "t3.micro"
}
# Remote state data source
data "terraform_remote_state" "network" {
backend = "s3"
config = {
bucket = "my-terraform-state"
key = "network/terraform.tfstate"
region = "us-east-1"
}
}
# Use remote state outputs
resource "aws_instance" "app" {
subnet_id = data.terraform_remote_state.network.outputs.private_subnet_id
security_groups = [data.terraform_remote_state.network.outputs.app_sg_id]
instance_type = "t3.micro"
}4. Modules
# modules/ec2-instance/main.tf
variable "name" {
type = string
}
variable "instance_type" {
type = string
default = "t3.micro"
}
variable "subnet_id" {
type = string
}
resource "aws_instance" "this" {
ami = data.aws_ami.ubuntu.id
instance_type = var.instance_type
subnet_id = var.subnet_id
tags = {
Name = var.name
}
}
output "id" {
value = aws_instance.this.id
}
output "public_ip" {
value = aws_instance.this.public_ip
}
# Use module
module "web_server" {
source = "./modules/ec2-instance"
name = "web-server"
instance_type = "t3.small"
subnet_id = aws_subnet.public.id
}
# Access module outputs
output "web_server_ip" {
value = module.web_server.public_ip
}
# Public module from Terraform Registry
module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "5.0.0"
name = "my-vpc"
cidr = "10.0.0.0/16"
azs = ["us-east-1a", "us-east-1b"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
enable_nat_gateway = true
enable_vpn_gateway = false
tags = {
Terraform = "true"
Environment = "dev"
}
}5. State Management
# Local state (default)
# terraform.tfstate in current directory
# Remote state with S3
terraform {
backend "s3" {
bucket = "my-terraform-state"
key = "prod/terraform.tfstate"
region = "us-east-1"
encrypt = true
dynamodb_table = "terraform-locks"
}
}
# Create S3 bucket for state
resource "aws_s3_bucket" "terraform_state" {
bucket = "my-terraform-state"
lifecycle {
prevent_destroy = true
}
}
resource "aws_s3_bucket_versioning" "terraform_state" {
bucket = aws_s3_bucket.terraform_state.id
versioning_configuration {
status = "Enabled"
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state" {
bucket = aws_s3_bucket.terraform_state.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
# DynamoDB table for state locking
resource "aws_dynamodb_table" "terraform_locks" {
name = "terraform-locks"
billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID"
attribute {
name = "LockID"
type = "S"
}
}
# State commands
terraform state list # List resources
terraform state show aws_instance.web # Show resource
terraform state mv aws_instance.web aws_instance.web_server # Rename
terraform state rm aws_instance.web # Remove from state
terraform state pull > backup.tfstate # Backup state
terraform import aws_instance.web i-1234567890 # Import existing6. Workspaces
# Create and use workspaces
terraform workspace list
terraform workspace new dev
terraform workspace new staging
terraform workspace new prod
terraform workspace select dev
terraform workspace show
# Use workspace in configuration
resource "aws_instance" "web" {
ami = data.aws_ami.ubuntu.id
instance_type = terraform.workspace == "prod" ? "t3.large" : "t3.micro"
tags = {
Name = "${terraform.workspace}-web-server"
Environment = terraform.workspace
}
}
# Workspace-specific variables
locals {
env_config = {
dev = {
instance_type = "t3.micro"
instance_count = 1
}
staging = {
instance_type = "t3.small"
instance_count = 2
}
prod = {
instance_type = "t3.large"
instance_count = 5
}
}
current_config = local.env_config[terraform.workspace]
}
resource "aws_instance" "web" {
count = local.current_config.instance_count
instance_type = local.current_config.instance_type
ami = data.aws_ami.ubuntu.id
}7. Complete AWS Infrastructure
# Complete VPC setup with EC2, RDS, and ALB
# VPC
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
tags = {
Name = "${var.environment}-vpc"
}
}
# Subnets
resource "aws_subnet" "public" {
count = 2
vpc_id = aws_vpc.main.id
cidr_block = "10.0.${count.index + 1}.0/24"
availability_zone = data.aws_availability_zones.available.names[count.index]
map_public_ip_on_launch = true
tags = {
Name = "${var.environment}-public-${count.index + 1}"
}
}
resource "aws_subnet" "private" {
count = 2
vpc_id = aws_vpc.main.id
cidr_block = "10.0.${count.index + 10}.0/24"
availability_zone = data.aws_availability_zones.available.names[count.index]
tags = {
Name = "${var.environment}-private-${count.index + 1}"
}
}
# Internet Gateway
resource "aws_internet_gateway" "main" {
vpc_id = aws_vpc.main.id
tags = {
Name = "${var.environment}-igw"
}
}
# Route table
resource "aws_route_table" "public" {
vpc_id = aws_vpc.main.id
route {
cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.main.id
}
tags = {
Name = "${var.environment}-public-rt"
}
}
resource "aws_route_table_association" "public" {
count = 2
subnet_id = aws_subnet.public[count.index].id
route_table_id = aws_route_table.public.id
}
# Security Groups
resource "aws_security_group" "alb" {
name = "${var.environment}-alb-sg"
description = "ALB security group"
vpc_id = aws_vpc.main.id
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_security_group" "web" {
name = "${var.environment}-web-sg"
description = "Web server security group"
vpc_id = aws_vpc.main.id
ingress {
from_port = 3000
to_port = 3000
protocol = "tcp"
security_groups = [aws_security_group.alb.id]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
# Launch Template
resource "aws_launch_template" "web" {
name_prefix = "${var.environment}-web-"
image_id = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
vpc_security_group_ids = [aws_security_group.web.id]
user_data = base64encode(<<-EOF
#!/bin/bash
apt-get update
apt-get install -y docker.io
systemctl start docker
docker run -d -p 3000:3000 myapp:latest
EOF
)
}
# Auto Scaling Group
resource "aws_autoscaling_group" "web" {
name = "${var.environment}-web-asg"
vpc_zone_identifier = aws_subnet.private[*].id
target_group_arns = [aws_lb_target_group.web.arn]
health_check_type = "ELB"
min_size = 2
max_size = 10
desired_capacity = 3
launch_template {
id = aws_launch_template.web.id
version = "$Latest"
}
tag {
key = "Name"
value = "${var.environment}-web-server"
propagate_at_launch = true
}
}
# Application Load Balancer
resource "aws_lb" "web" {
name = "${var.environment}-web-alb"
internal = false
load_balancer_type = "application"
security_groups = [aws_security_group.alb.id]
subnets = aws_subnet.public[*].id
}
resource "aws_lb_target_group" "web" {
name = "${var.environment}-web-tg"
port = 3000
protocol = "HTTP"
vpc_id = aws_vpc.main.id
health_check {
path = "/health"
healthy_threshold = 2
unhealthy_threshold = 10
}
}
resource "aws_lb_listener" "web" {
load_balancer_arn = aws_lb.web.arn
port = "80"
protocol = "HTTP"
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.web.arn
}
}
# RDS Database
resource "aws_db_subnet_group" "main" {
name = "${var.environment}-db-subnet"
subnet_ids = aws_subnet.private[*].id
}
resource "aws_security_group" "db" {
name = "${var.environment}-db-sg"
description = "Database security group"
vpc_id = aws_vpc.main.id
ingress {
from_port = 5432
to_port = 5432
protocol = "tcp"
security_groups = [aws_security_group.web.id]
}
}
resource "aws_db_instance" "main" {
identifier = "${var.environment}-db"
engine = "postgres"
engine_version = "15.3"
instance_class = "db.t3.micro"
allocated_storage = 20
storage_type = "gp3"
db_name = "myapp"
username = "admin"
password = var.db_password
db_subnet_group_name = aws_db_subnet_group.main.name
vpc_security_group_ids = [aws_security_group.db.id]
skip_final_snapshot = var.environment != "prod"
multi_az = var.environment == "prod"
backup_retention_period = 7
backup_window = "03:00-04:00"
maintenance_window = "mon:04:00-mon:05:00"
}8. Best Practices
✓ Terraform Best Practices:
- ✓ Use remote state with locking (S3 + DynamoDB)
- ✓ Never commit tfstate files to git
- ✓ Use modules for reusable infrastructure
- ✓ Pin provider versions
- ✓ Use variables for all configurable values
- ✓ Implement proper tagging strategy
- ✓ Use workspaces or separate directories for environments
- ✓ Run terraform fmt before committing
- ✓ Use terraform validate in CI/CD
- ✓ Enable state encryption
- ✓ Use data sources instead of hardcoded values
- ✓ Implement lifecycle rules for critical resources
- ✓ Use depends_on only when necessary
- ✓ Document modules with README and examples
- ✓ Use terraform plan before apply
Conclusion
Terraform enables infrastructure as code for reproducible, version-controlled deployments. Master providers, modules, and state management for production-ready infrastructure. Always use remote state, implement proper security, and follow IaC best practices.
💡 Pro Tip: Use Terraform Cloud or Atlantis for collaborative infrastructure management. They provide automated terraform plan on pull requests, state management, policy as code, and audit logs. Essential for teams managing infrastructure at scale.