Terraform Important Questions

with Answers for Review

26th June 2024

Saleh Miri

Linkedin.com/in/salehmiri [email protected]

Youtube.com/salehmiri90 Github.com/salehmiri90
This document is including below titles:

Terraform Backend Questions

Terraform State Management
Terraform State Locking

Disclaimer

Please note that this document is intended as a guide, not a reference, for creating a standby system.
The author is not accountable for any losses or damage resulting from the application of this article.
There's no assurance that the advice provided is error-free. It is recommended to use this guide at
your own risk and conduct thorough testing in your specific environment.

If you identify any inaccuracies in the information presented, please reach out to me for corrections.
Your input is appreciated for continual improvement.
Terraform Important Questions with Answers for Review
Terraform Backend

Q1. What is a Terraform backend and why is it important?

Answer:
A Terraform backend is a component responsible for storing and retrieving the Terraform state. The
Terraform state is a critical piece of information that tracks the resources Terraform manages and their
current configuration.
Backends are important for several reasons:
• Remote State Storage
• State Locking
• Durability and Consistency
• Security

Q2. How do you configure a remote backend in Terraform?

Answer:
To configure a remote backend in Terraform, you can use the backend block within the terraform block
in your configuration file. Here are the general steps:
Choose a Backend Type:
• Local: Stores the state file on the local filesystem. This is suitable for testing and development.
• Remote: Stores the state file in a remote service, such as a cloud storage service or a managed
backend like Terraform Cloud.

Q3. What are some common types of backends supported by Terraform?

Answer:
Terraform supports several types of backends, including:
• Local Backend: Stores the state file on the local filesystem. This is suitable for development
and testing but not recommended for production use due to state management and locking
issues.
• Standard Backend: Stores the state file in a remote location, such as AWS S3, Azure Storage,
or GCP Cloud Storage. These backends do not execute commands like terraform plan or
terraform apply but provide state locking and versioning.
• Enhanced Backend: Supports both local and remote state storage and can execute commands
like terraform plan and terraform apply. Examples include Terraform Cloud.
• Remote Backend: Stores the state file in a remote location and supports state locking and
versioning. Examples include Terraform Cloud and other managed backends

Q4. Explain the process of migrating a local backend to a remote backend?

Answer:
Migrating a local Terraform backend to a remote backend involves several steps:
A. Configure the Remote Backend
• Choose a remote backend type (AWS S3, Azure Storage, Terraform Cloud).

Page 1 of 9
Terraform Important Questions with Answers for Review
• Set up the necessary configuration for the chosen backend (e.g., create an S3 bucket,
configure DynamoDB table, set up Terraform Cloud).
B. Initialize Terraform with the New Backend
• Run terraform init with the new backend configuration.
• Terraform will prompt you to migrate the existing state to the new backend. Confirm the
migration.
C. Migrate the State
• If the local state file was previously locked, remove the lock using terraform state lock -
force.
• Run terraform init -migrate-state to migrate the state to the new backend.
• Confirm the changes.
D. Update Configuration File
• Update the terraform block in your configuration file to use the new remote backend.
E. Verify the Migration
• Run terraform plan to ensure that the migration was successful and there are no changes
needed.
F. Monitor and Manage State
• Use the new remote backend to manage and monitor your Terraform state, ensuring that
it is secure, scalable, and accessible for team collaboration.

Q5. How does Terraform handle backend authentication and access control?
Answer:
Terraform handles backend authentication and access control in several ways:
• Use environment variables like AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and
AWS_REGION to provide credentials.
• Use the shared_config_files and shared_credentials_files arguments to reference the AWS
configuration and credentials files.
• Use the assume_role block to assume an IAM role and provide temporary credentials with
additional privileges.
• Use the use_azuread_auth variable to authenticate using an Azure AD principal.
• Use a SAS token to authenticate directly.
• Avoid hardcoding credentials in the backend configuration. Instead, use environment variables
or credentials files to provide access credentials.
• Use remote backends like Terraform Cloud, which provide secure and managed state storage
with features like state locking and versioning.
• Use environment variables like TF_USERNAME and TF_PASSWORD to authenticate with the
GitLab Terraform backend.

Q6. Can you use multiple backends in a single Terraform configuration? Explain?
Answer:
Yes, it is possible to use multiple backends in a single Terraform configuration. This can be useful when
managing infrastructure across different environments or when separating concerns within a larger
infrastructure.

Page 2 of 9
Terraform Important Questions with Answers for Review
However, it's important to note that using multiple backends can also add complexity to your
Terraform workflow, so it's important to carefully consider the trade-offs and choose the approach
that best fits your specific use case.

Q7. What are the benefits of using a remote backend over a local backend?

Answer:
The key benefits of using a remote backend are improved collaboration, state management, security,
scalability, and the ability to better organize and isolate your infrastructure across different
environments. These advantages make remote backends the recommended approach, especially for
team-based infrastructure management.

Q8. How do you manage backend configurations securely in a team environment?

Answer:
There are several best practices:
• Use environment variables to pass sensitive data
• Use separate configuration files for different environments, such as development, testing,
and production.
• Implement access control mechanisms like IAM roles or Azure Active Directory to manage
permissions and ensure that only authorized personnel can access and modify backend
configurations
• Use encryption for sensitive data stored in backends, such as state files or other data.
• Store backend configurations securely, using services which provide robust security
features like access control, encryption, and versioning
• Use versioning for backend configurations to track changes and ensure that previous
versions can be easily restored if needed.
• Regularly update backend configurations to ensure that they are secure and up-to-date.
• Monitor backend configurations and state files for any unauthorized changes or access.

Q9. What happens if the backend service is unavailable when running `terraform apply`?
Answer:
By default, terraform will wait for the backend service to become available before proceeding with the
operation. However, you can configure Terraform to use different strategies for handling unavailable
backend services, such as retrying the operation or terminating it if the service remains unavailable for
too long.

Q10. Describe how to use environment variables to configure backends in Terraform?

Answer:
• Terraform supports using environment variables to configure the backend, similar to how it
handles variables for provider configuration.
• The environment variable naming convention is TF_BACKEND_CONFIG_<VARIABLE_NAME>,
where <VARIABLE_NAME> is the name of the backend configuration parameter you want to
set.

Page 3 of 9
Terraform Important Questions with Answers for Review
• For example, to set the S3 bucket name for an AWS backend, you can use the environment
variable TF_BACKEND_CONFIG_bucket=my-bucket.

Terraform State Management

Q11. What is Terraform state and what role does it play in infrastructure management?
Answer:
Terraform state is a critical component that enables Terraform to manage infrastructure effectively. It
provides the mapping between configuration and real-world resources, improves performance,
facilitates collaboration, stores necessary metadata, and enables versioning and rollback capabilities.
Properly managing the Terraform state is essential for successful infrastructure management.

Q12. How does Terraform determine the current state of your infrastructure?

Answer:
Terraform determines the current state of your infrastructure through a process called "refresh." Before
any operation (apply, plan, destroy), Terraform performs a refresh to update the state with the real-
world state of infrastructure resources. This ensures that the state is accurate and reflects the actual
state of the infrastructure.

Q13. Explain the difference between `terraform plan` and `terraform apply` in the context of state?
Answer:
In summary, terraform plan provides a preview of the changes that will be made, while terraform apply
executes those changes. This ensures that you can review and validate the changes before they are
applied to your infrastructure.

Q14. What is the purpose of the `.terraform` directory?

Answer:
The .terraform directory is considered an internal Terraform directory and should not be manually
modified or deleted, as it can lead to issues with the Terraform workflow. Terraform manages the
contents of this directory automatically, and it is generally recommended to leave it untouched.
In summary, the .terraform directory is a critical component of the Terraform infrastructure
management process, as it stores essential information required for Terraform to function correctly
and efficiently.

Q15. How do you handle state file conflicts in a team environment?

Answer:
Handling state file conflicts in a team environment involves several strategies include:
• Store the state file in a remote backend
• Implement state locking mechanisms like DynamoDB for Amazon S3 or Azure Blob Storage to
prevent concurrent modifications.
• Use workspaces to isolate changes made by different users. Each workspace can have its own
state file, which is synced to the remote state storage.

Page 4 of 9
Terraform Important Questions with Answers for Review
• Use Terraform Cloud to manage state files. It provides automatic locking and ensures that only
one user can modify the state file at a time

Q16. What are the best practices for managing Terraform state files securely?
Answer:
• Store state files in a remote backend like Amazon S3, Azure Blob Storage, or HashiCorp Consul.
• Enable state locking mechanisms provided by remote backends to prevent concurrent
modifications and data corruption.
• Avoid storing sensitive information directly in Terraform state files. Use environment variables,
secrets management systems, or parameter stores instead.
• Separate state files for different components or projects to minimize the blast radius in case of
failures or rollbacks.
• Implement automation workflows to streamline state file management tasks, such as
initialization, updates, and backups.
• Consider techniques like state file pruning, partial state files, or state snapshots to optimize the
size and performance of state files.
• Implement monitoring and alerting mechanisms to detect anomalies or inconsistencies in
Terraform state files.
• Develop backup and recovery strategies for Terraform state files to mitigate the risk of data
loss or corruption.
• Never manually change the state file. Use the Terraform CLI for any necessary modifications.
• Ensure that your team uses a consistent version of Terraform to avoid discrepancies in state
management.
• Use commands like terraform state mv to safely move resources within or between state files
if restructuring is needed.
• Use the terraform destroy command judiciously, preferably in non-production environments,
to avoid unintended consequences.

Q17. How can you inspect and modify the Terraform state file manually?
Answer:
• Use terraform state pull to download the state file from the remote backend.
• Use terraform state list to show the resource addresses for every resource Terraform knows
about in a configuration.
• Use terraform state show to display detailed state data about one resource.
• Use terraform state mv to move resources within or between state files.
• Use terraform state rm to remove resources from the state file.
• Use terraform state add to add resources to the state file.
• Use terraform state push to upload the modified state file to the remote backend.
• Use terraform state lock to lock the deployment, preventing concurrent modifications.
• Use terraform state unlock to unlock the deployment after modifications are complete.

Q18. What are state file locks and why are they important?
Answer:

Page 5 of 9
Terraform Important Questions with Answers for Review
State file locks are a crucial mechanism used by Terraform to prevent multiple processes from
modifying the state file simultaneously. This ensures that the state file remains consistent and prevents
conflicts or race conditions that could lead to incorrect provisioning or updates.
By preventing multiple processes from modifying the state file simultaneously, state file locks ensure
that the state remains consistent and prevents conflicts or race conditions that could lead to incorrect
provisioning or updates.

Q19. Explain how to use the `terraform state` command to manage state files?
Answer:
The terraform state command is used for advanced state management in Terraform. It allows you to
inspect, modify, and manage the state files that Terraform uses to track the resources it manages.

Q20. How do you handle sensitive information stored in the Terraform state file?
Answer:
To handle sensitive information stored in the Terraform state file, several techniques can be employed:
• Use Sensitive Variables: Terraform provides a sensitive flag for input variables. This flag
redacts the values in console output and log messages, reducing the risk of accidental
disclosure.
• Store Secrets Outside Terraform Code: Instead of storing secrets directly in Terraform files,
use external secret management systems like HashiCorp Vault, AWS Secrets Manager, or Azure
Key Vault. These tools provide secure storage and retrieval of secrets, which Terraform can
access during runtime.
• Store State Remotely: Store the Terraform state file remotely rather than locally. Remote state
backends like Terraform Cloud or S3 support encryption at rest, providing better security for
sensitive data. Additionally, remote state backends offer access controls, auditing, and
versioning capabilities.
• Encrypt Sensitive Data: For sensitive data stored in the .tfstate file, encrypt the file itself. By
configuring the backend to use encryption, you ensure that sensitive information remains
protected.
• Avoid Plain Text Secrets: Store secrets securely using techniques like environment variables,
encrypted files (KMS, PGP, SOPS), or secret stores (Vault) to manage and provide secrets to
Terraform.
• Secure Access to State: Apply proper access controls to the remote state, ensuring only
authorized users or roles have access to the state data. Use IAM policies or similar mechanisms
provided by your chosen remote state backend to restrict access and track activity.
• Use Hashicorp Vault: Hashicorp Vault can be integrated with Terraform to inject secrets in
resource definitions, allowing you to connect your project with your existing Vault workflow.
• Store State in a Centralized AWS Account: Store the Terraform state file in a centralized AWS
account where you operate Secrets Manager. Configure policies that restrict access to the state
file, and use an Amazon DynamoDB table to keep the file locked.
• Use Git-Crypt: If you need to store sensitive files in version control, consider using tools like
Git-Crypt to encrypt sensitive files in your repositories.

Page 6 of 9
Terraform Important Questions with Answers for Review
• Protect State Files: Lock down state files to a reasonable level by storing them in isolated
resource groups or subscriptions and granting only managed identities of pipeline agents
access to them.

Terraform State Locking

Q21. What is state locking in Terraform and why is it necessary?

Answer:
As explained, State locking in Terraform is a mechanism that prevents concurrent access to the same
Terraform state file from multiple users or automation processes. This ensures that only one user or
process can make changes to the state at a given time, thereby preventing potential conflicts and
ensuring data integrity.
Terraform automatically acquires a lock when starting an operation that modifies the state. If another
operation is in progress, terraform will wait or fail, depending on the configuration. This ensures that
changes are applied safely without conflicts.

Q22. How does Terraform implement state locking with AWS S3 and DynamoDB?
Answer:
Terraform implements state locking with AWS S3 and DynamoDB by using a combination of these
services to manage and secure the state file.

Q23. What are the potential issues that can arise without state locking?
Answer:
The primary issues that can arise without state locking are data corruption, inconsistent infrastructure,
performance degradation, synchronization problems, unintended consequences, and difficulty
troubleshooting. Proper state locking is essential to maintain the integrity and consistency of the
Terraform-managed infrastructure.

Q24. How do you configure state locking for a remote backend like Azure Storage?
Answer:
To configure state locking for a remote backend like Azure Storage, you need to set up the backend
configuration, leverage Azure's native state locking capabilities, encrypt the state data, and secure
access to the state file. This ensures data integrity, consistency, and security for your Terraform-
managed infrastructure.

Q25. Can you disable state locking in Terraform, Why or why not?
Answer:
Yes, disabling state locking in Terraform is possible but not recommended. Disabling state locking can
lead to data corruption and unintended consequences.

Q26. Explain how Terraform handles state locking conflicts and resolutions?
Answer:
• Terraform handles state locking conflicts through automatic locking and error messages.

Page 7 of 9
Terraform Important Questions with Answers for Review
• Manual intervention with the force-unlock command can be used to resolve conflicts.
• Best practices include coordination and verification after unlocking.
• The state file backend and state file locking mechanisms are critical components in resolving
conflicts.

Q27. Describe a scenario where state locking prevented a critical issue in infrastructure management?
Answer:
Scenario:
In my current company, "Hamrahe Aval" uses Terraform to manage its cloud infrastructure on
Kubernetes. Our company has a team of DevOps engineers who work on different projects, each with
its own Terraform configuration. The team uses a remote backend for state locking to ensure that only
one user can modify the state at a time.
Issue:
One day, two DevOps engineers, Saleh and Sahar, are working on different projects. Saleh is updating
the company's database configuration, while Sahar is deploying a new web application. Both engineers
are using the same Terraform configuration file, which is stored in a shared repository.
Conflict:
When Saleh tries to apply the changes to the database configuration, terraform detects that the state
file is already locked by Sahar, who is still deploying the web application. Terraform automatically waits
for the lock to be released before proceeding. However, if Saleh were to force the lock, it could lead
to inconsistent state and potential data corruption.
Resolution:
Saleh waits for Sahar to release the lock, and once she does, Saleh can safely apply the changes to the
database configuration. This ensures that the state remains consistent and that no data is lost or
corrupted.

Q28. What are the benefits of using DynamoDB for state locking in AWS?
Answer:
By leveraging DynamoDB for state locking, you can ensure that your Terraform workflows are robust,
secure, and scalable, while also providing a consistent and reliable infrastructure management
experience.

Q29. How can you manually unlock a state file if a lock is not released properly?
Answer:
you can use the terraform force-unlock command. This command removes the lock on the state file
for the current configuration.

Q30. What strategies can you use to minimize the impact of state locking on deployment times?
Answer:
• Implement retry logic: Add retry functionality to your Terraform commands, such as terraform
apply and terraform plan, to automatically retry the operation if it fails due to a state lock. This
can help mitigate the impact of temporary lock contention and reduce the need for manual
intervention.

Page 8 of 9
Terraform Important Questions with Answers for Review
• Use a lock timeout: Configure a lock timeout value in your Terraform configuration, which
specifies the maximum amount of time a lock can be held before it is automatically released. This
can help prevent long-running locks from blocking other deployments.
• Isolate state files: Organize your Terraform configuration into multiple, isolated state files for
different parts of your infrastructure. This can reduce the "blast radius" of a state lock, as changes
to one part of the infrastructure will not affect the others.
• Leverage Terraform Automation and Collaboration tools: Use some tools which provide
advanced state management features, such as automatic state locking, state file versioning, and
secure state storage. These tools can help streamline your Terraform workflows and minimize the
impact of state locking.

Page 9 of 9