Terraform is easy to run and dangerous to run carelessly. These questions check whether a candidate understands state, modules and safe change management.
Hiring a Terraform developer is easy. Telling a real one from a convincing résumé is the hard part — and it’s most of what we do. These are grouped by level, because the same question that stretches a junior is a warm-up for a senior.
Junior Terraform interview questions
0–2 years
Core concepts.
What is infrastructure as code and why use it?
Defining infrastructure declaratively in version-controlled files for reproducible, reviewable, automatable provisioning.
Clicks resources together in a console with no record.
What is the difference between plan and apply?
plan previews the changes Terraform will make; apply executes them. Always review the plan first.
Runs apply without reading the plan.
What is Terraform state?
A file mapping your configuration to real resources; Terraform uses it to know what exists and what to change.
Deletes or ignores state and gets duplicate resources.
What are providers?
Plugins that let Terraform manage a platform’s resources (AWS, GCP, etc.) through its API.
Doesn’t know how Terraform talks to a cloud.
What are resources and data sources?
Resources are things Terraform creates and manages; data sources read existing information without managing it.
Recreates existing resources instead of referencing them.
What are variables and outputs?
Variables parameterise configuration; outputs expose values for humans or other modules.
Hardcodes values everywhere.
Why is idempotency important in Terraform?
Re-running with no config change should make no changes; the desired-state model enables this.
Expects each apply to recreate everything.
Why should the state file be handled carefully?
It can contain secrets and is the source of truth; it belongs in secure remote storage, not committed to git.
Commits terraform.tfstate to the repo.
Mid-level Terraform interview questions
2–5 years
State and modules.
What is remote state and why use it?
State stored in a shared backend (S3, etc.) so teams collaborate safely, with locking to prevent concurrent corruption.
Keeps state locally and overwrites teammates’ changes.
What is state locking?
A mechanism preventing simultaneous applies from corrupting state, provided by backends like S3+DynamoDB.
Two engineers apply at once and corrupt state.
What are modules and why use them?
Reusable, parameterised groups of resources that keep configuration DRY and consistent across environments.
Copy-pastes the same resources per environment.
How do you manage multiple environments?
Separate state per environment via workspaces or directory structure with shared modules, avoiding cross-environment blast radius.
Shares one state across prod and dev.
What is terraform import for?
Bringing existing, manually-created resources under Terraform management by adding them to state.
Recreates existing infra instead of importing it.
What is a provisioner and why avoid overusing it?
A hook to run scripts on resources; it’s a last resort because it’s imperative and brittle compared to declarative config.
Uses provisioners for everything.
How do count and for_each differ?
Both create multiple instances; for_each keys by a map/set so adding/removing items doesn’t shuffle others like count can.
Uses count where removing an item re-indexes and destroys the wrong resources.
How do you handle secrets in Terraform?
Reference a secrets manager and mark variables sensitive; never hardcode secrets, and remember state may store them.
Puts plaintext secrets in .tf files.
Senior Terraform interview questions
5+ years
Operations and safety.
What is state drift and how do you handle it?
When real infrastructure diverges from state (manual changes); plan detects it and you reconcile via import or re-apply.
Unaware that console changes cause drift.
How do you make Terraform changes safely in production?
Reviewed plans in CI, small blast radius, targeted applies where needed, and understanding destroy-and-recreate behaviour.
Applies sweeping changes that silently destroy resources.
How do you structure Terraform for a large organisation?
Layered state by lifecycle/ownership, reusable modules, a module registry, and clear boundaries to limit blast radius.
One giant state file for the whole company.
How do you integrate Terraform into CI/CD?
Automated plan on PRs, gated apply on merge, remote state with locking, and policy checks (OPA/Sentinel).
Applies from laptops with no review.
How do you avoid destroying stateful resources by accident?
Lifecycle rules like prevent_destroy, careful review of plans, and understanding which changes force replacement.
Ignores “forces replacement” in the plan and drops a database.
How do you test and validate infrastructure code?
validate/fmt, policy-as-code, plan review, and tools like Terratest for module testing.
Ships modules with no validation.
How do you manage provider and module versions?
Pin versions and use a lockfile so applies are reproducible and upgrades are deliberate.
Uses unpinned versions and gets surprise changes.
When is Terraform the wrong tool or approach?
For imperative one-off tasks, application deployment, or where a platform’s native tooling fits better; IaC isn’t always the answer.
Forces everything, including app config, through Terraform.
Build and score a full interview with our free interview scorecard tool, browse the full question hub, or see how we interview engineers.