Day 71 of 90 Days of DevOps Challenge: Terraform Interview Questions

Preparing for interview questions on Terraform can help you solidify your understanding of its concepts and capabilities. Here are answers to the questions you provided:

1. What is Terraform and how is it different from other IaC tools?

   • Terraform is an open-source Infrastructure as Code (IaC) tool developed by HashiCorp that allows you to define, provision, and manage cloud infrastructure using a declarative configuration language (HCL - HashiCorp Configuration Language).

   • Differences from other IaC tools:

     • Declarative vs. Imperative: Terraform uses a declarative approach, meaning you specify what the desired state of the infrastructure should be, while other tools (like Ansible) may use an imperative approach that requires you to specify how to achieve that state.

     • State Management: Terraform maintains a state file that keeps track of the current state of the infrastructure, enabling it to plan and apply changes intelligently. Other tools may not manage state as explicitly.

     • Provider Ecosystem: Terraform has a broad ecosystem of providers that support multiple cloud platforms, while some other tools may be limited to specific vendors.

2. How do you call a main.tf module?

   • To call a module defined in main.tf, you can use the module block in your configuration file. For example:

       module "my_module" {
         source = "./path/to/module"
         variable1 = "value1"
         variable2 = "value2"
       }
     

3. What exactly is Sentinel? Can you provide a few examples where we can use Sentinel policies?

   • Sentinel is a policy as code framework integrated with HashiCorp’s enterprise products (like Terraform Enterprise). It allows you to enforce fine-grained, logic-based policies to manage infrastructure compliance.

   • Examples of Sentinel policies:

     • Restricting resource types: Preventing the creation of specific types of resources (e.g., not allowing the deployment of EC2 instances without tagging).

     • Cost control: Enforcing policies that limit the total cost of infrastructure (e.g., capping the total number of EC2 instances).

     • Security compliance: Ensuring that all S3 buckets have versioning enabled or are configured to block public access.

4. You have a Terraform configuration file that defines an infrastructure deployment. However, there are multiple instances of the same resource that need to be created. How would you modify the configuration file to achieve this?

   • You can use the count or for_each meta-arguments in the resource block. For example, using count:

       resource "aws_instance" "web_server" {
         count = 3
         ami = "ami-xxxx"
         instance_type = "t2.micro"
       }
     

     Or using for_each:

       resource "aws_instance" "web_server" {
         for_each = toset(["instance1", "instance2", "instance3"])
         ami = "ami-xxxx"
         instance_type = "t2.micro"
         tags = {
           Name = each.key
         }
       }
     

5. You want to know from which paths Terraform is loading providers referenced in your Terraform configuration (*.tf files). You need to enable debug messages to find this out. Which of the following would achieve this?

   • A. Set the environment variable TF_LOG=TRACE: This setting enables detailed logging and will show the paths Terraform is using to load providers.

6. Below command will destroy everything that is being created in the infrastructure. Tell us how you would save any particular resource while destroying the complete infrastructure.

   • You can use the -target option with the terraform destroy command to specify which resource to exclude from destruction. For example:

       terraform destroy -target=aws_instance.my_instance
     

   • This command will destroy all resources except for aws_instance.my_instance.

7. Which module is used to store the .tfstate file in S3?

   • The terraform backend block is used to configure where Terraform stores its state file. To store the state file in an S3 bucket, you would use the following configuration:

       terraform {
         backend "s3" {
           bucket         = "my-tfstate-bucket"
           key            = "terraform/state"
           region         = "us-east-1"
         }
       }
     

8. How do you manage sensitive data in Terraform, such as API keys or passwords?

   • Sensitive data can be managed in Terraform using:

     • Terraform Variables: Define sensitive variables with sensitive = true to prevent them from being displayed in the console output.

     • Environment Variables: Set environment variables to pass sensitive data to Terraform without hardcoding them in the configuration.

     • Secret Management Tools: Use tools like AWS Secrets Manager or HashiCorp Vault to store sensitive information and access it in Terraform.

9. You are working on a Terraform project that needs to provision an S3 bucket and a user with read and write access to the bucket. What resources would you use to accomplish this, and how would you configure them?

   • You would use the following resources:

       resource "aws_s3_bucket" "my_bucket" {
         bucket = "my-unique-bucket-name"
       }
     
       resource "aws_iam_user" "my_user" {
         name = "my_user"
       }
     
       resource "aws_iam_policy" "my_policy" {
         name        = "S3ReadWritePolicy"
         description = "A policy to allow read and write access to the S3 bucket"
         policy      = jsonencode({
           Version = "2012-10-17"
           Statement = [
             {
               Action = [
                 "s3:PutObject",
                 "s3:GetObject",
                 "s3:DeleteObject",
                 "s3:ListBucket",
               ]
               Effect   = "Allow"
               Resource = [
                 aws_s3_bucket.my_bucket.arn,
                 "${aws_s3_bucket.my_bucket.arn}/*",
               ]
             }
           ]
         })
       }
     
       resource "aws_iam_user_policy_attachment" "attach_policy" {
         user       = aws_iam_user.my_user.name
         policy_arn = aws_iam_policy.my_policy.arn
       }
     

10. Who maintains Terraform providers?

    • Terraform providers are maintained by both HashiCorp and the open-source community. HashiCorp develops and maintains the official providers available in the Terraform Registry, while community contributors can create and maintain their own providers, which can also be published in the registry.

11. How can we export data from one module to another?

    • To export data from one module to another, you can use outputs in the source module and then reference those outputs in the calling module. For example: In the child module:

        output "instance_id" {
          value = aws_instance.my_instance.id
        }
      

      In the root module:

        module "my_child_module" {
          source = "./path/to/child_module"
        }
      
        resource "aws_instance" "another_instance" {
          instance_id = module.my_child_module.instance_id
        }
      

---

These questions and answers cover a range of topics related to Terraform, showcasing its functionality and how to effectively manage infrastructure as code. Preparing for these questions can help you demonstrate your knowledge during interviews. Good luck!