Day 71 — Terraform Interview Questions

As part of our comprehensive 90-day DevOps Challenge, today marks the 71st day and we have came to end of terraform series. This article has learnings which we saw in previous articles of terraform to prepare you for interview.

Questions:

1. What is Terraform and how it is different from other IaaC tools?

Terraform is an open-source infrastructure as code (IaaC) software tool created by HashiCorp. It allows users to define and provision a data center infrastructure using a declarative configuration language. With Terraform, you can manage infrastructure efficiently and effectively across various cloud providers, as well as on-premises.

Here are some key points that differentiate Terraform from other Infrastructure as Code tools:

1. Multi-Cloud Support: Terraform supports multiple cloud providers such as AWS, Azure, Google Cloud, and others, allowing you to manage your infrastructure across different clouds from a single configuration.
2. Declarative Configuration: Terraform allows you to define the desired state of your infrastructure in a declarative configuration file. It helps in creating a blueprint of your infrastructure that can be versioned and shared, ensuring consistency in deployments.
3. Resource Graph: Terraform builds a dependency graph of all the resources, which helps in understanding the relationships and dependencies between various resources. This enables Terraform to create, modify, and delete resources in the correct order to achieve the desired state.
4. Plan and Apply Workflow: Terraform has a unique “plan and apply” workflow. It first generates an execution plan that describes what it will do to reach the desired state and then executes the plan to make the actual changes.
5. State Management: Terraform keeps track of the state of the infrastructure it manages. This state is stored in a file that helps Terraform to understand the resources it manages and to map real-world resources to your configuration.

2. How do you call a main.tf module?

In Terraform, you can call a main.tf module by referencing it in your root configuration file. If you have a module defined in the directory, you can include it in your root configuration by using the module block, like this:

module "example" {
  source = "./path/to/module/directory"
}

Here, "example" is the name you're giving to the module instance, and "./path/to/module/directory" is the relative or absolute path to the directory containing the module.

3. What exactly is Sentinel? Can you provide few examples where we can use for Sentinel policies?

Sentinel is a policy as code framework created by HashiCorp. It provides the ability to define, implement, and enforce policies across all stages of the software delivery lifecycle. It allows users to define policies that govern how certain operations are carried out within infrastructure provisioning tools such as Terraform, as well as other HashiCorp tools like Consul and Vault.

Some common use cases for Sentinel policies include:

1. Regulatory Compliance: Enforcing policies to ensure that infrastructure provisioning adheres to specific regulatory requirements, such as data protection laws (e.g., GDPR) or industry-specific standards.
2. Security Policies: Implementing security policies to ensure that only approved configurations are used, such as ensuring that resources are provisioned in secure environments or that encryption is enabled for sensitive data.
3. Naming Conventions: Enforcing policies related to resource naming conventions, ensuring that resources are named consistently and follow specific naming patterns.
4. Resource Tagging: Enforcing policies to ensure that resources are properly tagged for cost allocation, resource management, and organizational purposes.
5. Budget Management: Implementing policies to manage and control costs, such as preventing the provisioning of expensive resource types or ensuring that resources are provisioned within specific cost limits.

4. You have a Terraform configuration file that defines an infrastructure deployment. However, there are multiple instances of the same resource that need to be created. How would you modify the configuration file to achieve this?

n Terraform, if you need to create multiple instances of the same resource, you can utilize the count or for_each meta-arguments within the resource block to achieve this. The choice between count and for_each depends on your specific use case and requirements. Here's how you can use each of these approaches:

Using count:

resource "aws_instance" "example" {
  count         = 3
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
}

In this example, three instances of AWS EC2 are created, as specified by the count argument. The instances will be indexed from 0 to 2, and you can access each instance with the index. For example, the first instance's ID can be accessed using aws_instance.example[0].id.

Using for_each:

variable "instance_names" {
  type = set(string)
  default = ["instance1", "instance2", "instance3"]
}

resource "aws_instance" "example" {
  for_each      = var.instance_names
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t2.micro"
  tags = {
    Name = each.value
  }
}

In this example, you can define a set of instance names in a variable, and each instance will be created based on the values in the instance_names variable. You can access each instance using aws_instance.example["instance1"], aws_instance.example["instance2"], and so on, based on the values in the instance_names set.

5. You want to know from which paths Terraform is loading providers referenced in your Terraform configuration (*.tf files). You need to enable debug messages to find this out. Which of the following would achieve this?

A. Set the environment variable TF_LOG=TRACE

B. Set verbose logging for each provider in your Terraform configuration

C. Set the environment variable TF_VAR_log=TRACE

D. Set the environment variable TF_LOG_PATH

A. Set the environment variable TF_LOG=TRACE

A) Setting the environment variable TF_LOG=TRACE will enable debug logging for Terraform. This will provide detailed logs, including the paths from which Terraform is loading providers referenced in your Terraform configuration (*.tf files).

Example:

export TF_LOG=TRACE

B. Set verbose logging for each provider in your Terraform configuration

You can set the provider’s TF_LOG configuration to TRACE in your Terraform configuration file. This will enable detailed logging for that specific provider.

Example:

provider "aws" {
  region = "us-west-2"
  version = "~> 2.0"
  # Setting verbose logging for the AWS provider
  TF_LOG = "TRACE"
}

C. Set the environment variable TF_VAR_log=TRACE

Setting the environment variable TF_VAR_log=TRACE will not achieve the desired result. It is used for setting Terraform variables and not for enabling debug messages.

D. Set the environment variable TF_LOG_PATH

Setting the environment variable TF_LOG_PATH will not enable debug messages. It is used to specify a file where the Terraform logs will be written. It does not affect the log level or enable debug messages.

6. Below command will destroy everything that is being created in the infrastructure. Tell us how would you save any particular resource while destroying the complete infrastructure.

“terraform destroy”

When running the terraform destroy command, it will remove all the resources that are created by the Terraform configuration. If you want to save or keep a particular resource while destroying the rest of the infrastructure, you can use the terraform state command to manage the Terraform state.

To save a particular resource, you can perform the following steps:

1. Identify the resource you want to keep.
2. Run the terraform state command to remove the resource from the Terraform state without destroying it in the actual infrastructure.

Here is an example of how you can save a resource by removing it from the Terraform state:

# Identify the resource you want to save by getting its resource ID
terraform state list
# Remove the resource from the Terraform state to prevent it from being destroyed
terraform state rm <resource_type>.<resource_name>

After removing the resource from the Terraform state, you can run terraform destroy to destroy the remaining resources without affecting the one you removed from the state.

7. Which module is used to store .tfstate file in S3?

The module used to store the .tfstate file in an S3 bucket is called terraform-backend-s3. It is a separate Terraform configuration that sets up the backend configuration to store the state file in an S3 bucket.

8. How do you manage sensitive data in Terraform, such as API keys or passwords?

Sensitive data in Terraform can be managed using Terraform Vault Integration or environment variables. Vault Integration allows you to store and retrieve sensitive data securely, while environment variables keep sensitive information out of Terraform configuration files.

9. You are working on a Terraform project that needs to provision an S3 bucket, and a user with read and write access to the bucket. What resources would you use to accomplish this, and how would you configure them?

To provision an S3 bucket and a user with read and write access, you can use the following Terraform resources:

resource "aws_s3_bucket" "example" {
  bucket = "my-example-bucket"
  acl    = "private"
}
resource "aws_iam_user" "example" {
  name = "example-user"
}
resource "aws_iam_access_key" "example" {
  user = aws_iam_user.example.name
}
resource "aws_iam_policy" "example" {
  name        = "example-policy"
  description = "Example policy for S3 access"
  policy      = <<-EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::my-example-bucket/*"]
    }
  ]
}
  EOT
}
resource "aws_iam_policy_attachment" "example" {
  policy_arn = aws_iam_policy.example.arn
  users      = [aws_iam_user.example.name]
}

10. Who maintains Terraform providers?

Terraform providers are maintained by the respective cloud service providers or organizations. For example, AWS maintains the AWS provider, and Google maintains the Google Cloud provider. The providers are typically open source, and the community and contributors also play a role in maintaining them.

11. How can we export data from one module to another?

To export data from one module to another in Terraform, you can use output values. In the source module, define an output block, and in the calling module, reference that output using the module syntax. Here's an example:

In the source module (module1):

output "example_output" {
  value = "This is an example output."
}

In the calling module (module2):

module "module1" {
  source = "./module1"
}

# Access the output from module1
output "module1_output" {
  value = module.module1.example_output
}

In this example, module2 can access the output value of module1 using module.module1.example_output.