Terraform

## State Management - Local state gets corrupted/lost — use remote backend (S3, GCS, Terraform Cloud) - Multiple people running simultaneously — enable state locking with DynamoDB or equivalent - Never edit state manually — use `terraform state mv`, `rm`, `import` - State contains secrets in plain text — encrypt at rest, restrict access ## Count vs for_each - `count` uses index — removing item 0 shifts all indices, forces recreation - `for_each` uses keys — stable, removing one doesn't affect others - Can't use both on same resource — choose one - `for_each` requires set or map — `toset()` to convert list ## Lifecycle Rules - `prevent_destroy = true` — blocks accidental deletion, must be removed to destroy - `create_before_destroy = true` — new resource created before old destroyed, for zero downtime - `ignore_changes` for external modifications — `ignore_changes = [tags]` ignores drift - `replace_triggered_by` to force recreation — when dependency changes ## Dependencies - Implicit via reference — `aws_instance.foo.id` creates automatic dependency - `depends_on` for hidden dependencies — when reference isn't in config - `depends_on` accepts list — `depends_on = [aws_iam_role.x, aws_iam_policy.y]` - Data sources run during plan — may fail if resource doesn't exist yet ## Data Sources - Data sources read existing resources — don't create - Runs at plan time — dependency must exist before plan - Use `depends_on` if implicit dependency not clear — or plan fails - Consider using resource output instead — more explicit ## Modules - Pin module versions — `source = "org/name/aws?version=1.2.3"` - `terraform init -upgrade` to update — doesn't auto-update - Module outputs must be explicitly defined — can't access internal resources from outside - Nested modules: output must bubble up — each layer needs to export ## Variables - No type = any — explicit `type = string`, `list(string)`, `map(object({...}))` - `sensitive = true` hides from output — but still in state file - `validation` block for constraints — custom error message - `nullable = false` to reject null — default is nullable ## Common Mistakes - `terraform destroy` is permanent — no undo, use `-target` carefully - Plan succeeded ≠ apply succeeds — API errors, quotas, permissions discovered at apply - Renaming resource = delete + create — use `moved` block or `terraform state mv` - Workspaces not for environments — use separate state files/backends per env - Provisioners are last resort — use cloud-init, user_data, or config management instead ## Import - `terraform import aws_instance.foo i-1234` — imports existing resource to state - Doesn't generate config — must write matching resource block manually - `import` block (TF 1.5+) — declarative import in config - Plan after import to verify — should show no changes if config matches