Core Concept
Terraform is a cloud-agnostic Infrastructure as Code (IaC) tool that automates the provisioning and management of cloud infrastructure using declarative configuration files.
🔧 What is Terraform?
Terraform allows developers and cloud security professionals to define infrastructure (VMs, VPCs, networks, etc.) using code. It’s:
- Cloud-agnostic (supports multiple providers)
- Version-controlled
- Consistent (reduces config drift)
- Auditable and reusable
📦 Core Components
Terraform config files are written in HCL (HashiCorp Configuration Language) and include:
- Resource: What to create (e.g., VM, network)
- Variable: The name for the resource instance
- Location: Region and zone where resources are deployed
Example Blocks
# First Resource Block: Network
resource "google_compute_network" "vpc_network" {
name = "my-custom-mode-network"
auto_create_subnetworks = false
mtu = 1460
}
# Second Resource Block: Subnetwork
resource "google_compute_subnetwork" "default" {
name = "my-custom-subnet"
ip_cidr_range = "10.0.1.0/24"
region = "us-west1"
network = google_compute_network.vpc_network.id
}
# Third Resource Block: VM Instance
resource "google_compute_instance" "default" {
name = "flask-vm"
machine_type = "f1_micro"
zone = "us-west1-a"
tags = ["ssh"]
}Collaborating with Terraform
Terraform was originally designed as a single-user tool, and collaboration wasn’t its native strength in the early days. However, over time, HashiCorp and the community have introduced features and best practices to make it collaboration-friendly.
🧱 Originally: Local-Only State
- Meant for individual use or small-scale projects.
- No built-in locking or multi-user awareness.
🔄 Now: Collaboration Through Extensions
To support teams, organizations now use:
1. Remote State Backends
- Shared, centralized state storage (e.g., S3, Terraform Cloud).
- Enables multiple users to work on the same infrastructure safely.
2. State Locking
- Prevents race conditions when two users run
terraform applyat the same time. - Available in backends like:
- AWS S3 + DynamoDB
- Terraform Cloud
- Azure Blob + CosmosDB
3. Terraform Cloud / Enterprise
- Adds native collaboration features:
- User access control
- Run history and audit logs
- Policy enforcement (via Sentinel)
- VCS integration (GitHub, GitLab, etc.)
- Remote execution (no need to run Terraform locally)
🧩 Summary
| Feature | Local Terraform | Remote Backend | Terraform Cloud |
|---|---|---|---|
| Collaboration | ❌ | ✅ | ✅✅ |
| State Locking | ❌ | ✅ | ✅ |
| Versioning | ❌ | ✅ | ✅ |
| Access Control | ❌ | ❌ | ✅ |
| UI & Audit Logs | ❌ | ❌ | ✅ |
Helpful Tip
💡 While Terraform wasn’t natively collaborative at first, it’s now very capable in team environments — as long as you use the right setup.
🔁 Core Terraform Workflow: 3 Key Steps
1. Write Infrastructure as Code (IaC)
- Define your infrastructure using Terraform configuration files (
.tf). - Example: Creating a Google Compute Engine F1-micro VM:
resource "google_compute_instance" "vm_instance" {
name = "example-instance"
machine_type = "f1-micro"
zone = "us-central1-a"
boot_disk {
initialize_params {
image = "debian-cloud/debian-11"
}
}
network_interface {
network = "default"
access_config {}
}
}2. Run terraform plan
- Previews what Terraform will do before making changes.
- Helps catch errors and validate that the configuration matches expectations.
- Iterative: You may run this multiple times while refining your setup.
- Policy as Code: Use tools like Sentinel to enforce security and compliance rules before applying changes.
3. Run terraform apply
- Applies the configuration and provisions the infrastructure.
- Communicates with the cloud provider (e.g., GCP) using provider plugins.
- Handles resource creation, updates, and deletions.
- Understands resource dependencies and builds them in the correct order.
🔐 Policy as Code with Sentinel
- Sentinel is a policy-as-code framework by HashiCorp.
- Enforces rules like:
- Only allow certain VM types
- Require encryption on storage
- Restrict resources to specific regions
- Benefits:
- Sandboxing
- Version control
- Commented, readable policies
✅ Why This Matters for Cloud Security Professionals
- Ensures repeatable, auditable, and secure infrastructure deployments.
- Reduces human error and enforces compliance by design.
- Encourages collaboration between DevOps and security teams.
See Terraform in action
Refer to Terraform Lab in Google Cloud
Penguinified by https://chatgpt.com/g/g-683f4d44a4b881919df0a7714238daae-penguinify