advance

Excellent follow-up, Pavan — you're absolutely right to push deeper here. There are several important Terraform concepts, commands, behaviors, and real-world scenarios that weren't fully covered yet, especially those like drift, state locking, partial apply, and dependency handling — all of which Amazon interviewers love to dig into at the Senior DevOps level.

Here's a list of advanced and often-missed Terraform concepts with when to use them, including the one you mentioned: drift.


✅ Missed & Advanced Terraform Concepts (with When to Use)


1. Drift Detection

  • What: When real infrastructure changes outside of Terraform.

  • Detect via: terraform plan

  • Fix via:

    • terraform apply (reconciles)

    • terraform refresh (syncs state without apply)

  • Use When:

    • Resources are manually updated (e.g., EC2 type changed via console)

    • External scripts or autoscaling mutate infrastructure


2. State Locking

  • What: Prevents simultaneous terraform apply operations.

  • Use When:

    • Team collaboration — multiple users or CI pipelines

  • How:

    • Enabled by default in remote backends like:

      • S3 + DynamoDB (AWS)

      • Terraform Cloud

  • Error Example: Error acquiring the state lock


3. Partial Apply

  • What: Applying only a subset of planned changes.

  • How:

    • Manually select changes during interactive terraform apply

    • Or apply with -target

  • Use When:

    • You want to deploy risky resources manually

    • Need staged rollouts


4. Targeted Operations (-target)

  • What: Deploy specific resource(s) only.

  • Use When:

    • Faster iteration during dev

    • Safe rollout of individual pieces

  • Example:


5. Remote Backends

  • What: Store state remotely (S3, Terraform Cloud, Consul).

  • Use When:

    • Team collaboration

    • Production infra

  • Bonus: Can also enable remote operations (e.g., Terraform Cloud runs)


6. Custom Conditions (Pre/Post)

  • What: Prevent invalid configurations at runtime

  • Use When:

    • Business rules (e.g., block public S3 in prod)

  • Example:


7. Terraform Cloud / Terraform Enterprise

  • What: HashiCorp’s SaaS for Terraform management

  • Use When:

    • You need remote apply, policy enforcement (Sentinel), audit logging


8. Sentinel Policies

  • What: Policy as Code engine in Terraform Enterprise

  • Use When:

    • Enforce org-wide policies (e.g., enforce tags, block public SGs)


9. State File Manipulation (terraform state)

  • Use When:

    • You need to:

      • Move resources between modules

      • Remove orphaned resources

      • Rename address in state

  • Examples:


10. Tainting Resources

  • Use When:

    • A resource is corrupted, but Terraform doesn't detect it as changed.

  • Commands:


11. Plan and Apply Separation

  • Use When:

    • You want manual approval, especially in CI/CD.

  • Typical Flow:

    • terraform plan -out=tfplan

    • Review plan

    • terraform apply tfplan


12. Custom Providers / Third-Party Providers

  • Use When:

    • You manage infra not officially supported (e.g., custom APIs, SaaS services)


13. Resource Meta-Arguments

Meta-Arg | Purpose | Use When
depends_on | Force dependency beyond reference | Resources are implicitly parallel
lifecycle | Manage deletion, creation timing | Prevent destroy or force replace
provider override | Use different providers in the same config | Multi-account/multi-region setups


14. Dynamic Blocks

  • Use When:

    • You have variable sets of nested blocks like IAM statement or SG ingress.


15. Expressions & Functions

  • Key Examples:

    • join(), lookup(), merge(), compact(), length(), contains()

  • Use When:

    • You’re dynamically generating values or defaults


16. Terraform Refresh (Deprecated in CLI v1.6+)

  • What: Syncs state with real infra without changing infra

  • Use When:

    • You want to inspect drift but not apply changes


17. Workspaces vs. Separate State

  • Workspaces:

    • Lightweight env management (terraform workspace)

  • Separate State Files:

    • Preferred for prod-grade isolation (via different backends or directories)

  • Use When:

    • You want true separation of dev, stage, prod


18. State Versioning (e.g., S3)

  • Use When:

    • You need to rollback state due to corruption or bad apply

  • Tip:

    • Enable versioning on S3 bucket storing state


19. Tags and Naming Standards

  • Use When:

    • You want cost tracking, compliance, automated scripts

  • How:


20. Concurrency in CI/CD

  • Use When:

    • You want to avoid apply collisions

  • Tip:

    • Use state locking via DynamoDB

    • Serialize pipelines with mutex locks (e.g., terragrunt run-all with locking)


✅ Summary

Feature | When to Use
Drift Detection | Identify and fix config drift between state and real infra
State Locking | Prevent concurrent applies
Targeted Apply | Apply specific resources safely
Partial Apply | Apply selected changes interactively
Taint/Untaint | Force recreation without config change
Remote Backend | Store state safely in S3, Terraform Cloud
State Versioning | Recover from state corruption or misapplies
Custom Conditions | Enforce infra rules at runtime
Dynamic Blocks | Handle variable nested blocks cleanly
Plan/Apply Split | Safer CI/CD with approval gates
depends_on | Enforce critical resource ordering
Terragrunt | DRY, orchestrate multi-environment deployments


Would you like a Markdown/PDF cheat sheet with all these?

Or maybe a diagram of Terraform architecture in a CI/CD flow, showing modules, remote state, drift detection, etc.?
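An added example (not code from the original answer) that puts items 6, 13 and 14 above into one resource: a dynamic block renders security-group ingress rules from a variable, a precondition fails the plan if the "prod" workspace would get a 0.0.0.0/0 rule, and a lifecycle meta-argument blocks destruction. It assumes an AWS provider is configured, that terraform.workspace selects the environment, and Terraform 1.2+ for precondition support; the variable values are constructed sample input.

```hcl
variable "vpc_id" {
  type = string
}

# Constructed sample input: one internal rule and one world-open rule.
variable "ingress_rules" {
  type = list(object({ port = number, cidr_blocks = list(string) }))
  default = [
    { port = 443, cidr_blocks = ["10.0.0.0/8"] },
    { port = 22, cidr_blocks = ["0.0.0.0/0"] }, # rejected when workspace == "prod"
  ]
}

locals {
  is_prod = terraform.workspace == "prod"
  # Ports whose rule would be reachable from the whole internet.
  world_open_ports = [
    for r in var.ingress_rules : r.port
    if contains(r.cidr_blocks, "0.0.0.0/0")
  ]
}

resource "aws_security_group" "app" {
  name   = "app-${terraform.workspace}"
  vpc_id = var.vpc_id

  # Dynamic block (item 14): one ingress block per element of var.ingress_rules.
  dynamic "ingress" {
    for_each = var.ingress_rules
    content {
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = "tcp"
      cidr_blocks = ingress.value.cidr_blocks
    }
  }

  lifecycle {
    # Custom condition (item 6): the plan fails before anything is created
    # if prod would receive a rule open to 0.0.0.0/0.
    precondition {
      condition     = !local.is_prod || length(local.world_open_ports) == 0
      error_message = "Security group in workspace prod must not allow ingress from 0.0.0.0/0."
    }
    # Meta-argument (item 13): a plan that would delete this resource errors out.
    prevent_destroy = true
  }
}
```

With the sample default, `terraform plan` succeeds in any workspace other than prod and fails with the precondition message in prod until the 0.0.0.0/0 rule is removed from the variable.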
