What Terraform interview questions should I expect in 2026?

Expect three buckets. Core mechanics (45-55% of questions) test state, plan and apply, providers, modules, and variables. Failure modes (20-30%) test drift, state locking, partial applies, and how you recover a broken state file. Design trade-offs (15-25%) test workspaces vs separate directories, module structure, and Terraform vs other infrastructure-as-code tools. Entry-level loops lean heavier on core mechanics. Platform and DevOps loops lean heavier on the failure modes, because that is where real teams lose hours.

Do Terraform interviewers expect production experience from CS new grads?

No, but they expect you to have actually run terraform init, plan, and apply against a real cloud account, even a free-tier one. Writing a config that provisions three or four resources, then changing it and reading the plan diff, is the floor. The honest framing if you are a new grad: 'I have provisioned real resources with Terraform on a personal project, but I have not managed shared state across a team.' That keeps the interviewer engaged. Claiming team experience you do not have gets exposed on the first state-locking follow-up.

What is Terraform state and why does it matter in an interview?

Terraform state is a JSON file that maps the resources in your configuration to the real resources that exist in your cloud provider. It is how Terraform knows that the EC2 instance in your code is the same one already running, so it can plan a change instead of creating a duplicate. State matters in interviews because almost every hard Terraform question traces back to it: remote state, state locking, drift, and importing existing resources are all state questions. If you understand state deeply, most of the rest of the interview follows.

What is the difference between terraform plan and terraform apply?

terraform plan computes the difference between your configuration and the current state, then prints what it would create, change, or destroy without touching anything. terraform apply executes that plan and makes the real changes. The interview-relevant detail is that plan is a dry run you can review and even save to a file, and apply can consume that saved plan so the change that runs is exactly the change you reviewed. In a real pipeline, plan runs on every pull request and apply runs only after a human approves.

What is a Terraform module and when should you create one?

A module is a reusable, parameterized group of Terraform resources that you call with inputs and read outputs from. The root module is your top-level configuration; child modules are the ones it calls. You create a module when the same set of resources gets stamped out more than twice, for example a standard VPC layout or a service deployment pattern. The interview trap is over-modularizing: wrapping a single resource in a module adds indirection without payoff. Modularize patterns, not individual resources.

What is drift in Terraform and how do you detect it?

Drift is when the real infrastructure no longer matches what Terraform's state and configuration say it should be, usually because someone changed a resource by hand in the cloud console. You detect it by running terraform plan, which compares state and config against the live resources and shows any out-of-band changes as a diff. The fix is either to re-apply so Terraform restores the intended state, or to update the configuration to match the manual change if it was intentional. Repeated drift is a process smell: it means people are bypassing the pipeline.

What is the difference between Terraform workspaces and separate directories?

Workspaces let one configuration keep multiple independent state files, switched with terraform workspace select. Separate directories give each environment its own configuration files and its own backend. Workspaces are lightweight but share the same code, so they suit ephemeral or near-identical environments. Separate directories are more verbose but give hard isolation and let production differ from staging safely. Most teams in 2026 use separate directories for prod versus staging and reserve workspaces for short-lived per-developer or per-branch stacks.

How is Terraform different from other infrastructure-as-code tools?

Terraform is declarative and cloud-agnostic: you describe the desired end state in its own configuration language, and a provider plugin reconciles reality to match across many clouds. Cloud-native tools are tied to one provider but ship support for new services first. Imperative or general-purpose-language tools let you write infrastructure in a language you already know, trading the simple declarative model for more flexibility. The interview point is matching the tool to the team: one cloud and tight vendor integration favors the native tool, multi-cloud or a strong module ecosystem favors a declarative cloud-agnostic tool.

What is idempotency and why does it matter for Terraform?

Idempotency means running the same operation repeatedly produces the same end state. Terraform is built on it: applying the same unchanged configuration twice makes no changes the second time, because the desired state already matches reality. It matters because it makes infrastructure changes safe to re-run after a failure and makes plans trustworthy. The interview follow-up often probes the edge: resources or provisioners that are not naturally idempotent, where you have to lean on lifecycle rules or avoid imperative provisioners entirely.

What does a remote backend do in Terraform?

A remote backend stores the state file in a shared location instead of on one laptop, and usually adds locking and encryption. It is what makes a team able to collaborate safely: everyone reads and writes the same state, locking serializes concurrent applies, and the state is not lost when a laptop dies. The interview signal is knowing that local state is fine for a solo learning project but a non-starter for a team, and that the backend is configured in the terraform block, not in a provider.

How do you import existing infrastructure into Terraform?

You write the resource block to match the existing resource, then run terraform import to bind that block to the real resource's ID, which writes it into state. After importing you run plan and expect no changes if your configuration matched reality. Newer Terraform also supports declarative import blocks that you commit to code and apply, which scales better than the one-by-one command. The interview point is that import only populates state; it does not generate your configuration for you, so the config still has to be written to match.

Terraform Interview Questions for 2026: 40+ Questions on State, Modules, Providers, Drift, and the Scenarios Interviewers Actually Ask

Terraform interview questions in 2026 cluster into three buckets: core mechanics (state, plan/apply, providers, modules), the failure modes that bite teams in production (drift, state locking, partial applies), and the design trade-offs (workspaces vs directories, Terraform vs other infrastructure-as-code). The new-grad gap is that you can write a basic config but have never untangled a corrupted state file or argued module structure on a real team. This guide gives 40+ questions across those buckets, the answer outlines that pass, and the honest framing when you have not run Terraform in production.

By Sam K., Founder, InterviewChamp.AI · Last updated 2026-06-02

23 min read

What Terraform interview questions actually test in 2026

Terraform interview questions in 2026 test three things in roughly this order: whether you understand state well enough that the rest of the tool makes sense, whether you can talk through the failure modes that cost real teams hours (drift, stuck locks, partial applies), and whether you reason about design trade-offs like module structure and workspaces instead of reciting commands. State is the spine. Almost every hard question is a state question wearing a costume. The candidate who internalizes that walks in calm; the one who memorized a command list freezes on the first follow-up.

The 2025-2026 hiring cycle tightened the infrastructure-adjacent market the same way it tightened everything else. Platform Engineer, DevOps, Cloud Engineer, and Site Reliability roles are still hiring entry-level talent at a higher rate than pure application-engineering roles, but the bar moved. Hiring managers now expect a candidate to have actually run terraform apply against a live account, not just read a tutorial. A new grad who can describe what a module is but has never seen a real plan diff reads as someone who studied for the interview without doing the work. That gap is the single biggest filter at the entry-level Terraform round.

Distribution of question types most new-grad candidates report from their Terraform loops:

45-55% core mechanics (state, plan and apply, providers, modules, variables, outputs)
20-30% failure modes (drift, state locking, partial applies, importing existing resources, recovery)
15-25% design trade-offs (workspaces vs directories, module structure, Terraform vs other infrastructure-as-code)
5-10% ecosystem and workflow (CI pipelines, remote backends, secrets handling)

The failure-mode slice is the one most candidates underprepare, and it disproportionately decides the outcome. Anyone can recite "state maps config to reality." Far fewer can walk through recovering a stuck lock after a crashed pipeline run without making things worse. That walkthrough is the senior signal even at the entry level.

What Terraform interviews test in 2026

Beyond the question split, interviewers are calibrating for a specific mental model. Terraform is a declarative infrastructure-as-code tool: you describe the desired end state of your infrastructure in configuration files, and Terraform figures out the create, update, and destroy operations needed to make reality match. The whole loop hangs on three artifacts working together: your configuration (what you want), the state (what Terraform believes exists), and the live provider resources (what actually exists in the cloud). Every interview question is poking at one of those three or the relationships between them.

The named tools and concepts you are expected to recognize without hesitation as of 2026: a provider plugin (the bridge to a specific platform like AWS, Google Cloud, or Azure), a remote backend (shared state storage with locking), a module (reusable grouped resources), HCL (the HashiCorp Configuration Language the configs are written in), and the terraform CLI verbs init, plan, apply, and destroy. If any of those terms make you pause, that is the gap to close first, because the interviewer will assume them as table stakes and build harder questions on top.

The other thing being tested is judgment under ambiguity. An interviewer who asks "how would you structure Terraform for three environments" is not looking for one right answer. They are watching whether you ask about team size, blast-radius tolerance, and how different prod needs to be from staging before you commit to workspaces or separate directories. That instinct, requirements before architecture, is what separates a hire from a no-hire at the margin.

Key terms

State: A JSON file mapping the resources in your configuration to the real resources in your provider, so Terraform can plan changes instead of recreating things. It is the single most important concept in the tool and the root of most hard interview questions.
Remote backend: A shared location that stores state off your laptop and typically adds locking and encryption, which is what makes safe team collaboration possible. Local state is fine solo; a remote backend is mandatory for a team.
Provider: A plugin that teaches Terraform how to talk to a specific platform's API (a cloud, a DNS service, a database). Providers are versioned and pinned, and one configuration can use several at once.
Module: A reusable, parameterized group of resources called with input variables and read via outputs. The root module is your top-level config; child modules are the ones it calls.
Drift: When live infrastructure no longer matches state and configuration, usually because someone changed a resource by hand. Detected with a plan and corrected by re-applying or by updating the config to match.
State locking: A mechanism that stops two applies from writing the same state at once. A remote backend acquires the lock before writing and releases it after, preventing concurrent runs from corrupting state.
Idempotency: The property that running the same operation repeatedly yields the same end state. Applying an unchanged configuration twice makes zero changes the second time.

Three more worth defining inline, because interviewers use them in follow-ups and assume you will keep up. A plan is the computed diff between your configuration and current state, printed before anything changes, and savable to a file so the apply runs exactly what you reviewed. A workspace is one of several named, isolated state files backed by a single configuration, switched with a CLI command. An import is the operation that binds an already-existing cloud resource to a resource block in your code by writing it into state, without generating the configuration for you.

Terraform state and remote state questions (6 Q)

State is the spine of the interview. Get fluent here and most other questions answer themselves.

Q1. What is Terraform state and why does it exist?

State is a JSON file mapping each resource in your configuration to the real resource that exists in your provider. It exists because Terraform is declarative: to compute a plan, it has to know which real resources correspond to your code so it can decide what to create, change, or destroy instead of duplicating things. Without state, every apply would try to create everything from scratch. The interview signal is connecting state to the plan: state is what makes a meaningful diff possible.

Q2. What is remote state and why use it over local state?

Remote state stores the state file in a shared backend instead of on one laptop. Use it the moment more than one person or pipeline touches the infrastructure. It gives everyone a single shared source of truth, enables locking so concurrent applies cannot corrupt state, keeps state safe if a laptop dies, and usually encrypts state at rest. Local state is acceptable for a solo learning project and a non-starter for a team. The follow-up trap: the backend is configured in the terraform block, not inside a provider block.

Q3. Why should you never edit the state file by hand?

Because the state file is structured, internally consistent, and the source of truth Terraform trusts completely. Hand-editing risks breaking that consistency in ways that surface as confusing plans or destroyed resources later. The supported path for surgical changes is the state subcommands: terraform state mv to rename or move a resource in state, terraform state rm to forget a resource without destroying it, and terraform import to bind an existing resource. The senior answer names those subcommands instead of reaching for a text editor.

Q4. What is sensitive data exposure in state and how do you handle it?

State can contain secrets in plaintext, because some resources store generated passwords or keys as attributes that land in state. You handle it by using a remote backend that encrypts state at rest, locking down who can read the backend, and avoiding piping state to logs or untrusted tooling. The interview point is awareness: a candidate who knows state can leak secrets, and treats the backend access as a security boundary, signals real operational maturity.

Q5. How do you split state, and why would you?

You split state by giving different parts of your infrastructure their own backends or workspaces, often per environment or per service. You do it to shrink blast radius (a bad apply touches less), to speed up plans (smaller state plans faster), and to let teams own their slice independently. The trade-off is that cross-state references get harder; you read another state's outputs through a remote-state data source, which couples the two. The judgment call is granularity: too coarse and every plan is slow and risky, too fine and you drown in cross-state wiring.

Q6. What is a remote-state data source?

It is a read-only way for one configuration to consume the outputs of another configuration's state. A networking stack might output a VPC ID, and an application stack reads that output through a remote-state data source instead of hardcoding it. The interview-relevant trade-off: it creates an explicit dependency between two state files, so a change to the producing stack's outputs can break the consuming stack. Some teams prefer passing values through variables in CI to keep the coupling looser.

Terraform plan and apply questions (5 Q)

The core workflow loop. Interviewers probe whether you understand what each verb actually does, not just the order you type them in.

Q7. Walk me through the init, plan, apply lifecycle.

terraform init initializes the working directory: it downloads provider plugins, configures the backend, and installs modules. terraform plan computes the diff between your configuration and current state and prints what it would create, change, or destroy, touching nothing. terraform apply executes that change. terraform destroy tears it all down. The signal is knowing that init is the prerequisite (nothing else works until providers and backend are set up) and that plan is a safe, reviewable dry run.

Q8. What is the difference between plan and apply?

plan is a dry run that computes and prints the diff without changing anything. apply makes the real changes. The detail that separates strong answers: you can save a plan to a file with the -out flag and feed that exact file to apply, guaranteeing the change that executes is precisely the one a reviewer approved. In a real pipeline, plan runs automatically on every pull request and apply runs only after a human approval gate.

Q9. What is a partial apply and how do you recover from one?

A partial apply happens when apply fails midway: some resources got created or changed, others did not, and the run aborts. Terraform records what succeeded in state, so the recovery is usually to fix the underlying cause (a bad credential, a quota limit, a dependency that was not ready) and run apply again, which only acts on what is still outstanding because of idempotency. The wrong move is to assume nothing happened and start over blindly; you read the state and the error first.

Q10. What does terraform refresh do and why is it sometimes risky?

refresh reconciles state with the real-world resources by querying the provider and updating state to match, without changing your configuration. It is how Terraform learns about drift. Modern Terraform folds a refresh into plan by default. The risk historically was running a standalone refresh that silently rewrote state to match manual changes, masking drift you actually wanted to see and correct. The senior answer is to let plan surface drift as a visible diff rather than silently absorbing it.

Q11. How do you target a single resource, and why is it discouraged?

You pass the -target flag to limit a plan or apply to one resource and its dependencies. It is discouraged as a routine practice because it bypasses Terraform's full dependency graph, which can leave state and reality subtly inconsistent if you forget a dependency. It is a legitimate break-glass tool for recovering from a specific failure, but if a team is reaching for -target regularly, that is a sign the configuration is too tightly coupled and should be split.

Terraform module and provider questions (7 Q)

Modules and providers are where structure and reuse get tested. This is the densest section because it covers two of the required topics.

Q12. What is a module and what is the root module?

A module is a reusable group of resources called with input variables and read through outputs. Every configuration has a root module: the top-level directory where you run commands. Child modules are the ones the root calls. The interview point is the relationship: inputs flow down from caller to module, outputs flow back up, and the module hides its internal resources behind that interface.

Q13. When should you create a module, and when should you not?

Create one when the same pattern of resources gets stamped out more than twice, for example a standard network layout or a service-deployment bundle. Do not wrap a single resource in a module; that adds a layer of indirection with no reuse payoff and makes the code harder to read. The signal interviewers want: modularize patterns, not individual resources, and resist the urge to abstract before you have seen the repetition.

Q14. How do you version and source modules?

Modules can be sourced from a local path, a version-control repository, or a module registry. For anything shared across teams, you pin a version so an upstream change cannot silently alter your infrastructure on the next init. The interview-relevant practice: local-path modules for code that lives in the same repo, versioned registry or git modules for reusable building blocks, and always pin the version on shared modules to keep applies reproducible.

Q15. What is a provider and how is it configured?

A provider is a plugin that translates Terraform's resource operations into a specific platform's API calls. You configure it in a provider block (region, credentials, and so on) and declare its version constraints in the required_providers section of the terraform block. The signal is knowing that one configuration can use multiple providers at once, and that provider credentials should come from the environment or a secrets system, never hardcoded into the config.

Q16. How do you pin provider versions and why does it matter?

You set version constraints in required_providers, and terraform init writes a dependency lock file that records the exact versions resolved. It matters because providers ship breaking changes, and an unpinned provider can change behavior between two applies that ran the same code. The lock file is committed to version control so every teammate and the CI pipeline resolve identical provider versions. A candidate who knows the lock file exists and gets committed is signaling real workflow experience.

Q17. What are provider aliases and when do you need them?

An alias lets you configure the same provider more than once, for example one AWS provider for us-east-1 and another aliased for eu-west-1, then point specific resources at the aliased one. You need aliases for multi-region deployments or for managing resources across multiple accounts from one configuration. The interview point is recognizing the multi-region or multi-account scenario as the trigger for aliases, rather than trying to manage each region in a separate apply.

Q18. How do modules pass data, and what is the difference between input variables and outputs?

Input variables are the parameters a module accepts; the caller sets them. Outputs are the values a module exposes back to its caller. Data flows down as inputs and back up as outputs, and that interface is the contract of the module. The senior signal is treating that interface deliberately: a well-designed module has a small, stable set of inputs and outputs, so callers are insulated from the internal resources changing.

Idempotency and Terraform-vs-other-IaC questions (5 Q)

Two of the required topics live here: idempotency as a property, and the comparison to other infrastructure-as-code approaches.

Q19. What does idempotency mean for Terraform specifically?

It means applying the same unchanged configuration produces the same end state every time, so the second apply makes zero changes because reality already matches. This is what makes Terraform safe to re-run after a failure and makes plans trustworthy. The interview follow-up usually pushes on the edge cases: provisioners that run scripts are not naturally idempotent, so relying on them undermines the guarantee. The clean answer is to keep infrastructure declarative and push imperative steps out of Terraform where possible.

Q20. Where does idempotency break, and how do you handle it?

It breaks with imperative escape hatches: local-exec and remote-exec provisioners that run arbitrary commands, and resources whose providers do not model every attribute. You handle it by avoiding provisioners for anything that has a proper resource, using null_resource with triggers only when you truly must, and leaning on lifecycle rules (like ignore_changes) to tell Terraform to stop fighting an externally managed attribute. The signal is treating provisioners as a last resort, not a default.

Q21. How is Terraform different from a cloud-native infrastructure-as-code tool?

A cloud-native tool is tied to one provider and often supports that provider's newest services first, with deep integration into that ecosystem. Terraform is cloud-agnostic: one declarative model and configuration language spans many providers through plugins. The trade-off, framed for an interviewer: if you are committed to a single cloud and want the tightest vendor integration plus day-one support for new services, the native tool can win. If you span multiple clouds or want a large shared module ecosystem and a consistent workflow across them, the cloud-agnostic declarative tool wins.

Q22. How is declarative infrastructure-as-code different from an imperative or general-purpose-language approach?

In the declarative model you describe the desired end state and the tool computes the steps to reach it. In an imperative or general-purpose-language approach, you write infrastructure in a familiar programming language with loops, conditionals, and functions, and you get more expressive power at the cost of the simple "describe the end state" mental model. The interview point is the trade-off: declarative configs are easier to read and reason about for most teams, while a general-purpose language suits teams that need heavy programmatic generation and already think in that language.

Q23. When would you choose Terraform over the alternatives, and when not?

Choose it when you want a declarative, cloud-agnostic tool with a mature provider and module ecosystem and a consistent plan/apply workflow across environments. Lean away from it when your team is all-in on a single cloud and values that vendor's native tooling and immediate new-service support, or when you genuinely need the full power of a general-purpose programming language to generate infrastructure. The strongest answer refuses to declare a universal winner and instead names the team and constraint that tips the decision.

Terraform failure-mode questions: locking, drift, workspaces (8 Q)

This is the section that separates candidates. State locking, drift, and workspaces are all required topics, and they are where real teams lose hours.

Q24. What is state locking and what goes wrong without it?

State locking stops two applies from writing the same state at the same time. A remote backend acquires a lock before it writes and releases it after. Without locking, two concurrent runs can interleave their writes and corrupt the state file, leaving Terraform's view out of sync with reality, which can lead to duplicated or destroyed resources. The interview signal is connecting locking to the team scenario: the moment a pipeline and a human can both apply, you need locking.

Q25. A pipeline crashed mid-apply and the state lock is stuck. What do you do?

First, confirm that no apply is genuinely still running anywhere, because force-unlocking a live apply is how you corrupt state. Check the pipeline, check with teammates. Once you are certain the holder is dead, run terraform force-unlock with the lock ID from the error message to release it, then run a plan to see the true current state before re-applying. The order matters: verify nobody is applying, then unlock, then re-plan. Rushing to force-unlock without confirming is the wrong-answer trap.

Q26. What is drift and how do you detect and correct it?

Drift is when live infrastructure no longer matches state and configuration, usually from a manual console change. You detect it by running plan, which compares config and state against live resources and shows the out-of-band change as a diff. You correct it two ways: re-apply to have Terraform restore the intended state, or update the configuration to match if the manual change was deliberate and should be kept. Repeated drift is a process smell that means people are routing around the pipeline.

Q27. How do you prevent drift in the first place?

Reduce who has write access to the cloud console so changes have to go through Terraform, run plan on a schedule to catch drift early, and treat any detected drift as a signal to fix the process, not just the resource. Some teams gate console access entirely for production. The senior framing: drift is rarely a Terraform problem, it is a discipline problem, and the durable fix is making the pipeline the only sanctioned path to change.

Q28. What are workspaces and what are they good for?

Workspaces let one configuration maintain multiple independent state files, selected with terraform workspace select. They are good for short-lived, near-identical environments: a per-developer sandbox, a per-branch preview stack, or ephemeral test environments that come and go. Because all workspaces share the same code, they are lightweight to spin up. The signal is naming a concrete good use, not just defining the feature.

Q29. When should you NOT use workspaces, and what do you use instead?

Do not use workspaces to separate production from staging when those environments meaningfully differ or need hard isolation, because they share the same configuration and a mistake can leak across them. Use separate directories with separate backends instead, so each environment has its own code and its own state and the blast radius is contained. This workspaces-versus-directories trade-off is one of the most-asked Terraform questions in 2026, and a vague answer signals book knowledge without real use.

Q30. How do you handle secrets in Terraform?

Keep secrets out of the configuration and out of version control. Source them from environment variables, a dedicated secrets manager read through a data source, or your CI system's secret store, and remember that some secrets still land in state, so the backend must be encrypted and access-controlled. The interview point is treating state as sensitive: even if your config has no plaintext secrets, the state file can, so the backend is part of your security perimeter.

Q31. How do you roll back a bad Terraform change?

There is no single "undo" button, so rollback means applying a known-good configuration. You revert the configuration in version control to the previous commit and run apply, which moves infrastructure back toward that prior desired state. The honest caveat that scores points: some operations are not cleanly reversible (a destroyed database with no backup is gone), so the real protection is reviewing the plan before apply and protecting critical resources with lifecycle prevent_destroy. Rollback is a plan-review discipline first and a revert-and-apply mechanic second.

How Terraform questions scale by role and seniority

The same Terraform surface area gets weighted very differently depending on the role. Here is how the emphasis shifts across the infrastructure-adjacent roles hiring new grads in the 2025-2026 cycle, with a concrete prep recommendation for each.

Scenario / role	Where the questions concentrate	What trips candidates up	What to over-prepare
DevOps Engineer (new grad)	Plan/apply in CI, remote backends, secrets handling	Explaining the PR-plan / approval-apply pipeline out loud	The stuck-lock recovery walkthrough
Platform Engineer (new grad)	Module design, state splitting, multi-environment structure	Over-modularizing single resources; vague workspaces answer	Workspaces vs separate directories trade-off
Cloud Engineer (new grad)	Providers, provider aliases, multi-region, multi-account	Hardcoding credentials; missing when aliases are needed	Provider versioning and the lock file
Site Reliability Engineer	Drift detection, blast radius, rollback, prevent_destroy	Rushing force-unlock without confirming nobody is applying	Drift-as-process-smell framing
SWE touching infrastructure	Core mechanics only: state, plan/apply, basic modules	Treating Terraform like an imperative script	The declarative end-state mental model

Two patterns to notice. First, every infrastructure-adjacent role tests the core mechanics floor: state, plan/apply, and basic modules are universal, so there is no role where you can skip them. Second, the failure-mode questions weight more heavily the closer the role sits to running production. An SRE loop will spend real time on drift and rollback; a SWE-touching-infra loop may never leave the core mechanics. Calibrate the prep mix to the role tier, and the difference shows in the room.

How to prepare for Terraform interview questions

A focused prep plan, calibrated for a CS new grad whose Terraform is at the "wrote a tutorial config once, never ran it on a team" starting point. Adjust if you are further along.

Run the full init / plan / apply loop against a real account. Install Terraform, point it at a free-tier cloud account, and provision three or four real resources from one configuration. Run terraform init, read the plan output, then apply. Change one attribute, run plan again, and study the diff so you can describe what plan computes versus what apply executes. Destroy everything at the end. This is the boring hour that makes every later answer credible.
Break and recover state on purpose. Move to a remote backend so you have real locking, then manufacture the situations interviewers ask about: change a resource by hand in the console and watch plan surface the drift, kill a run mid-apply and recover the stuck lock with force-unlock after confirming nothing is still running, and use terraform import to pull an existing resource into state. These three drills cover the most-asked failure-mode questions, and you can only answer them convincingly if your hands have done them.
Build one reusable module and call it twice. Wrap a pattern (a standard network layout works well) in a child module with input variables and outputs, then call it from a root module twice with different inputs. This makes the root-versus-child relationship and the inputs-flow-down, outputs-flow-up model concrete, and it gives you an artifact to point to in the interview.
Practice the workspaces-versus-directories trade-off out loud. Set up one configuration with two workspaces, then refactor the same setup into two separate directories with their own backends, and feel the difference. Rehearse a 60-second answer on when you would pick each. This question is nearly guaranteed, and most candidates give a vague answer that signals they only read about it.
Drill the core question bank out loud. Work through the state, plan/apply, providers, modules, idempotency, locking, drift, and Terraform-versus-other-IaC banks in this guide. Say each answer in your own words, not memorized verbatim, at roughly two minutes per answer so you are complete without rambling. If you want to hear a question, answer out loud, and get a quiet model outline to react to, run a mock Terraform round in the live interview assistant before the real one.
Run two timed mock interviews. Forty-five minutes each. First mock: core mechanics, 20 questions across state, plan/apply, providers, modules, and variables. Second mock: failure modes plus one design trade-off, narrated out loud as if walking a teammate through a recovery. Use a peer, a paid mock service, or an AI-driven tool. The first run will expose which failure-mode answers are still shaky; close those before the real round.

The non-negotiable step is the first one. Interviewers can tell within a minute or two whether you have actually run apply and read a real plan diff or only read about it. There is no shortcut for that calibration, and a weekend of hands-on time closes most of the gap.

Common Terraform interview mistakes for new grads

The mistakes below show up over and over in new-grad Terraform interview feedback from the 2025-2026 hiring cycle. Each one names the mistake and the fix.

Memorizing commands instead of understanding state. A candidate who can recite init, plan, apply in order but cannot explain what state is or why a plan diff is meaningful will collapse on the first follow-up. The fix: learn state cold first, then layer the commands on top, because every hard question traces back to state.
Rushing force-unlock without confirming the holder is dead. Force-unlocking a lock that a live apply still holds is how you corrupt state, and interviewers ask this scenario specifically to see if you slow down. The fix: always verify nobody is applying (check the pipeline, check teammates), then unlock, then re-plan before doing anything else.
Over-modularizing. Wrapping a single resource in a module adds indirection with no reuse payoff and reads as someone who learned "modules are good" without learning when. The fix: modularize repeated patterns, not individual resources, and wait until you have seen the repetition before abstracting.
Giving a vague workspaces answer. "Workspaces are for environments" is the answer that signals book knowledge, because the real trade-off is workspaces (lightweight, shared code, good for ephemeral stacks) versus separate directories (hard isolation, good for prod-versus-staging). The fix: rehearse the specific trade-off and name a concrete good use for each.
Hardcoding credentials or secrets in the config. Putting provider credentials or secret values directly in a .tf file is both a security failure and a signal of inexperience. The fix: source credentials from the environment or a secrets system, know that some secrets still land in state, and treat the encrypted backend as part of your security perimeter.

Related guides

Kubernetes interview questions: the orchestration layer Terraform often provisions, and the most common adjacent topic in platform and DevOps loops.
AWS interview questions: the cloud platform many Terraform configs target, including the CloudFormation-versus-Terraform infrastructure-as-code comparison.
System design basics for new grads: the broader round where infrastructure-as-code and provisioning trade-offs show up inside a larger architecture discussion.
Data engineer interview questions: the adjacent role that increasingly provisions its own cloud infrastructure and gets tested on the same state-and-pipeline thinking.

About the author: Sam K. is the founder of InterviewChamp.AI, building AI interview prep for the new-grad CS market and writing about the modern interview gauntlet from the inside.

Related guides

Interview Process

DevOps Interview Questions for 2026: 45+ Questions Across CI/CD, IaC, Observability, Kubernetes, Deployments, SRE, and Incident Response

DevOps interview questions in 2026 cluster into six areas: CI/CD pipelines, infrastructure-as-code, monitoring and observability, containers and orchestration, deployment strategies (blue-green and canary), and the SRE plus incident-response thinking that ties them together. The new-grad gap is reasoning about production trade-offs you've never owned on call. This guide gives 45+ questions across those areas, the culture questions interviewers slip in, and the honest framing that works when you've never carried a pager.

Sam K. · 2026-06-02

Interview Process

Docker Interview Questions for 2026: 40+ Q's Across Images vs Containers, the Layer Cache, Dockerfiles, Volumes, Networking, Compose, and the Orchestration Intro New Grads Get Wrong

Docker interview questions in 2026 split between definition recall (what's an image vs a container, what's a layer) and the build-and-debug scenarios that separate the candidate who ran `docker run` once from the one who actually shipped a containerized app. Expect questions on the layer cache, Dockerfile authoring, volumes, networking, docker-compose, multi-stage builds, containers vs VMs, and a closing intro to orchestration. This guide gives 40+ questions with answer outlines and a three-week prep plan that doesn't ask you to fake production experience.

Sam K. · 2026-06-02

Interview Process

JavaScript Interview Questions for 2026: 45+ Questions on Closures, the Event Loop, Promises, this-Binding, and the Live-Coding Tasks Interviewers Actually Ask

JavaScript interview questions in 2026 cluster into three buckets: language internals (closures, the event loop, prototypal inheritance, this-binding, hoisting), async reasoning (promises, async/await, microtasks), and live coding (debounce, throttle, deep clone, array transforms). The new-grad trap is reciting MDN definitions you can't apply when the follow-up asks why your code logs that value. This guide gives 45+ questions with answer outlines, the live-coding tasks you'll actually face, and how to sound like you've shipped JavaScript instead of memorized it.

Sam K. · 2026-06-02

Try the live demo →

Frequently asked questions

What Terraform interview questions should I expect in 2026?: Expect three buckets. Core mechanics (45-55% of questions) test state, plan and apply, providers, modules, and variables. Failure modes (20-30%) test drift, state locking, partial applies, and how you recover a broken state file. Design trade-offs (15-25%) test workspaces vs separate directories, module structure, and Terraform vs other infrastructure-as-code tools. Entry-level loops lean heavier on core mechanics. Platform and DevOps loops lean heavier on the failure modes, because that is where real teams lose hours.
Do Terraform interviewers expect production experience from CS new grads?: No, but they expect you to have actually run terraform init, plan, and apply against a real cloud account, even a free-tier one. Writing a config that provisions three or four resources, then changing it and reading the plan diff, is the floor. The honest framing if you are a new grad: 'I have provisioned real resources with Terraform on a personal project, but I have not managed shared state across a team.' That keeps the interviewer engaged. Claiming team experience you do not have gets exposed on the first state-locking follow-up.
What is Terraform state and why does it matter in an interview?: Terraform state is a JSON file that maps the resources in your configuration to the real resources that exist in your cloud provider. It is how Terraform knows that the EC2 instance in your code is the same one already running, so it can plan a change instead of creating a duplicate. State matters in interviews because almost every hard Terraform question traces back to it: remote state, state locking, drift, and importing existing resources are all state questions. If you understand state deeply, most of the rest of the interview follows.
What is the difference between terraform plan and terraform apply?: terraform plan computes the difference between your configuration and the current state, then prints what it would create, change, or destroy without touching anything. terraform apply executes that plan and makes the real changes. The interview-relevant detail is that plan is a dry run you can review and even save to a file, and apply can consume that saved plan so the change that runs is exactly the change you reviewed. In a real pipeline, plan runs on every pull request and apply runs only after a human approves.
What is a Terraform module and when should you create one?: A module is a reusable, parameterized group of Terraform resources that you call with inputs and read outputs from. The root module is your top-level configuration; child modules are the ones it calls. You create a module when the same set of resources gets stamped out more than twice, for example a standard VPC layout or a service deployment pattern. The interview trap is over-modularizing: wrapping a single resource in a module adds indirection without payoff. Modularize patterns, not individual resources.
What is state locking and what happens without it?: State locking prevents two people or pipelines from running apply against the same state at the same time. A remote backend acquires a lock before writing and releases it after. Without locking, two concurrent applies can interleave their writes and corrupt the state file, leaving Terraform's view of the world out of sync with reality. The classic recovery question follows: a lock got stuck after a crashed run, and you have to force-unlock it after confirming nobody else is actually applying.
What is drift in Terraform and how do you detect it?: Drift is when the real infrastructure no longer matches what Terraform's state and configuration say it should be, usually because someone changed a resource by hand in the cloud console. You detect it by running terraform plan, which compares state and config against the live resources and shows any out-of-band changes as a diff. The fix is either to re-apply so Terraform restores the intended state, or to update the configuration to match the manual change if it was intentional. Repeated drift is a process smell: it means people are bypassing the pipeline.
What is the difference between Terraform workspaces and separate directories?: Workspaces let one configuration keep multiple independent state files, switched with terraform workspace select. Separate directories give each environment its own configuration files and its own backend. Workspaces are lightweight but share the same code, so they suit ephemeral or near-identical environments. Separate directories are more verbose but give hard isolation and let production differ from staging safely. Most teams in 2026 use separate directories for prod versus staging and reserve workspaces for short-lived per-developer or per-branch stacks.
How is Terraform different from other infrastructure-as-code tools?: Terraform is declarative and cloud-agnostic: you describe the desired end state in its own configuration language, and a provider plugin reconciles reality to match across many clouds. Cloud-native tools are tied to one provider but ship support for new services first. Imperative or general-purpose-language tools let you write infrastructure in a language you already know, trading the simple declarative model for more flexibility. The interview point is matching the tool to the team: one cloud and tight vendor integration favors the native tool, multi-cloud or a strong module ecosystem favors a declarative cloud-agnostic tool.
What is idempotency and why does it matter for Terraform?: Idempotency means running the same operation repeatedly produces the same end state. Terraform is built on it: applying the same unchanged configuration twice makes no changes the second time, because the desired state already matches reality. It matters because it makes infrastructure changes safe to re-run after a failure and makes plans trustworthy. The interview follow-up often probes the edge: resources or provisioners that are not naturally idempotent, where you have to lean on lifecycle rules or avoid imperative provisioners entirely.
What does a remote backend do in Terraform?: A remote backend stores the state file in a shared location instead of on one laptop, and usually adds locking and encryption. It is what makes a team able to collaborate safely: everyone reads and writes the same state, locking serializes concurrent applies, and the state is not lost when a laptop dies. The interview signal is knowing that local state is fine for a solo learning project but a non-starter for a team, and that the backend is configured in the terraform block, not in a provider.
How do you import existing infrastructure into Terraform?: You write the resource block to match the existing resource, then run terraform import to bind that block to the real resource's ID, which writes it into state. After importing you run plan and expect no changes if your configuration matched reality. Newer Terraform also supports declarative import blocks that you commit to code and apply, which scales better than the one-by-one command. The interview point is that import only populates state; it does not generate your configuration for you, so the config still has to be written to match.