
Skill Guide

Infrastructure as Code (Terraform, CloudFormation)

Infrastructure as Code (IaC) is the practice of managing and provisioning cloud or data center infrastructure through machine-readable definition files, rather than manual processes.

It enables organizations to achieve repeatable, version-controlled, and automated infrastructure deployments, directly increasing deployment velocity and operational reliability while reducing human error and configuration drift.
3 Careers
3 Categories
8.7 Avg Demand
20% Avg AI Risk

How to Learn Infrastructure as Code (Terraform, CloudFormation)

Focus on: 1) Understanding core cloud provider primitives (VPCs, EC2, IAM roles) in one cloud (AWS/Azure/GCP). 2) Grasping the declarative vs. imperative paradigms; Terraform uses HCL (declarative). 3) Mastering the basic IaC workflow: write, plan, apply, destroy.
Move from single-resource provisioning to multi-service, multi-environment architectures. Learn to modularize your code for reusability (Terraform modules, CloudFormation nested stacks). Implement state management (remote state, locking). A common mistake is hardcoding values; learn to use variables and data sources effectively to create dynamic, environment-agnostic templates.
Master at the architectural level: design enterprise-scale IaC strategies including GitOps workflows for deployment, policy-as-code (e.g., Sentinel, OPA) for governance, and advanced state manipulation for zero-downtime refactoring. Align IaC practices with CI/CD pipelines to enforce infrastructure change reviews. Mentor teams on patterns like the 'composition over inheritance' model for modules.

Practice Projects

Beginner
Project

Deploy a Static Website with IaC

Scenario

You need to host a simple HTML/CSS website on a cloud provider with high availability, using IaC for reproducibility.

How to Execute
1) Choose Terraform or CloudFormation for AWS S3 + CloudFront (or similar on Azure/GCP).
2) Write the template defining the S3 bucket, bucket policy, and CloudFront distribution.
3) Use variables for region, bucket name, and domain.
4) Execute `terraform init`, `plan`, and `apply` to deploy the infrastructure and upload your website files.
Intermediate
Project

Build a Multi-Environment Deployment Pipeline

Scenario

Your company needs identical staging and production environments for a web application (database, compute cluster, load balancer) deployed via IaC, with safe promotion.

How to Execute
1) Structure your IaC into reusable modules (e.g., `modules/network`, `modules/database`).
2) Create environment-specific workspaces or directories (`env/staging`, `env/prod`) that consume the modules with different variable files (e.g., `staging.tfvars`).
3) Implement a CI/CD pipeline (GitHub Actions, GitLab CI) that runs `terraform plan` on pull requests and `apply` only on merges to main, targeting the staging environment first.
4) Use separate state files per environment and implement state locking.
Advanced
Project

Enterprise IaC Governance Framework

Scenario

As a platform engineer, design a system that allows multiple teams to provision standardized, compliant infrastructure independently, while enforcing security and cost policies centrally.

How to Execute
1) Develop a curated internal registry of approved, well-documented Terraform modules with embedded security best practices (e.g., encrypted storage, private subnets).
2) Implement a policy-as-code layer using tools like HashiCorp Sentinel or Open Policy Agent (OPA) to validate plans against rules (e.g., 'No public S3 buckets', 'Tag mandatory').
3) Integrate this validation into the team's CI pipeline; plans that fail policy checks are blocked.
4) Set up a GitOps model where teams submit infrastructure requests via pull requests to a central repo, triggering automated planning, validation, and gated applies.
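The plan-validation step above, sketched as an added example (not part of the original guide, and written in plain Python rather than Sentinel or OPA): it applies the two rules named in step 2 to the `resource_changes` of a Terraform plan exported as JSON. The required tag names, the set of resource types that must be tagged, and the sample plan are assumptions constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json` output (only the
# fields the checks read); not taken from a real plan.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "aws_s3_bucket.site", "type": "aws_s3_bucket", "change": {"actions": ["create"],
   "after": {"bucket": "example-site", "tags": {"owner": "web", "cost_center": "1234"}}}},
 {"address": "aws_s3_bucket_acl.site", "type": "aws_s3_bucket_acl", "change": {"actions": ["create"],
   "after": {"acl": "public-read"}}},
 {"address": "aws_s3_bucket_public_access_block.site", "type": "aws_s3_bucket_public_access_block",
  "change": {"actions": ["update"], "after": {"block_public_acls": true, "block_public_policy": false,
   "ignore_public_acls": true, "restrict_public_buckets": true}}},
 {"address": "aws_instance.app", "type": "aws_instance", "change": {"actions": ["create"],
   "after": {"instance_type": "t3.micro", "tags": null}}},
 {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket", "change": {"actions": ["delete"], "after": null}}
]}""")

REQUIRED_TAGS = {"owner", "cost_center"}          # assumed organisation tag policy
TAGGED_TYPES = {"aws_s3_bucket", "aws_instance"}  # assumed types that must carry tags
PUBLIC_ACLS = {"public-read", "public-read-write"}
PAB_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")

def check_plan(plan):
    """Return a sorted list of (address, message) policy violations."""
    violations = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        # Deletions and no-ops leave nothing new to validate.
        if after is None or not {"create", "update"} & set(change.get("actions", [])):
            continue
        addr, rtype = rc["address"], rc["type"]
        if rtype in ("aws_s3_bucket", "aws_s3_bucket_acl") and after.get("acl") in PUBLIC_ACLS:
            violations.append((addr, f"public ACL '{after['acl']}'"))
        if rtype == "aws_s3_bucket_public_access_block":
            off = [f for f in PAB_FLAGS if after.get(f) is not True]
            if off:
                violations.append((addr, "public access block disabled: " + ", ".join(off)))
        if rtype in TAGGED_TYPES:
            missing = REQUIRED_TAGS - set(after.get("tags") or {})
            if missing:
                violations.append((addr, "missing tags: " + ", ".join(sorted(missing))))
    return sorted(violations)

def gate(plan):
    """CI exit code: 0 lets the apply proceed, 1 blocks it."""
    return 1 if check_plan(plan) else 0
```

The check reads only planned `after` values, so attributes that are unknown until apply and public access granted through a bucket policy document are outside what it catches.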

Tools & Frameworks

Software & Platforms

Terraform (HashiCorp); AWS CloudFormation; Azure Resource Manager (ARM) / Bicep; Google Cloud Deployment Manager; Pulumi (using general-purpose languages)

Terraform is the multi-cloud industry standard using HCL; use it for cloud-agnostic provisioning or complex multi-provider setups. CloudFormation is the native, tightly integrated choice for AWS-only shops. Use ARM/Bicep for Azure-centric environments. Pulumi is chosen when teams prefer using Python, TypeScript, etc., for IaC logic.

Supporting Tools & Practices

Git; CI/CD (GitHub Actions, GitLab CI); Policy-as-Code (Sentinel, OPA); State Management (S3/Azure Blob + DynamoDB/Azure Table for locking)

Git is non-negotiable for versioning your infrastructure definitions. CI/CD pipelines automate testing and deployment of IaC changes, enabling peer review. Policy-as-Code tools automate compliance checks against the infrastructure plan before apply. Robust state management in remote backends with locking is critical for team collaboration and safety.

Interview Questions

Answer Strategy

This tests fundamental operational knowledge. The candidate must explain the purpose of state (mapping config to real-world resources), the risk of local state (no collaboration, no locking, no backup), and the solution (remote backends like S3 with a DynamoDB locking table).

Answer Strategy

This tests architectural thinking and experience with large-scale IaC. The interviewer is looking for a strategy involving modularity, clear interfaces, and isolation.

Careers That Require Infrastructure as Code (Terraform, CloudFormation)

3 careers found