Terraform Tutorial for Beginners: Infrastructure as Code

E-Learning Sherdil — Wed, 03 Jun 2026 05:45:54 +0000

📌 This article was originally published on Sherdil E-Learning. I'm republishing it here so the dev.to community can benefit too.

If you have ever clicked through the AWS console, Azure portal, or GCP dashboard to create cloud resources, you know the pain: it's slow, hard to repeat reliably across staging and production, and easy to get wrong. Infrastructure as Code (IaC) solves this problem, and Terraform is the most widely used IaC tool in industry.

This guide takes you from "what is IaC" to running your first Terraform deployment on AWS, then walks through a working VPC + EC2 example you can adapt for production. It also covers the BUSL / OpenTofu split from 2023 that every Terraform learner in 2026 should understand.

What is Infrastructure as Code?

Infrastructure as code is the practice of managing cloud resources — servers, databases, networks, storage, security groups — through configuration files rather than manual clicks in a web console. You describe the infrastructure you want in text files, store those files in Git, and let an IaC tool create and update the real resources to match.

The practical benefits compound:

Repeatability — the same files produce the same infrastructure every time, which removes the "I forgot to open port 443" class of mistake.
Audit log built in — Git history becomes the audit log for every change, and pull requests become the review process.
Speed — a complete environment (VPC, subnets, instances, load balancer, database) can spin up in minutes instead of hours of console work.
Self-documenting — the configuration files double as documentation: anyone joining the team can read the Terraform code and understand exactly what is deployed.
Reusable patterns — once you have written a module for, say, a standard VPC, you can reuse it across every project with different inputs.

What is Terraform — and a note on OpenTofu

Terraform is an open-source-style infrastructure-as-code tool originally created by HashiCorp in 2014. It uses a declarative configuration language called HCL (HashiCorp Configuration Language) and supports hundreds of cloud and SaaS providers through a shared provider model.

One thing every Terraform learner in 2026 should know: in August 2023, HashiCorp changed Terraform's license from MPL 2.0 to the Business Source License (BUSL), which restricts commercial competitive use. In response, the OpenTofu project was forked from Terraform 1.5.5, kept the MPL 2.0 license, and is now maintained by the Linux Foundation.

OpenTofu is a drop-in replacement: same HCL syntax, same workflow, same provider ecosystem.

For learners, the practical difference is small. Terraform has more name recognition with employers, so start with Terraform for employability. If your future employer prefers OpenTofu, the switch is trivial. The rest of this tutorial works for both.

Official sites: terraform.io for Terraform; opentofu.org for OpenTofu.

Terraform vs other IaC tools

Tool	Scope	Language	Best for
Terraform	Multi-cloud (AWS, Azure, GCP, Alibaba, +hundreds)	HCL (declarative)	Teams working across more than one cloud
AWS CloudFormation	AWS only	YAML / JSON	AWS-only shops wanting tight native integration
Pulumi	Multi-cloud	Python, TypeScript, Go, C#	Teams that want a real programming language for infra
Ansible	Configuration management	YAML	Configuring software on existing servers (different category)

Terraform's biggest advantage is multi-cloud support — same syntax, every provider. CloudFormation is AWS-only and tightly integrated. Pulumi appeals to teams that want a real programming language. Ansible occupies a different category — it's better for configuring software on existing servers than provisioning the servers themselves.

How Terraform works: write, plan, apply

Terraform's daily workflow is three commands. Once you know what each one does, the rest of the tool makes sense.

Step 1: Write

Create .tf files (Terraform configuration files) that describe the infrastructure you want — resources like virtual machines, databases, networks, IAM roles. Each file is just plain text in HCL.

Step 2: Plan

terraform plan

Terraform reads your configuration files, compares them to the current state of your infrastructure, and shows you exactly what it will create, modify, or destroy — before changing anything. This is your safety net.

Step 3: Apply

terraform apply

Terraform executes the changes shown in the plan, calling the cloud provider's API to create, update, or delete resources to match your configuration.

There's also terraform destroy, which removes everything Terraform created — useful for tearing down test environments to avoid charges.

Core Terraform concepts

Five concepts come up constantly. Get comfortable with these and the rest of Terraform becomes a matter of looking up provider-specific resource names.

Providers

Plugins that let Terraform interact with specific cloud platforms or services. The AWS provider talks to the AWS API, the Azure provider talks to the Azure API, and so on. You declare which provider you need and Terraform downloads the right plugin during terraform init. Browse the full catalogue at registry.terraform.io.

Resources

The building blocks of your infrastructure. Each resource block defines one component — an EC2 instance, an S3 bucket, an IAM role, a VPC. The first label on a resource block is the type (e.g. aws_s3_bucket), the second is a name you choose for referring to this resource elsewhere in your code.

Variables

Variables make your code reusable. Instead of hard-coding values like the AWS region or instance size, you declare variables and pass values at apply time. The same Terraform code can then deploy a small dev environment or a large production environment by changing only the variable values.

State

Terraform maintains a state file (terraform.tfstate) that records what infrastructure Terraform currently manages. The state file maps your configuration to real-world resources, so Terraform knows what to update, what to leave alone, and what to destroy.

⚠️ State management is the single most important production concern. Never commit terraform.tfstate to Git, and use a remote backend (S3, Azure Blob, Terraform Cloud) for any team work.

Modules

Reusable packages of Terraform configuration. Think of a module as a function: you define one standard VPC setup, then call that module across staging, production, and every new project with different inputs. The Terraform Registry hosts thousands of open-source modules.

Your first Terraform project: a hands-on walkthrough

Before you start you need three things:

An AWS account with Free Tier access (sign up at aws.amazon.com).
AWS CLI installed and configured with your access keys (run aws configure after install).
Terraform installed — download from terraform.io or install via your package manager.

Step 1: Create a project directory

mkdir my-first-terraform && cd my-first-terraform

Step 2: Write a configuration file

Create a file called main.tf:

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-first-terraform-bucket-replace-this-name"
}

This tells Terraform to use the AWS provider in us-east-1 and create an S3 bucket. Replace the bucket name with something globally unique — S3 bucket names must be unique across all of AWS.

Step 3: Initialise Terraform

terraform init

This downloads the AWS provider plugin. Run it once per project, plus again when you add new providers or change provider versions.

Step 4: Preview the changes

terraform plan

Terraform shows what it will do. In this case: 1 to add, 0 to change, 0 to destroy — creating one new S3 bucket. Always read the plan output before applying.

Step 5: Apply the changes

terraform apply

Type yes when prompted. Terraform creates the S3 bucket. Verify it in the AWS S3 console.

Step 6: Clean up

terraform destroy

Removes the S3 bucket so you don't incur any charges. Type yes to confirm. This matters: Terraform makes it easy to create real resources accidentally, so always destroy what you don't need.

A working VPC and EC2 example

A more realistic configuration that creates a VPC, an Internet Gateway, a public subnet with routing, a security group, and an EC2 instance that is actually reachable from the internet on port 80. The AMI is fetched dynamically so the example doesn't rot when AWS publishes a new Amazon Linux image.

provider "aws" {
  region = "us-east-1"
}

# Look up the latest Amazon Linux 2023 AMI dynamically
data "aws_ami" "amazon_linux" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }
}

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  tags = { Name = "main-vpc" }
}

resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "main-igw" }
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
  tags                    = { Name = "public-subnet" }
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.main.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_security_group" "web" {
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "web" {
  ami                    = data.aws_ami.amazon_linux.id
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.public.id
  vpc_security_group_ids = [aws_security_group.web.id]
  tags                   = { Name = "web-server" }
}

Notice how resources reference each other:

The Internet Gateway attaches to the VPC (aws_vpc.main.id).
The route table sits inside the VPC and forwards 0.0.0.0/0 traffic to the gateway.
The route table is then associated with the public subnet so instances in that subnet can reach the internet.
The EC2 instance lives in the public subnet and uses the security group that allows port 80 inbound from anywhere.

Terraform works out the correct creation order automatically based on these references.

Best practices for beginners

Five habits to build from your first project, in order of how much pain they save you.

1. Always run terraform plan before terraform apply. Read the plan output carefully, particularly look for any destroy actions you didn't expect. One wrong configuration change can drop a production database. Treat plan output as a contract.

2. Use variables instead of hard-coded values. Region, instance type, environment name, CIDR blocks, tags — none of these should be hard-coded. Create a separate .tfvars file for each environment (dev.tfvars, staging.tfvars, prod.tfvars) and pass the right one at apply time.

3. Use a remote backend for state. Once more than one person works on the codebase, store terraform.tfstate in S3 (or Azure Blob, or Terraform Cloud) with state locking via DynamoDB. Never commit the state file to Git — it contains secrets in plain text.

4. Extract reusable patterns into modules. The first time you write a VPC, write it as plain resources. The second time, extract it into a module. By the third project you will save hours.

5. Tag every resource. At minimum tag with environment (dev / staging / prod), owner, and cost-centre. Untagged resources become impossible to attribute and trim when the AWS bill grows.

Frequently asked questions

Is Terraform free?

The Terraform CLI is free to download and use. Since August 2023 it is licensed under the Business Source License (BUSL) rather than fully open-source, which restricts commercial competitive use but not normal day-to-day work. Terraform Cloud has a free tier for small teams (up to 500 resources) and paid tiers for larger organisations. If you specifically want a fully open-source IaC tool, OpenTofu is the MPL-licensed fork.

Do I need to know programming to use Terraform?

No general-purpose programming is required. HCL is a configuration language, closer to JSON or YAML than to Python. If you can read and edit a JSON file, you can write Terraform. The mental model for variables, references, and modules will take a week or two but doesn't require previous coding experience.

Should I learn Terraform or CloudFormation first?

If you work exclusively with AWS, either tool is fine. If you work with multiple cloud providers, or want the broadest job market, learn Terraform. Most DevOps job listings that mention IaC list Terraform first. Some AWS-only shops still use CloudFormation for tighter integration with AWS services.

What is OpenTofu and should I use it instead of Terraform?

OpenTofu is a Linux Foundation-maintained fork of Terraform 1.5.5, created in September 2023 after HashiCorp moved Terraform to the BUSL license. It keeps the MPL 2.0 open-source license and is largely a drop-in replacement — same HCL syntax, same workflow, same provider ecosystem. For learning, start with Terraform because more employers list it by name. Switching to OpenTofu later is straightforward if your company prefers it.

How do I store Terraform state safely?

Never commit terraform.tfstate to Git — it can contain secrets in plain text. For team work, use a remote backend: S3 with DynamoDB-based state locking is the most common AWS pattern; Terraform Cloud is the easiest if you want a managed solution; Azure Blob Storage and Google Cloud Storage work for Azure and GCP-centric teams. Configure the backend block in your Terraform configuration and run terraform init to migrate.

Can I use Terraform with Azure and GCP, not just AWS?

Yes — Terraform's biggest strength is multi-cloud support. The Azure provider (azurerm), Google Cloud provider (google), Alibaba Cloud provider (alicloud), and hundreds of others all use the same workflow. The configuration syntax is the same; only the resource names change.

How long does it take to learn Terraform?

You can deploy your first Terraform configuration in one to two weeks of part-time study. Becoming proficient with modules, remote state, workspaces, and production patterns takes two to three months. The Terraform Associate certification typically takes four to six weeks of preparation on top of basic familiarity.

Next steps

The order I recommend at Sherdil:

Get comfortable with the six-step S3 walkthrough above.
Build the VPC + EC2 example end-to-end.
Learn variables and modules.
Set up a remote backend.
Book the HashiCorp Certified: Terraform Associate (003) exam — multiple-choice, ~$70 USD, the entry-level cert employers recognise.

For a structured deep-dive, the Mastering Terraform Course at Sherdil E-Learning covers everything above in depth plus the production-pattern material needed for the Terraform Associate exam. For learners who want IaC in the context of a full DevOps stack, the DevOps Engineer Course sequences Terraform alongside Docker, Kubernetes, AWS, and CI/CD.

About the author

Muhammad Usman Khan is a Lead Cloud Instructor at Sherdil E-Learning, holding the Alibaba Cloud ACP certification along with AWS and Azure credentials. He is an expert trainer in AWS and Google Cloud, having delivered 1,500+ hours of training across 12+ countries and successfully completed 50+ multi-cloud projects.

💬 Found this useful? Drop a ❤️ or a 🦄, and let me know in the comments what you'd like the next deep-dive to cover — remote backends, modules, or a Terraform Cloud walkthrough?

📖 Full original article (with diagrams): elearning.sherdil.org/pages/terraform-tutorial-beginners-iac

DEV Community: E-Learning Sherdil