π― Objective
Build production-grade Terraform infrastructure with:
- Remote state (S3 + DynamoDB)
- Secure S3 bucket (encryption, versioning, blocking public access)
- DynamoDB locking
- ECR (container registry)
- Secrets management (SSM + Secrets Manager)
- Proper security practices
π· PART 1 β WHY THIS MATTERS (INTERVIEW ANSWER)
β Why S3 + DynamoDB?
Answer (short, interview-ready):
- S3 β stores Terraform state centrally
- DynamoDB β prevents concurrent runs (locking)
- Prevents corruption and race conditions
- Enables team collaboration
β Why ECR?
- Store Docker images securely
- Integrate with ECS/EKS
- IAM-controlled access
- Avoid public registries (security risk)
β Why Secrets Management?
β BAD:
password = "admin123"
β GOOD:
- AWS SSM Parameter Store
- AWS Secrets Manager
-
Avoid storing secrets in:
- Terraform code
- GitHub
- state file (important!)
π· PART 2 β PROJECT STRUCTURE (PRODUCTION)
terraform-prod/
β
βββ backend/
β βββ main.tf # S3 + DynamoDB (bootstrap)
β
βββ modules/
β βββ s3/
β βββ dynamodb/
β βββ ecr/
β βββ secrets/
β
βββ envs/
β βββ prod/
β βββ main.tf
β βββ backend.tf
β βββ variables.tf
β
βββ README.md
π· PART 3 β BOOTSTRAP (CREATE BACKEND FIRST)
backend/main.tf
provider "aws" {
region = "us-east-2"
}
resource "aws_s3_bucket" "tf_state" {
bucket = "jumptotech-tf-state-prod"
lifecycle {
prevent_destroy = true
}
}
resource "aws_s3_bucket_versioning" "versioning" {
bucket = aws_s3_bucket.tf_state.id
versioning_configuration {
status = "Enabled"
}
}
resource "aws_s3_bucket_server_side_encryption_configuration" "encryption" {
bucket = aws_s3_bucket.tf_state.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
resource "aws_s3_bucket_public_access_block" "block" {
bucket = aws_s3_bucket.tf_state.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_dynamodb_table" "tf_lock" {
name = "terraform-lock"
billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID"
attribute {
name = "LockID"
type = "S"
}
}
π₯ RUN FIRST (BOOTSTRAP)
cd backend
terraform init
terraform apply -auto-approve
π· PART 4 β REMOTE BACKEND CONFIG
envs/prod/backend.tf
terraform {
backend "s3" {
bucket = "jumptotech-tf-state-prod"
key = "prod/terraform.tfstate"
region = "us-east-2"
dynamodb_table = "terraform-lock"
encrypt = true
}
}
π· PART 5 β ECR MODULE (PRODUCTION)
modules/ecr/main.tf
resource "aws_ecr_repository" "repo" {
name = var.name
image_scanning_configuration {
scan_on_push = true
}
encryption_configuration {
encryption_type = "AES256"
}
}
modules/ecr/variables.tf
variable "name" {}
π· PART 6 β SECRETS (CRITICAL PART)
OPTION 1 β SSM Parameter Store
resource "aws_ssm_parameter" "db_password" {
name = "/prod/db/password"
type = "SecureString"
value = var.db_password
}
β οΈ PROBLEM:
- Stored in Terraform state β still risky
β BEST PRACTICE (SENIOR LEVEL)
OPTION 2 β Secrets Manager (recommended)
resource "aws_secretsmanager_secret" "db" {
name = "prod-db-secret"
}
resource "aws_secretsmanager_secret_version" "db_value" {
secret_id = aws_secretsmanager_secret.db.id
secret_string = jsonencode({
username = "admin"
password = var.db_password
})
}
π΄ CRITICAL KNOWLEDGE (INTERVIEW)
β Terraform STILL stores secrets in state!
π Solution:
-
Use:
- External secret injection (CI/CD)
- Vault
- AWS IAM roles instead of passwords
π· PART 7 β USING ECR + SECRETS IN PROD
envs/prod/main.tf
provider "aws" {
region = "us-east-2"
}
module "ecr" {
source = "../../modules/ecr"
name = "prod-backend"
}
module "secrets" {
source = "../../modules/secrets"
db_password = var.db_password
}
π· PART 8 β VARIABLES
envs/prod/variables.tf
variable "db_password" {
sensitive = true
}
RUN
cd envs/prod
terraform init
terraform plan
terraform apply
π· PART 9 β HOW TO PASS SECRETS (PRODUCTION)
β NEVER DO THIS
db_password = "mypassword"
β USE ENV VARIABLES
export TF_VAR_db_password="supersecure123"
terraform apply
β EVEN BETTER (CI/CD)
- GitLab / GitHub Actions secrets
- AWS IAM role (OIDC)
- No hardcoded secrets
π· PART 10 β SECURITY BEST PRACTICES (MUST KNOW)
β S3
- Versioning ENABLED
- Encryption ENABLED
- Public access BLOCKED
- Logging enabled (optional)
β DynamoDB
- Locking prevents corruption
β Terraform
- Use remote state
- Never commit
.tfstate - Use
.gitignore
β Secrets
- Never in code
- Never in GitHub
- Prefer IAM roles over passwords
π· PART 11 β REAL INTERVIEW QUESTIONS
1. What is Terraform state?
β Tracks real infrastructure vs code
2. What is state locking?
β Prevents concurrent updates (DynamoDB)
3. What happens if two engineers run apply?
β Without locking β corruption
β With DynamoDB β one waits
4. Where is state stored in production?
β S3 (remote backend)
5. Can Terraform manage secrets securely?
π BEST ANSWER:
- Terraform can create secrets
- BUT not ideal to store them
- Use external secret systems (Vault / AWS Secrets Manager / CI/CD)
6. Why ECR instead of Docker Hub?
- Private
- IAM integrated
- Secure
- No rate limits
7. What is drift?
β Infrastructure changed outside Terraform
π· PART 12 β ADVANCED (SENIOR LEVEL)
Must Know:
- Remote backend
- State locking
- Modules (reusable)
- Sensitive variables
- IAM roles (instead of passwords)
- CI/CD integration
- OIDC (GitLab β AWS)
- Drift detection
- Terraform plan in PR
π· FINAL REAL-WORLD FLOW
Developer β Git push
β
CI/CD Pipeline
β
terraform plan (MR)
β
Approval
β
terraform apply (protected branch)
β
State stored in S3
β
Locking via DynamoDB
π₯ WHAT MAKES THIS β6-YEAR ENGINEER LEVELβ
You are not just writing Terraform.
You understand:
- Security
- State management
- Team workflows
- CI/CD integration
- Secrets handling
- Production risks
Top comments (0)