Terraform
Terraform is an open-source Infrastructure as Code tool by HashiCorp. It enables declarative definition, provisioning, and management of cloud infrastructure across providers like AWS, Azure, and GCP.
What Is Terraform?
Terraform is the most widely used open-source tool for Infrastructure as Code (IaC). Developed by HashiCorp, Terraform enables declarative definition of your entire cloud infrastructure in configuration files. You describe the desired state – Terraform calculates the necessary changes and executes them.
For mid-market companies, Terraform offers a decisive advantage: working cloud-agnostically. Whether AWS, Azure, Google Cloud, or a combination – Terraform manages infrastructure through a unified language and workflow.
HashiCorp Configuration Language (HCL)
Terraform uses its own language, HCL (HashiCorp Configuration Language). HCL is declarative, human-readable, and specifically designed for infrastructure definition:
- Resources: The building blocks – every infrastructure component (EC2 instance, S3 bucket, VPC) is defined as a resource.
- Providers: Plugins that handle communication with cloud APIs. Over 3,000 providers are available.
- Variables: Parameterise your configuration for different environments (dev, staging, prod).
- Outputs: Export values like IP addresses or DNS names after apply.
- Data Sources: Read existing information from the cloud (e.g., current AMI ID).
Declarative vs. Imperative
Terraform works declaratively: you describe WHAT you want, not HOW it should be created. If you say "I want three EC2 instances," Terraform checks the current state. If two already exist, it creates only one more. If four exist, it deletes one. This approach is more robust and less error-prone than imperative scripts.
State Management
The Terraform state is the heart of Terraform. It stores the mapping between your configuration and actual cloud resources. Without state, Terraform would not know which resources it manages.
- Local State: By default, Terraform stores state as a file (terraform.tfstate). Unsuitable for teams as concurrent editing is not possible.
- Remote State: Essential in practice. S3 + DynamoDB (for state locking) is the most proven setup for AWS. Terraform Cloud offers a hosted alternative.
- State Locking: Prevents two people from making changes simultaneously. Absolutely mandatory in teams.
State Security
The state contains sensitive data such as database passwords in plain text. Encrypt the state in the remote backend (S3 Server-Side Encryption) and restrict access via IAM policies.
Terraform Modules
Modules are reusable Terraform configurations. Instead of repeating the same VPC configuration in every project, you create a VPC module and call it with different parameters. The Terraform Registry offers thousands of public modules.
Practical example: A mid-market company creates three internal modules – VPC, EKS cluster, RDS database. Every new project uses these modules and has a complete, consistent infrastructure within minutes.
Terraform vs. CloudFormation
- Multi-Cloud: Terraform supports AWS, Azure, GCP, and over 3,000 additional providers. CloudFormation supports only AWS.
- Language: Terraform uses HCL (or optionally JSON). CloudFormation uses JSON or YAML – often significantly more verbose.
- State Management: Terraform requires its own state management. CloudFormation manages state automatically within AWS.
- Ecosystem: Terraform has the larger community, more public modules, and better tooling (tflint, tfsec, Terragrunt).
- Drift Detection: terraform plan shows changes even when someone has manually modified something. CloudFormation has drift detection but it is less reliable.
Terraform Best Practices
- Remote State with Locking: From day one. S3 + DynamoDB for AWS.
- Modularisation: Create reusable modules for common patterns.
- Environment Separation: Separate state files per environment. Workspaces or Terragrunt for management.
- CI/CD Integration: terraform plan in the CI pipeline, terraform apply with manual approval.
- Version Pinning: Pin provider and module versions to avoid unexpected changes.
- Code Review: Every Terraform change via pull requests with review.
- Naming Conventions: Consistent resource naming with prefixes for environment and project.
Using Terraform in the Mittelstand
Start small: first define network infrastructure (VPC, subnets, security groups) in Terraform. Then gradually expand to compute (EC2, EKS), storage (S3, RDS), and additional services. This builds experience without having to migrate the entire infrastructure immediately.
Frequently asked questions about Terraform
Terraform is a tool that lets you define cloud infrastructure (servers, networks, databases) in code instead of configuring it manually. You write a configuration file describing what you want, and Terraform automatically creates or modifies the infrastructure.
Terraform (Open Source) is free. Terraform Cloud offers a free tier for up to five users. For larger teams, Terraform Cloud Team & Governance costs approximately $20/user/month, and Terraform Enterprise is available for self-hosted installations.
The basics of HCL and Terraform can be learned in a few days. Creating simple infrastructure is quick. Advanced topics like modules, state management, and CI/CD integration require more experience – expect a few weeks to production readiness.
Yes, this is one of Terraform's greatest strengths. You can use AWS, Azure, GCP, and over 3,000 other providers in the same configuration. For example, you can manage AWS infrastructure and Cloudflare DNS in one project.
For teams, a remote state backend (e.g., S3 + DynamoDB on AWS) is mandatory. It enables concurrent access and prevents two people from making changes simultaneously through state locking. Never store state in Git.
Last updated: April 2026