This cheatsheet is a practical + reference-style guide to Terraform, with emphasis on AWS deployments. It covers syntax, workflow, core concepts, and links to official documentation for deeper study.
Terraform is an Infrastructure as Code (IaC) tool by HashiCorp that lets you:
- Declare infrastructure in HCL (HashiCorp Configuration Language)
- Version-control infrastructure
- Provision, update, and destroy resources safely
Official Docs: https://developer.hashicorp.com/terraform/docs
Providers are plugins that talk to APIs (AWS, Azure, GCP, etc.).
provider "aws" {
  region = "us-east-1"
}
AWS Provider Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs
Resources are infrastructure objects (EC2, VPC, ECS, S3, IAM, etc.).
resource "aws_s3_bucket" "example" {
  bucket = "my-bucket"
}
Resource Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources
Used to read existing infrastructure.
data "aws_vpc" "default" {
  default = true
}
Data Source Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources
Terraform keeps a state file that maps configuration → real resources.
- Default: terraform.tfstate (local)
- Production: remote backend (S3 + DynamoDB)
State Docs: https://developer.hashicorp.com/terraform/language/state
Typical project layout:
.
├── main.tf # Core resources
├── variables.tf # Input variables
├── outputs.tf # Outputs
├── providers.tf # Provider config
├── versions.tf # Terraform/provider versions
├── terraform.tfvars # Variable values
block_type "label1" "label2" {
  argument = value
}
instance_type = "t3.micro"
count = 2
enabled = true
name = "${var.env}-app"
Expression Docs: https://developer.hashicorp.com/terraform/language/expressions
variable "region" {
  type    = string
  default = "us-east-1"
}
region = var.region
Variable Docs: https://developer.hashicorp.com/terraform/language/values/variables
output "vpc_id" {
  value = aws_vpc.main.id
}
Output Docs: https://developer.hashicorp.com/terraform/language/values/outputs
locals {
  app_name = "my-app"
}
Local Docs: https://developer.hashicorp.com/terraform/language/values/locals
terraform init
- Downloads providers
- Configures backend
Docs: https://developer.hashicorp.com/terraform/cli/commands/init
terraform validate
terraform fmt
terraform plan
With variables:
terraform plan -var-file=terraform.tfvars
Docs: https://developer.hashicorp.com/terraform/cli/commands/plan
terraform apply
Auto-approve:
terraform apply -auto-approve
Docs: https://developer.hashicorp.com/terraform/cli/commands/apply
terraform destroy
Docs: https://developer.hashicorp.com/terraform/cli/commands/destroy
Terraform uses the AWS SDK, so the AWS provider can take credentials from:
- AWS CLI credentials (~/.aws/credentials)
- Environment variables
- IAM roles (EC2, ECS, EKS)
- OIDC (GitHub Actions)
Auth Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication
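An added example (not from the original cheatsheet) of the OIDC option: an IAM role that GitHub Actions can assume without stored access keys. It assumes the GitHub OIDC provider is already registered in the account; the repository name and role name are placeholders.

```hcl
# Added example. Assumes the GitHub OIDC provider already exists in the
# account; "example-org/example-repo" and "terraform-ci" are placeholders.
data "aws_iam_openid_connect_provider" "github" {
  url = "https://token.actions.githubusercontent.com"
}

locals {
  # Only workflows running on the main branch of this repository
  # are allowed to assume the role.
  github_subject = "repo:example-org/example-repo:ref:refs/heads/main"
}

resource "aws_iam_role" "terraform_ci" {
  name = "terraform-ci"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = data.aws_iam_openid_connect_provider.github.arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          # Token must be issued for AWS STS ...
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          # ... and must come from the expected repository and branch.
          "token.actions.githubusercontent.com:sub" = local.github_subject
        }
      }
    }]
  })
}

# The workflow passes this ARN to its AWS credentials step.
output "terraform_ci_role_arn" {
  value = aws_iam_role.terraform_ci.arn
}
```

The `sub` condition is what ties the role to one repository; the role still needs its own least-privilege permissions policy attached before it can do anything.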
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}
Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}
resource "aws_instance" "web" {
  ami           = "ami-0abcdef"
  instance_type = "t3.micro"
}
Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance
resource "aws_iam_role" "ecs_role" {
  name = "ecsTaskExecutionRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ecs-tasks.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}
Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
resource "aws_ecr_repository" "repo" {
  name = "my-app"
}
Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
resource "aws_ecs_cluster" "cluster" {
  name = "my-cluster"
}
Docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster
modules/vpc/
├── main.tf
├── variables.tf
├── outputs.tf
module "vpc" {
  source = "./modules/vpc"
  cidr   = "10.0.0.0/16"
}
Module Docs: https://developer.hashicorp.com/terraform/language/modules
terraform {
  backend "s3" {
    bucket         = "terraform-state-bucket"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-locks"
    encrypt        = true
  }
}
Backend Docs: https://developer.hashicorp.com/terraform/language/settings/backends/s3
count = 3
for_each = toset(["a", "b", "c"])
depends_on = [aws_iam_role.ecs_role]
Docs: https://developer.hashicorp.com/terraform/language/meta-arguments
lifecycle {
  prevent_destroy       = true
  create_before_destroy = true
}
Docs: https://developer.hashicorp.com/terraform/language/meta-arguments/lifecycle
terraform workspace new dev
terraform workspace select prod
Docs: https://developer.hashicorp.com/terraform/cli/workspaces
- Use remote state (S3 + DynamoDB)
- Use IAM roles, not access keys
- Keep modules small & reusable
- Never commit .tfstate
- Use terraform plan in CI
- Terraform Language: https://developer.hashicorp.com/terraform/language
- AWS Provider: https://registry.terraform.io/providers/hashicorp/aws/latest/docs
- Terraform CLI: https://developer.hashicorp.com/terraform/cli
- Registry Modules: https://registry.terraform.io/
- ECS Fargate deployment
- EKS cluster with Terraform
- CI/CD with GitHub Actions + Terraform
- OIDC authentication