Glossary of Terms
Terms encountered in the articles of this course. Grouped by topic.
Basic Concepts
Declarative
An approach where the desired state of the infrastructure is described, rather than the steps to achieve it. Terraform itself builds the order of operations from dependencies between resources.
Idempotency
A property: a repeated terraform apply with the same code and the same state does not lead to new changes. If the infrastructure already matches the code, nothing will change.
Determinism
A property: identical code + identical environment → always an identical plan and result. No random choices, no hidden external dependencies.
Immutable infrastructure
An approach where resources are not modified in place, but replaced entirely. In Terraform, this manifests as forces replacement: when certain attributes are changed, the resource is not updated but recreated (destroy + create).
DRY (Don't Repeat Yourself)
A development principle: do not duplicate code. In the context of Terraform, this is a problem solved by Terragrunt: a single backend and provider are described once instead of being copied into each stack.
Drift
A discrepancy between the actual infrastructure and the Terraform state. Occurs when someone manually changes a resource via AWS Console or CLI outside of Terraform.
Blast radius
The scale of potential damage in case of an error. In the context of Terraform, this is an argument for stack isolation and multi-account: a broken apply in dev does not affect prod.
State
State / terraform.tfstate
The state file — a mapping between resources in code and actual resources in the cloud. Stores resource IDs, ARNs, attributes, dependencies, outputs.
Remote backend
Storing state in remote storage (S3, GCS, Azure Blob) instead of a local file. Mandatory for production: provides shared access, versioning, and locking.
Locking
A mechanism to prevent simultaneous apply by two engineers or two pipelines. For S3 backend, it's implemented via DynamoDB (a record with LockID). With Terraform 1.10+, via use_lockfile = true directly in S3.
force-unlock
Forcibly removes a lock by its ID. Used when a previous apply failed (CI crashed, network issue) and the lock is stuck. A dangerous operation: you need to make sure no other apply is actually running.
Sensitive
An attribute of a variable or output (sensitive = true). Hides the value in CLI output. Does not protect data in state — the value is stored in plaintext, so the backend must be encrypted.
Refresh
The process of reading the actual infrastructure state from the provider's API and comparing it with the saved state. Happens automatically before terraform plan. terraform plan -refresh-only — update state without changing infrastructure.
terraform_remote_state
Data source for reading outputs of another Terraform stack. Used to pass data between independent stacks (e.g., VPC → EKS).
Providers
Provider
A binary plugin through which Terraform interacts with a specific cloud or service (AWS, GCP, Kubernetes). Runs as a separate process, communicates with Terraform via gRPC.
gRPC
A remote procedure call protocol used for communication between the Terraform binary and the provider binary. The provider runs once for the entire apply.
required_providers
A block in the Terraform configuration where the source and version of each provider are fixed. Mandatory practice for production — prevents unexpected pulling of breaking changes.
`.terraform.lock.hcl`
Lock file, created during terraform init. Fixes the exact versions of providers and their checksums. Must be committed to git.
alias
A parameter of the provider block, allowing the use of multiple configurations of one provider in the same code — for example, two regions or two AWS accounts.
assume_role
A block in the AWS provider configuration. The CI/CD runner performs AssumeRole into the target IAM role instead of using long-lived keys.
AssumeRole / AssumeRoleWithWebIdentity
AWS STS mechanism: obtaining temporary credentials by assuming an IAM role. AssumeRole — for cross-account access. AssumeRoleWithWebIdentity — for OIDC (exchanging a CI/CD token for credentials).
Eventual consistency
A property of cloud APIs: a created resource may not be available for immediate reading. Providers account for this through retries with backoff. Sometimes explicit depends_on is required.
Authentication and Security
OIDC (OpenID Connect)
An authentication protocol based on OAuth 2.0. In the context of CI/CD: the platform (GitHub Actions, GitLab CI) issues a temporary JWT token, AWS exchanges it for temporary credentials. Does not require storing static keys in CI/CD secrets.
IRSA (IAM Roles for Service Accounts)
A mechanism for binding IAM roles to Kubernetes Service Accounts via OIDC. Allows pods to obtain AWS credentials without storing keys. Configured via Terraform: IAM role + OIDC trust policy.
STS (AWS Security Token Service)
AWS service for issuing temporary credentials. Used in AssumeRole and OIDC authentication.
SCPs (Service Control Policies)
Policies at the AWS Organizations level. Guardrails for all IAM users and roles in an account, including root. Terraform manages them from the management account.
Graph and Lifecycle
DAG (Directed Acyclic Graph)
A directed acyclic graph. A data structure that Terraform builds from resources and their dependencies. Determines the order of creation: a resource is created only after all its dependencies. No cycles.
Implicit dependency
A dependency that Terraform infers automatically from references between resources: subnet_ids = aws_subnet.private[*].id → Terraform automatically builds the dependency.
Explicit dependency / depends_on
An explicit dependency, specified via depends_on. Used when a dependency exists but is not reflected in the resource attributes. Blocks parallelism — do not overuse.
Parallelism
The number of resources created in parallel. Default is 10. Changed via -parallelism=N. Only resources without dependencies between them are created in parallel.
-target
The terraform apply -target=<resource> flag to apply changes only to a specific resource. Violates state integrity — only for emergency situations.
Lifecycle block
create_before_destroy
Lifecycle option: create a new resource before deleting the old one (instead of the standard destroy → create). Used for zero-downtime when recreating Load Balancers, ASG, ACM certificates.
prevent_destroy
Lifecycle option: prevents a resource from being deleted via Terraform. An error occurs if deletion is attempted. Applied to RDS, S3 with data, VPC.
ignore_changes
Lifecycle option: Terraform ignores changes to specified attributes. Used when attributes are managed externally (e.g., desired_capacity in ASG is changed by Auto Scaling).
precondition
A validation block within a resource. Checked before the resource is created. An error appears at the plan stage with a clear message.
forces replacement
A marker in the provider documentation: changing this attribute will cause a destroy + create of the resource. Appears in the plan as -/+.
Modules and Reusability
Root module
The directory from which terraform plan/apply is run. The entry point.
Child module
Any module called via the module {} block from the root or another module.
versions.tf
A file in a module or root configuration with required_version and required_providers blocks. Fixes the minimum Terraform CLI version and provider versions.
`~>` (pessimistic constraint)
Versioning operator: ~> 5.0 allows 5.x, but not 6.x. ~> 5.0.0 — only 5.0.x.
State Refactoring
moved block
A declarative way to rename or move a resource within the state without recreation. Described in code, goes through code review. Appeared in Terraform 1.1.
terraform state mv
CLI command for moving a resource in state. Imperative analog of the moved block — without code review and git history. Used for emergency operations.
terraform state rm
Removes an entry from state without touching the actual resource in AWS. Terraform stops managing the resource.
import block (Terraform 1.5+)
A declarative way to import an existing resource into state. Described in code, applied via a regular terraform apply. An alternative to the terraform import command.
terraform import
CLI command for linking an existing AWS resource to an address in Terraform state. Only adds to state — you need to write the code yourself.
CI/CD and Tools
Plan artifact
Saved result of terraform plan -out=tfplan. Guarantees that terraform apply tfplan will apply exactly the plan that was reviewed.
Atlantis
Open-source tool for automating Terraform via Pull Requests. Listens to webhooks from GitHub/GitLab, runs plan/apply in PR comments.
tflint
Linter for Terraform. Finds issues that terraform validate doesn't see: incorrect instance_type values, deprecated arguments, naming convention violations.
checkov
A tool for checking the security and compliance of Terraform code. Built-in rules for CIS Benchmark, SOC2, PCI-DSS. Supports custom rules.
tfsec / trivy
Scanner for Terraform code for security misconfiguration: S3 without encryption, RDS without deletion_protection, open 0.0.0.0/0.
OPA (Open Policy Agent)
Policy engine. Allows describing rules for Terraform plan as code in the Rego language. Used via conftest to check the JSON plan.
Sentinel
Built-in policy engine for Terraform Cloud / HCP. Plan fails if the policy is not met.
Terratest
Go library for integration testing Terraform modules. Creates real infrastructure, tests, destroys. Expensive — not run on every PR.
TF_LOG
Environment variable to control Terraform logging level. Levels: ERROR, WARN, INFO, DEBUG, TRACE. DEBUG — provider API requests. TRACE — full HTTP requests to the cloud API.
Terragrunt
Terragrunt
A thin wrapper over Terraform to eliminate duplication of backend and provider configuration for a large number of stacks. A tool from Gruntwork.
find_in_parent_folders()
Built-in Terragrunt function: searches for terragrunt.hcl up the directories and includes it via include.
path_relative_to_include()
Built-in Terragrunt function: returns the path of the current directory relative to the root terragrunt.hcl. Used for automatic generation of a unique S3 key for each stack.
run-all
Terragrunt command: finds all stacks in subdirectories, builds a dependency graph between them, and applies them in the correct order. Example: terragrunt run-all apply.
dependency block
A block in Terragrunt: declares a dependency of one stack on another and allows reading its outputs. run-all considers these dependencies when determining the application order.
AWS and Multi-account
AWS Organizations
A service for centralized management of multiple AWS accounts. The root management account manages billing, SCPs, and account structure.
Transit Gateway
AWS service for connecting VPCs from different accounts. Managed via Terraform with two provider aliases.
RAM (Resource Access Manager)
AWS service for sharing resources between accounts. Used to share Transit Gateway with workload accounts.
Kubernetes Integration
Helm provider
Terraform provider for installing Helm charts. Used to bootstrap infrastructure components of the cluster: ingress-nginx, cert-manager, cluster-autoscaler.
GitOps
The practice of managing infrastructure/applications through git as the source of truth. In the context of Kubernetes: ArgoCD or Flux synchronize the cluster state with a git repository.
ArgoCD
Kubernetes-native GitOps tool. Terraform bootstraps ArgoCD via Helm, after which ArgoCD takes over management of application workloads.
Comments