Executive Summary
Terraform dominates Infrastructure as Code at 72% adoption in 2026. OpenTofu (the open-source fork) provides an MPL-licensed alternative. Pulumi at 28% offers IaC with real programming languages. AWS CDK at 22% serves AWS-only environments. Key trends: GitOps for infrastructure (Atlantis, Spacelift), policy as code (Sentinel, OPA), cost estimation (Infracost), and testing frameworks (terraform test, Terratest).
Part 1: Infrastructure as Code Fundamentals
Infrastructure as Code (IaC) manages infrastructure through configuration files instead of manual processes. Benefits: version control, reproducibility, automation, collaboration, and documentation. IaC tools are either declarative (Terraform: you describe what you want) or imperative (Ansible: you describe how to get there). Terraform uses HCL to declare the desired state; the engine calculates and applies the changes needed to reach it.
[Chart: IaC Tool Adoption (2018-2026). Source: OnlineTools4Free Research]
Part 2: HCL and Terraform Language
HCL (HashiCorp Configuration Language) is declarative and human-readable. Core constructs: resource blocks define infrastructure, variable blocks define inputs, output blocks export values, data blocks reference existing resources, locals compute values. Control flow: for_each (iterate over maps/sets), count (create N instances), conditionals (ternary). Functions: string, numeric, collection, filesystem, and encoding functions.
Terraform Commands Reference
| Command | Category | Description | Key Flags |
|---|---|---|---|
| terraform init | Setup | Initialize directory, download providers and modules | -backend-config, -upgrade |
| terraform plan | Planning | Preview changes without applying | -out, -var, -target |
| terraform apply | Execution | Apply changes to reach desired state | -auto-approve, plan.tfplan |
| terraform destroy | Teardown | Destroy all managed resources | -auto-approve, -target |
| terraform validate | Validation | Validate configuration syntax | |
| terraform fmt | Formatting | Format files to canonical style | -check, -recursive |
| terraform state list | State | List resources in state | |
| terraform import | State | Import existing infrastructure | |
| terraform workspace | Workspace | Manage workspaces | new, select, list |
| terraform output | Output | Display output values | -json, -raw |
Part 3: State Management
State maps configuration to real infrastructure. Remote backends (S3, GCS, Terraform Cloud) enable team collaboration with locking. State locking prevents concurrent modifications. Never edit state manually. Split state by team/component to reduce blast radius. Enable encryption and versioning for security and recovery.
State Backend Comparison
| Backend | Cloud | Locking | Best For |
|---|---|---|---|
| S3 + DynamoDB | AWS | DynamoDB table | AWS teams, most common |
| GCS | GCP | Built-in | GCP teams |
| Azure Blob | Azure | Blob leasing | Azure teams |
| Terraform Cloud | Any | Built-in | Team collaboration |
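Why the state backend needs encryption and tight access control, shown as an added example (not part of the original guide): Terraform state records resource attributes and output values in plaintext, including ones marked sensitive. The audit below reports where likely secrets sit in a state document without printing them; the sample state and the name heuristic are constructed assumptions.

```python
import json
import re

# Constructed sample in the shape of a version-4 state file (trimmed to the
# fields read below); the values are made up, not taken from a real deployment.
STATE_JSON = """
{
  "version": 4,
  "outputs": {
    "db_endpoint": {"value": "db.example.internal:5432", "type": "string"},
    "db_password": {"value": "constructed-pw-1", "type": "string", "sensitive": true}
  },
  "resources": [
    {"mode": "managed", "type": "aws_db_instance", "name": "main",
     "instances": [{"attributes": {"username": "app", "password": "constructed-pw-1",
                                   "tags": {"env": "prod"}}}]},
    {"mode": "managed", "type": "tls_private_key", "name": "deploy",
     "instances": [{"attributes": {"algorithm": "ED25519",
                                   "private_key_pem": "constructed-key-material"}}]}
  ]
}
"""

# Assumed naming heuristic for secret-bearing attributes; tune per provider.
SECRET_NAME = re.compile(r"password|secret|token|private_key", re.IGNORECASE)


def walk(node, path=""):
    """Yield (dotted_path, value) for every non-empty string leaf under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str) and node:
        yield path, node


def find_plaintext_secrets(state: dict) -> list[str]:
    """Return locations (never values) of likely secrets stored in the state."""
    hits = [f"output.{name}" for name, out in state.get("outputs", {}).items()
            if out.get("sensitive")]
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            for path, _ in walk(inst.get("attributes", {})):
                if SECRET_NAME.search(path.rsplit(".", 1)[-1]):
                    hits.append(f"{res['type']}.{res['name']}.{path}")
    return hits
```

Any hit means that whoever can read the backend object, or a state file committed to Git, can read that credential.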
Part 4: Modules
Modules are reusable packages of configuration. Design: one concern per module, variables for inputs, outputs for exports, documentation with terraform-docs. Version with Git tags. Consume from Terraform Registry or Git. Pin versions. Test with terraform test or Terratest. Avoid deeply nested or overly generic modules.
Part 5: IaC Tools Comparison
Terraform: HCL, multi-cloud, largest ecosystem. OpenTofu: open-source fork, API-compatible. Pulumi: real programming languages, IDE support. AWS CDK: TypeScript for AWS, generates CloudFormation. CloudFormation: AWS-native, managed state. Ansible: procedural, config management focus. Choose based on: multi-cloud needs, team expertise, and ecosystem requirements.
IaC Tools Comparison (2026)
| Tool | Language | Approach | Cloud Support | Best For |
|---|---|---|---|---|
| Terraform | HCL | Declarative | Multi-cloud (1000+ providers) | Multi-cloud, mature ecosystem |
| OpenTofu | HCL | Declarative | Same as Terraform | Open-source Terraform alternative |
| Pulumi | TS/Python/Go/C# | Imperative + Declarative | Multi-cloud | Programming language IaC |
| AWS CDK | TS/Python/Java | Imperative (generates CFN) | AWS only | AWS-only, TypeScript teams |
| CloudFormation | JSON/YAML | Declarative | AWS only | AWS-native, managed state |
| Ansible | YAML | Procedural | Multi-cloud + on-prem | Config management, server provisioning |
[Chart: Terraform vs Pulumi (2022-2026). Source: OnlineTools4Free Research]
Part 6: Best Practices
Code: use modules for reusability, for_each over count, pin provider versions, commit lock file. State: remote backend with locking, encrypt at rest, split by blast radius. CI/CD: fmt, validate, lint, security scan, plan, approve, apply. Security: never commit secrets, use secret manager data sources, policy as code (Sentinel/OPA). Operations: detect and fix drift, version modules, document with terraform-docs.
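The policy-as-code step of that pipeline, sketched as an added example (not from the original guide and not Sentinel or OPA themselves): a gate that reads the JSON form of a saved plan and fails the pipeline before approve/apply. The plan document, the two policies and the function name are constructed assumptions.

```python
import json

# Constructed sample in the shape of `terraform show -json plan.tfplan`
# (only the fields the checks read); not output from a real run.
PLAN_JSON = """
{
  "resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
       {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
       {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["delete", "create"], "after": {"storage_encrypted": false}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["no-op"], "after": {"bucket": "example-logs"}}}
  ]
}
"""

ADMIN_PORTS = {22, 3389}               # assumed policy: no SSH/RDP from the internet
PROTECTED_TYPES = {"aws_db_instance"}  # assumed policy: never destroy databases


def evaluate_plan(plan: dict) -> list[str]:
    """Return one violation string per policy breach found in the plan."""
    violations = []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        after = rc["change"].get("after") or {}    # "after" is null on delete
        addr, rtype = rc["address"], rc["type"]
        if "delete" in actions and rtype in PROTECTED_TYPES:
            violations.append(f"{addr}: plan destroys a protected resource")
        if actions == ["no-op"] or actions == ["delete"]:
            continue                                # nothing new to inspect
        if rtype == "aws_security_group":
            for rule in after.get("ingress") or []:
                open_world = "0.0.0.0/0" in (rule.get("cidr_blocks") or [])
                all_ports = str(rule.get("protocol")) == "-1"   # "-1" = every protocol/port
                ports = range(rule["from_port"], rule["to_port"] + 1)
                if open_world and (all_ports or any(p in ports for p in ADMIN_PORTS)):
                    violations.append(f"{addr}: admin port open to 0.0.0.0/0")
        if rtype == "aws_db_instance" and not after.get("storage_encrypted"):
            violations.append(f"{addr}: storage_encrypted is not true")
    return violations


if __name__ == "__main__":
    found = evaluate_plan(json.loads(PLAN_JSON))
    print("\n".join(found) or "plan passes policy")
    raise SystemExit(1 if found else 0)
```

A replacement shows up as a delete plus a create in `actions`, so the protected-resource rule also catches changes that force a database to be recreated.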
Glossary (40 Terms)
HCL
Category: Language. HashiCorp Configuration Language. Declarative language for defining infrastructure. Supports expressions, functions, loops (for_each, count), and conditionals.
Provider
Category: Core. Plugin implementing resource types for a platform. AWS, GCP, Azure providers. 1000+ on Terraform Registry. Each has its own resources and data sources.
Resource
Category: Core. An infrastructure object managed by Terraform (aws_instance, google_compute_instance). Terraform tracks state and applies changes to reach desired state.
State
Category: Core. JSON file mapping configuration to real infrastructure. Remote state (S3, GCS) enables collaboration. State locking prevents concurrent modifications.
Module
Category: Organization. Reusable package of Terraform configuration. Contains resources, variables, outputs. Published to Registry or private registries. Promotes DRY code.
Variable
Category: Language. Input parameter for configuration. Types: string, number, bool, list, map, object. Set via -var, .tfvars, env vars, or defaults.
Output
Category: Language. Value exported from a module. Used for display, inter-module communication, and sharing infrastructure details.
Data Source
Category: Core. Read-only reference to existing infrastructure. Queries provider API during plan/apply. Used for referencing shared resources.
Backend
Category: State. Where state is stored. Local (default) or remote (S3, GCS, Terraform Cloud). Remote enables collaboration and locking.
State Locking
Category: State. Prevents concurrent state modifications. DynamoDB for AWS, built-in for GCS/TF Cloud. Essential for teams.
Workspace
Category: Organization. Isolated state file within same configuration. Used for managing dev/staging/prod with one codebase.
Plan
Category: Workflow. Preview of changes. Shows resources to create (+), update (~), or destroy (-). Always review before apply.
Apply
Category: Workflow. Execute planned changes. Creates, updates, or destroys infrastructure via API calls.
Terragrunt
Category: Tooling. Wrapper for Terraform providing DRY config, remote state management, and dependency management. Reduces boilerplate.
OpenTofu
Category: Tooling. Open-source fork of Terraform (Linux Foundation). MPL-licensed, API-compatible. Created after BSL license change.
for_each
Category: Language. Creates multiple resource instances from map/set. Each instance has unique key. Better than count for named instances.
count
Category: Language. Creates multiple instances by number. Indexed (0,1,2). Limitation: removing shifts indexes, causing unnecessary destroys.
Dynamic Block
Category: Language. Generates repeated nested blocks inside resources. Reduces repetitive configuration. Use sparingly for readability.
Lifecycle Block
Category: Language. Controls resource lifecycle: create_before_destroy, prevent_destroy, ignore_changes, replace_triggered_by.
Terraform Import
Category: Workflow. Bring existing infrastructure under Terraform management. Adds to state. Import blocks (TF 1.5+) generate config automatically.
Sentinel
Category: Governance. HashiCorp policy-as-code framework. Enforces policies on plans before apply. Available in TF Cloud/Enterprise. Alternative: OPA.
State Drift
Category: Operations. When real infrastructure differs from state. Caused by manual changes. Detect with terraform plan. Fix with apply or import.
tfsec
Category: Security. Static analysis for Terraform security. Scans for misconfigurations. Now part of Trivy. Alternative: Checkov.
Infracost
Category: Cost. Cloud cost estimation for Terraform plans. Shows cost impact before apply. Integrates with CI/CD.
terraform-docs
Category: Tooling. Auto-generate module documentation from variables, outputs, and descriptions. Markdown/JSON output.
Moved Block
Category: Language. TF 1.1+ feature for refactoring. Tells Terraform a resource was renamed/moved without destroy/recreate.
Terraform Cloud
Category: Platform. HashiCorp managed service. Remote state, team access, policy as code, private registry, VCS integration.
Pulumi
Category: Alternative. IaC tool using general-purpose languages (TypeScript, Python, Go). Full programming language power. Alternative to Terraform.
Remote State Data Source
Category: State. Read outputs from another Terraform state. Used for cross-project resource references.
Provisioner
Category: Feature. Runs scripts on resources after creation. Best practice: avoid. Use cloud-init or config management instead.
Backend Migration
Category: Operations. Moving state between backends. terraform init -migrate-state. Always backup before migration.
Module Composition
Category: Design. Building complex infra by combining smaller modules. Root module orchestrates child modules. Avoid deep nesting.
Policy as Code
Category: Governance. Defining compliance rules as executable code. Evaluate against plans before apply. Sentinel, OPA/Conftest, Checkov.
Blast Radius
Category: Design. Potential impact of a change. Smaller state files = smaller blast radius. Split by team, lifecycle, risk.
Terraform Registry
Category: Ecosystem. Public repository for providers and modules. Verified modules. Private registries for internal modules.
Terraform Testing
Category: Quality. Testing levels: validate (syntax), tflint (lint), tfsec (security), plan (preview), terraform test (TF 1.6+), Terratest (integration).
DRY Configuration
Category: Practice. Avoid repetition with: modules, variables, for_each, locals, Terragrunt. No copy-paste across environments.
GitOps for Infrastructure
Category: Practice. Git as source of truth. PRs for changes, review, automated plan/apply. Tools: TF Cloud, Atlantis, Spacelift.
Check Block
Category: Language. TF 1.5+ continuous validation. Asserts conditions about infrastructure. Runs during plan and apply.
Ephemeral Resources
Category: Language. TF 1.10+ resources existing only during plan/apply, not stored in state. For temporary credentials.
