Skip to content
CloudOps
Newsletter
All guides
AI for Terraform By James Joyner IV · · 18 min read

The Best Way to Learn Terraform for Real Infrastructure

The best way to learn Terraform is to build real infrastructure in a throwaway cloud account, in a deliberate order, with state, modules, and CI from day one.

  • #terraform
  • #iac
  • #learning
  • #devops
  • #automation

The best way to learn Terraform is to build real infrastructure in a throwaway cloud account, in a deliberate order, with remote state, modules, and CI wired in from day one — not by watching tutorials or memorizing HCL syntax. Terraform is a tool for managing the lifecycle of real resources, and the hard parts (state, drift, refactoring, multi-environment promotion) only show up once you actually own resources you care about. So you learn it the way you’ll use it: a small project that grows, where every concept gets earned by hitting the problem it solves.

I’ve onboarded a lot of engineers onto Terraform, and the ones who get good fastest all do the same thing — they stop treating it like a syntax course and start treating it like operating a system. Below is the exact staged roadmap I hand them, with mini-projects, real HCL, and the traps that bite almost everyone. It maps directly to how I run Terraform in production today.

Set up the throwaway account first

Before Stage 1, do this once. Create a dedicated cloud account (or a sandbox sub-account / project) that you are willing to delete entirely. Set a hard budget alert at a low number. Use a region you don’t use for anything else. This account exists so you can be reckless about creating and destroying resources without fear, and so a terraform destroy at the end of a session genuinely cleans up.

Install the CLI and confirm it works:

terraform version
terraform -install-autocomplete   # optional but worth it

Everything below assumes you can apply something real, see it in the cloud console, and destroy it. That feedback loop is the entire point.

Stage 1 — Core concepts: providers, resources, plan/apply, state

What to learn: the provider block, a single resource, and the init → plan → apply → destroy loop. Understand that terraform.tfstate is the database mapping your config to real-world objects.

Mini-project: stand up one cheap resource. An S3 bucket, a resource group, a DNS zone — something with no blast radius.

terraform {
  required_version = ">= 1.6.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "learning" {
  bucket = "tf-learning-${random_id.suffix.hex}"
}

resource "random_id" "suffix" {
  byte_length = 4
}
terraform init     # downloads providers, creates .terraform.lock.hcl
terraform plan     # shows what WILL happen, changes nothing
terraform apply    # makes it real, writes state
terraform destroy  # tears it down

Now open terraform.tfstate in an editor. Look at it. See your bucket recorded there. Then run terraform plan again with no changes and watch it say “No changes.” That’s Terraform comparing config, state, and reality.

Beginner trap: thinking the .tf files are the source of truth. They describe intent; state is what Terraform believes exists. The whole rest of your Terraform career is about keeping config, state, and reality in sync. Internalize that now.

Stage 2 — Variables, outputs, and expressions

What to learn: parameterize your config with variable, surface values with output, and use HCL expressions (for, conditionals, functions, locals) instead of copy-paste.

Mini-project: take your Stage 1 resource and make the name, region, and tags all driven by variables, with a sane default tag map applied everywhere.

variable "environment" {
  type        = string
  description = "Deployment environment name"

  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "environment must be dev, staging, or prod."
  }
}

locals {
  common_tags = {
    Environment = var.environment
    ManagedBy   = "terraform"
    Project     = "tf-learning"
  }
}

resource "aws_s3_bucket" "learning" {
  bucket = "tf-learning-${var.environment}-${random_id.suffix.hex}"
  tags   = local.common_tags
}

output "bucket_name" {
  value = aws_s3_bucket.learning.bucket
}

Pass the variable explicitly so you understand precedence:

terraform apply -var="environment=dev"

Beginner trap: reaching for variables for everything. Not every value should be a variable — a value that is the same in every environment is a local, not an input. Over-parameterized modules are miserable to call. Variables are for things that genuinely differ between callers or environments.

Stage 3 — Remote state and locking

What to learn: move state off your laptop into a shared backend, and enable locking so two people (or two CI jobs) can’t corrupt it by running at once.

Mini-project: configure an S3 backend with native state locking (or your cloud’s equivalent — Azure storage account, GCS bucket). Migrate your local state into it.

terraform {
  backend "s3" {
    bucket       = "my-tf-state-bucket"
    key          = "tf-learning/terraform.tfstate"
    region       = "us-east-1"
    encrypt      = true
    use_lockfile = true   # S3-native locking, no DynamoDB needed (TF 1.10+)
  }
}
terraform init -migrate-state   # moves local state into the backend

Note: the state-storage bucket itself is a chicken-and-egg resource. Create it once by hand or with a tiny bootstrap config that uses local state, then point everything else at it.

Beginner trap: running without locking and without versioning on the state bucket. Without locking, a concurrent apply can write a partial state and leave you with orphaned or duplicated resources. Turn on bucket versioning too — it’s your undo button when state goes sideways. This is also the right time to read up on structuring state and remote backends that scale before your layout calcifies.

Stage 4 — Modules and composition

What to learn: factor repeated config into a reusable module with clear inputs and outputs, then call it. Understand the difference between a root module (the directory you run terraform in) and child modules (reusable units).

Mini-project: wrap your bucket-plus-tags pattern into a module and instantiate it twice.

.
├── main.tf
├── variables.tf
└── modules/
    └── tagged-bucket/
        ├── main.tf
        ├── variables.tf
        └── outputs.tf
# modules/tagged-bucket/variables.tf
variable "name"        { type = string }
variable "environment" { type = string }

# modules/tagged-bucket/main.tf
resource "aws_s3_bucket" "this" {
  bucket = "${var.name}-${var.environment}"
  tags = {
    Environment = var.environment
    ManagedBy   = "terraform"
  }
}

# modules/tagged-bucket/outputs.tf
output "bucket_name" {
  value = aws_s3_bucket.this.bucket
}
# root main.tf
module "logs_bucket" {
  source      = "./modules/tagged-bucket"
  name        = "app-logs"
  environment = var.environment
}

module "assets_bucket" {
  source      = "./modules/tagged-bucket"
  name        = "app-assets"
  environment = var.environment
}

Beginner trap: building one giant root module that does everything, or, the opposite extreme, wrapping every single resource in its own module. A good module has a job (“a bucket with our standard tags and policy”), a small input surface, and meaningful outputs. If you want a sanity check on your module boundaries, this is a great place to lean on AI — see the AI section below, and the Terraform Prompt Pack has module-design prompts I use for exactly this.

Stage 5 — Workspaces and multi-environment

What to learn: run the same config against multiple environments without copy-pasting directories. Understand the two dominant patterns: CLI workspaces vs. directory-per-environment, and when each fits.

Mini-project: deploy your module set to dev and staging, with per-environment variable files.

# directory-per-env (my default for anything serious)
environments/
├── dev/terraform.tfvars
└── staging/terraform.tfvars

terraform apply -var-file=environments/dev/terraform.tfvars

Or with CLI workspaces for lightweight cases:

terraform workspace new staging
terraform workspace select staging
terraform apply

Inside config you can branch on the workspace, but keep it minimal:

locals {
  instance_count = terraform.workspace == "prod" ? 3 : 1
}

Beginner trap: using CLI workspaces to separate prod from dev. They share the same backend key and the same config, so a fat-fingered apply in the wrong workspace hits the wrong environment, and the blast radius is real. Workspaces are fine for ephemeral or near-identical variants; directories with separate state keys are safer for prod isolation. There’s a fuller breakdown in the workspaces category.

Stage 6 — CI/CD with plan-on-PR and approval

What to learn: stop running apply from your laptop. Wire Terraform into CI so every change opens a pull request, CI posts the plan, a human reviews it, and apply runs only after merge/approval.

Mini-project: a pipeline that runs fmt -check, validate, and plan on every PR, and apply only on the protected branch.

# .github/workflows/terraform.yml (sketch)
jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - run: terraform fmt -check
      - run: terraform validate
      - run: terraform plan -no-color -out=tfplan
      # post the plan output as a PR comment for review

  apply:
    needs: plan
    if: github.ref == 'refs/heads/main'
    environment: production   # gated approval
    steps:
      - run: terraform apply -auto-approve tfplan

The key discipline: the human reviews the plan, not the diff of the HCL. The plan is what’s actually going to change. Reviewing plans well is a skill in itself — I run them through a structured review step, and you can do the same in code review.

Beginner trap: apply with -auto-approve from a developer’s machine. It works right up until it doesn’t, and there’s no record of who changed what. Once you go through CI, your git history becomes your infrastructure changelog. Plenty of guidance for this in the Terraform category.

Stage 7 — Testing and policy-as-code

What to learn: catch bad infrastructure before it ships. Use native terraform test for behavior, and a policy engine (OPA/Conftest or Sentinel) to enforce rules like “no public buckets” or “everything must be tagged.”

Mini-project: write a test that asserts your module produces the expected bucket name, and a policy that fails the plan if a bucket is public.

# tests/bucket.tftest.hcl
run "creates_named_bucket" {
  command = plan

  variables {
    name        = "app-logs"
    environment = "dev"
  }

  assert {
    condition     = aws_s3_bucket.this.bucket == "app-logs-dev"
    error_message = "Bucket name did not match expected convention."
  }
}
terraform test

A policy check (Conftest over plan JSON) runs in the same PR pipeline as Stage 6, so a non-compliant change never reaches apply.

Beginner trap: writing tests that just re-assert your own config back to you (tautologies that always pass), or treating policy-as-code as optional. The point of a test is to fail when behavior regresses; the point of policy is to make the unsafe thing impossible, not merely discouraged.

Stage 8 — Refactoring with moved/import, and handling drift

What to learn: change your code structure without destroying and recreating resources (moved blocks, import blocks), and detect/reconcile drift — when reality diverges from state because someone clicked in the console.

Mini-project: rename a resource in your config and use a moved block so Terraform updates state instead of replacing the resource. Then manually change a tag in the cloud console and run plan to see the drift.

# you renamed aws_s3_bucket.learning -> aws_s3_bucket.app
moved {
  from = aws_s3_bucket.learning
  to   = aws_s3_bucket.app
}
# adopt a resource that already exists in the cloud
import {
  to = aws_s3_bucket.legacy
  id = "existing-bucket-name"
}
terraform plan   # should show a move/import, NOT a destroy+create

To see drift, change something by hand in the console, then:

terraform plan -refresh-only   # shows what reality looks like vs state

Beginner trap: renaming a resource and running apply without a moved block. Terraform sees the old address gone and a new one appearing, so it destroys and recreates — catastrophic for a database or anything stateful. The moved block tells Terraform “same object, new name.” Same lesson for adopting existing infra: use import, never let Terraform think it owns something it actually needs to recreate.

Common mistakes beginners make

These are the ones I see over and over. Avoiding them is half of being good at Terraform.

  • Committing terraform.tfstate to git. State often contains secrets (passwords, keys, generated tokens) in plaintext. Add *.tfstate* to .gitignore on day one and use a remote backend (Stage 3). Do commit .terraform.lock.hcl, though — that’s the provider lockfile, and it belongs in version control.
  • No state locking. Two concurrent applies will race and can corrupt state. Always enable locking on shared backends.
  • Hardcoded secrets in .tf files. Never put a password or API key literally in HCL. Use a secrets manager data source, environment variables, or write-only arguments. More on doing this safely in the Terraform category.
  • One giant root module. A 2,000-line main.tf is unreviewable and has a huge blast radius. Compose small modules (Stage 4) and split state by domain.
  • Click-ops drift. Making changes in the console “just this once” silently diverges reality from state. Either bring the change into code or accept that your next apply may undo it. Treat the console as read-only for anything Terraform manages.
  • Auto-apply everywhere. -auto-approve outside a reviewed CI pipeline removes the one human checkpoint that catches a destructive plan. Reserve it for CI on a protected branch, after a human has read the plan.

Using AI to accelerate learning (without skipping the understanding)

AI is genuinely the fastest way to shorten the learning curve — if you use it to understand, not to outsource. The discipline that makes it safe: AI can read, explain, and draft, but it never runs apply. You stay the operator. Here’s how I use it while learning:

  • Explain a plan. Paste terraform plan output and ask what’s being created, changed, or — the dangerous one — replaced. Ask specifically: “is anything being destroyed and recreated, and why?” This teaches you to read plans, the single most valuable Terraform skill.
  • Review your HCL. Paste your module and ask for a critique: input surface too wide? Missing validation? A resource that should be for_each instead of count? You learn idioms faster by having your own code critiqued than by reading docs cold.
  • Generate a module skeleton you then verify. Ask for a starting structure (“a module for an S3 bucket with versioning, encryption, and standard tags”), then read every line, run terraform validate and plan, and confirm it does what you think. The verification step is where the learning happens.

The non-negotiable: never paste an AI-generated config and apply it blind. Run validate, run plan, read the plan, and only then apply — through your reviewed pipeline. I drive most of this from Claude and Cursor, and I keep reusable, tested instructions in prompts. The Terraform Prompt Pack bundles the plan-explanation, HCL-review, and module-skeleton prompts so you’re not reinventing them.

The 30/60/90-day plan

Days 1–30 — Fundamentals you can run. Work through Stages 1–3. By day 30 you can stand up and tear down real resources, parameterize with variables and outputs, and you have remote state with locking. Goal: never lose state, never fear destroy.

Days 31–60 — Structure and environments. Stages 4–6. Build reusable modules, deploy the same config to dev and staging, and get Terraform out of your laptop and into CI with plan-on-PR and gated apply. Goal: every change is a reviewed pull request.

Days 61–90 — Production discipline. Stages 7–8. Add native tests and policy-as-code to your pipeline, and practice refactoring with moved/import and reconciling drift. Goal: you can safely change and restructure live infrastructure that other people depend on.

By day 90 you’re not “learning Terraform” anymore — you’re running it the way a team runs it in production.

FAQ

How long does it take to learn Terraform? You can be productive with the basics (Stages 1–3) in a week or two of hands-on work. Reaching the point where you can safely manage shared, multi-environment production infrastructure — modules, CI, testing, refactoring — is more like the full 90-day arc above. The syntax is small; the operational judgment is what takes time, and it only comes from running real plans and applies.

Terraform vs. OpenTofu — which should I learn? Learn the concepts and they transfer almost entirely. OpenTofu is an open-source fork of Terraform and remains highly compatible with the HCL and CLI workflow you’ll use here; nearly everything in this roadmap applies to both. Pick based on your team’s licensing stance and which features you need (OpenTofu has some of its own, like native state encryption). The learning path is identical.

Do I need to know a cloud provider first? A little helps, but you don’t need to be an expert. You’ll actually learn the cloud faster through Terraform, because every resource you declare forces you to understand its real-world configuration. Start with simple resources (storage, DNS, IAM) in one provider rather than trying to learn the whole cloud catalog at once.

Should I learn modules from the registry or write my own? Both, in order. Early on, reading well-written public modules teaches you idioms and good input/output design. But write your own from Stage 4 — you don’t truly understand modules until you’ve designed the input surface and felt the pain of a bad one. In production I use a mix: vetted registry modules for commodity infrastructure, in-house modules for anything opinionated.

Is it worth using AI to learn, or is that cheating? It’s worth it, as long as you use AI to explain and critique rather than to skip understanding. Having a plan explained or your HCL reviewed accelerates the feedback loop enormously. The line is apply: you read every plan and you run the apply, never the AI. Used that way, it’s the difference between learning in months instead of years.

Conclusion

The best way to learn Terraform isn’t a course — it’s a project you actually run. Spin up a throwaway account, work the eight stages in order, and earn each concept by hitting the problem it solves: state on day one, modules when copy-paste hurts, CI when laptop-applies get scary, tests and policy when other people depend on your infra. Keep the operator discipline — read every plan, never blind-apply — and lean on AI to shorten the loop without skipping the understanding. Do that for 90 days and you won’t be someone who learned Terraform. You’ll be someone who runs it.

Browse more in the Terraform category, and grab the Terraform Prompt Pack for the exact AI prompts I use to explain plans, review HCL, and scaffold modules.

Free download · 368-page PDF

Download the Free 500-Prompt DevOps AI Toolkit

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.