50 AI Prompts for Terraform and Infrastructure as Code
50 practical AI prompts for Terraform and Infrastructure as Code. Covers provider setup, modules, state management, workspaces, remote backends, security scanning, AWS and GCP resources, CI/CD integration, and Terragrunt.
How to Use These Terraform Prompts
Terraform by HashiCorp is the most widely used Infrastructure as Code tool. It provisions cloud resources declaratively across AWS, GCP, Azure, and hundreds of other providers. These 50 prompts cover Terraform from first init to multi-environment production deployments with CI/CD pipelines. All prompts assume Terraform 1.8 or later and HCL (HashiCorp Configuration Language).
When using these prompts, always specify your cloud provider and region, the Terraform version, and any existing state backend. Terraform code is highly context-dependent — the correct resource names, AMI IDs, and VPC configurations depend on your specific cloud account and region. Include your existing main.tf or provider block when asking for additions to an existing configuration.
Provider Setup, Resources, and Variables (Prompts 1-16)
- Prompt 1: Write a Terraform AWS provider configuration for a production account. Configure the provider with the us-east-1 region, set up an S3 backend for remote state with a DynamoDB lock table, define required_providers with an exact version constraint, and create a versions.tf file with the minimum Terraform version. Show the complete file structure: main.tf, variables.tf, outputs.tf, versions.tf, and backend.tf.
- Prompt 2: Create a Terraform module for an AWS VPC with public and private subnets. Inputs: vpc_cidr, availability_zones list, public_subnet_cidrs list, private_subnet_cidrs list, and environment tag. Resources: VPC, internet gateway, public subnets with auto-assign public IP, private subnets, public route table with internet gateway route, and private route tables. Outputs: vpc_id, public_subnet_ids, private_subnet_ids.
- Prompt 3: Write a Terraform configuration for an AWS EC2 Auto Scaling Group behind an Application Load Balancer. Define the launch template with the latest Ubuntu 24.04 AMI, instance type, security group, and user data script. Define the ASG with min 2, max 10, desired 2 instances across multiple AZs. Define the ALB with HTTPS listener, certificate ARN from ACM, and target group with health checks.
- Prompt 4: Create a Terraform AWS RDS PostgreSQL instance with a parameter group, subnet group across private subnets, security group allowing access only from the application security group, automatic backups with 7-day retention, encryption at rest, and deletion protection enabled for production.
- Prompt 5: Write a Terraform configuration for an AWS Lambda function with an API Gateway HTTP API trigger. Define the Lambda function, IAM execution role with CloudWatch Logs permissions, a zip archive from a local directory, the API Gateway integration, a stage with auto-deploy, and a CloudWatch log group with 14-day retention.
- Prompt 6: Create a Terraform S3 bucket configuration for a static website. Enable versioning, block all public access and use a CloudFront Origin Access Control policy instead, enable server-side encryption with AES-256, add a lifecycle rule to expire non-current versions after 30 days, and add a bucket policy allowing CloudFront access.
- Prompt 7: Write a Terraform AWS ECS Fargate service. Define the ECS cluster, task definition with a container spec for a Node.js application with CPU and memory limits and environment variables from SSM Parameter Store, a Fargate service in private subnets behind an ALB, an IAM task execution role, and a CloudWatch log group for container logs.
- Prompt 8: Create a Terraform variables.tf with validation. Define a variable for environment that only accepts dev, staging, or production using a validation block with a custom error message. Define a variable for allowed_cidr_blocks that validates each entry is a valid CIDR range. Show how to reference variables with var.environment.
- Prompt 9: Write a Terraform locals.tf that computes derived values. Compute common_tags as a map with environment, project, and managed_by keys. Compute the full resource name as a concatenation of project and environment. Use these locals in all resource tags and name attributes to ensure consistency.
- Prompt 10: Create a Terraform for_each pattern. Given a map of environments (dev, staging, production) each with a different instance type and replica count, create an aws_instance resource for each environment using for_each. Show how to reference the current map key and value inside the resource block.
- Prompt 11: Write a Terraform dynamic block for security group ingress rules. Define a variable that is a list of objects with port, protocol, and description. Use a dynamic ingress block to generate one ingress rule per list item. Show both the variable definition and the security group resource.
- Prompt 12: Create a Terraform data source pattern. Use aws_ami to find the latest Ubuntu 24.04 AMI by owner and name filter. Use aws_vpc and aws_subnets data sources to reference an existing VPC by tag name rather than hardcoding the VPC ID. Show how data sources are referenced in resource arguments.
- Prompt 13: Write a Terraform module with conditional resources. Accept a boolean variable enable_monitoring. When true, create a CloudWatch dashboard and alarm resources. When false, skip them. Use count = var.enable_monitoring ? 1 : 0 and show how to conditionally reference the resource outputs.
- Prompt 14: Create a Terraform workspace pattern for managing multiple environments. Show the commands to create and switch workspaces for dev, staging, and production. Show how to use terraform.workspace in expressions to select environment-specific variable values from a map. Explain when workspaces are appropriate versus separate state files.
- Prompt 15: Write a Terraform taint and import workflow. Show the terraform taint command to mark a resource for replacement on the next plan. Show the terraform import command to bring an existing manually created S3 bucket into Terraform state. Show the terraform state list and terraform state show commands for inspecting state.
- Prompt 16: Create a Terraform moved block for safe resource renaming. Given an aws_instance named web being renamed to app_server, write the moved block that tells Terraform to update the state without destroying and recreating the resource. Show how to verify the move with terraform plan before applying.
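To show what a good answer to several of these prompts looks like in practice, here is an added worked example (written for this guide, not produced by any of the prompts above or taken from a HashiCorp module). It combines the remote-backend setup of Prompt 1, the validated variables of Prompt 8, the locals of Prompt 9, the dynamic ingress block of Prompt 11, and the moved block of Prompt 16 in one small security-group configuration. The bucket name example-tfstate, the lock table example-tfstate-lock, the provider version pin, and the resource names are placeholders you would replace with your own values; the extra validation that refuses 0.0.0.0/0 on anything but ports 80 and 443 is an addition, not something the prompts ask for, but it is the kind of guard rail worth requesting.

```hcl
# Added example for this guide (not page or project code). All names below are
# placeholders: example-tfstate, example-tfstate-lock, the version pin, "example".

# versions.tf / backend.tf
terraform {
  required_version = ">= 1.8.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.60.0" # exact pin: a provider upgrade never sneaks into a plan
    }
  }

  backend "s3" {
    bucket         = "example-tfstate"           # placeholder bucket
    key            = "production/network/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true                        # state can hold secrets: encrypt at rest
    dynamodb_table = "example-tfstate-lock"      # placeholder lock table (hash key LockID)
  }
}

provider "aws" {
  region = "us-east-1"
}

# variables.tf
variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "staging", "production"], var.environment)
    error_message = "environment must be one of dev, staging, production."
  }
}

variable "vpc_id" {
  type = string
}

variable "ingress_rules" {
  description = "One object per inbound rule; CIDRs must parse, 0.0.0.0/0 only on 80/443."
  type = list(object({
    port        = number
    protocol    = string
    cidr_blocks = list(string)
    description = string
  }))

  validation {
    condition = alltrue([
      for r in var.ingress_rules : alltrue([for c in r.cidr_blocks : can(cidrnetmask(c))])
    ])
    error_message = "Every cidr_blocks entry must be a valid IPv4 CIDR."
  }

  validation {
    condition = alltrue([
      for r in var.ingress_rules :
      !contains(r.cidr_blocks, "0.0.0.0/0") || contains([80, 443], r.port)
    ])
    error_message = "0.0.0.0/0 is only permitted on ports 80 and 443."
  }
}

# locals.tf
locals {
  common_tags = {
    environment = var.environment
    project     = "example"
    managed_by  = "terraform"
  }
}

# main.tf
resource "aws_security_group" "app" {
  name        = "example-${var.environment}-app"
  description = "Inbound rules generated from var.ingress_rules"
  vpc_id      = var.vpc_id
  tags        = local.common_tags

  # One ingress rule per list entry; the list has already passed validation.
  dynamic "ingress" {
    for_each = var.ingress_rules
    content {
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = ingress.value.protocol
      cidr_blocks = ingress.value.cidr_blocks
      description = ingress.value.description
    }
  }
  # No egress block: the AWS provider drops the default allow-all egress rule
  # on groups it creates, so outbound access must be declared deliberately.
}

# The group used to be aws_security_group.web. Recording the rename means
# `terraform plan` shows a state move instead of a destroy/create pair.
moved {
  from = aws_security_group.web
  to   = aws_security_group.app
}
```

Run `terraform plan` after adding the moved block and confirm the output reports the resource as moved with no changes, not as one resource to destroy and one to add; only then apply. The validation blocks fail fast at plan time, so a bad CIDR or an over-broad rule never reaches the cloud API.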
Modules, Security, CI/CD, and Advanced Patterns (Prompts 17-50)
- Prompt 17: Write a Terraform module registry structure. Create a module with a standard file layout: main.tf, variables.tf, outputs.tf, README.md, and examples/ subdirectory. Show how to publish it to the Terraform Registry and how to call it from a root module with version pinning using a GitHub source.
- Prompt 18: Create a Terragrunt configuration for a multi-account AWS setup. Show the root terragrunt.hcl with remote state configuration, an accounts/ directory with dev and production subdirectories each having their own terragrunt.hcl overrides, and a modules/ directory referenced by both. Show the dependency block for referencing VPC outputs from a networking module.
- Prompt 19: Write a GitHub Actions workflow for Terraform CI/CD. On pull requests: run terraform fmt -check, terraform validate, tfsec for security scanning, and terraform plan with the output posted as a PR comment. On merge to main: run terraform apply with auto-approve. Use OIDC for AWS authentication and store the Terraform plan as a workflow artifact.
- Prompt 20: Create a tfsec configuration for a Terraform project. Add a .tfsec directory with a config.json that sets the minimum severity to WARNING, ignores specific check IDs that are acceptable for your use case, and shows how to add inline ignore comments to specific resources.
- Prompt 21: Write a Terraform AWS IAM role and policy pattern. Define an IAM role with a trust policy for EC2 service assumption, attach an inline policy with least-privilege S3 access to a specific bucket and key prefix, attach an AWS managed policy for CloudWatch agent, and output the role ARN and instance profile name.
- Prompt 22: Create a Terraform GCP provider configuration with a GCS remote backend. Define the google provider with project and region, configure a GCS bucket backend for state with a prefix for environment isolation, and define a Google Cloud VPC with custom subnets and secondary IP ranges for GKE.
- Prompt 23: Write a Terraform Azure provider configuration. Configure the azurerm provider with a service principal, define a resource group, virtual network, subnet, and Azure Container App environment. Show the azurerm_container_app resource for deploying a Docker container with environment variables from Azure Key Vault.
- Prompt 24: Create a Terraform null_resource and local-exec pattern. Use null_resource with a local-exec provisioner to run a database migration script after an RDS instance is created. Use the triggers map to re-run the migration only when the RDS instance ID changes. Show the depends_on to ensure ordering.
- Prompt 25: Write a Terraform output that produces a structured object. Define an output named connection_info that returns a map with database_host, database_port, app_url, and load_balancer_dns. Show how to reference this output from another Terraform module using the terraform_remote_state data source.
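Prompt 21 is the one most worth checking carefully, because an AI-generated IAM policy that grants s3:* on a whole bucket will pass terraform validate and tfsec may not flag it. The following added example (written for this guide, not output from the prompt or code from any AWS module) shows the shape of a least-privilege answer: a trust policy limited to the EC2 service, an inline policy that can list and read only under one key prefix, the managed CloudWatch agent policy, and the two outputs the prompt asks for. The bucket name example-artifacts, the prefix releases/, and the role and profile names are placeholders.

```hcl
# Added example for this guide (not page or project code). example-artifacts,
# releases/ and the role/profile names are placeholders.

variable "artifact_bucket" {
  type    = string
  default = "example-artifacts" # placeholder
}

variable "artifact_prefix" {
  type    = string
  default = "releases/" # placeholder; keep the trailing slash
}

# Trust policy: only the EC2 service may assume this role.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Least privilege: listing is allowed only for keys under the prefix, and
# object reads are allowed only on keys under the prefix. No write, no delete,
# no access to other buckets.
data "aws_iam_policy_document" "artifact_read" {
  statement {
    sid       = "ListPrefixOnly"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::${var.artifact_bucket}"]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["${var.artifact_prefix}*"]
    }
  }

  statement {
    sid       = "GetObjectsUnderPrefix"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.artifact_bucket}/${var.artifact_prefix}*"]
  }
}

resource "aws_iam_role" "app" {
  name               = "example-app-instance-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# Inline policy scoped to this role only; it cannot be attached elsewhere by mistake.
resource "aws_iam_role_policy" "artifact_read" {
  name   = "artifact-read"
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.artifact_read.json
}

# AWS managed policy for the CloudWatch agent (metrics and logs shipping).
resource "aws_iam_role_policy_attachment" "cloudwatch_agent" {
  role       = aws_iam_role.app.name
  policy_arn = "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy"
}

resource "aws_iam_instance_profile" "app" {
  name = "example-app-instance-profile"
  role = aws_iam_role.app.name
}

output "role_arn" {
  value = aws_iam_role.app.arn
}

output "instance_profile_name" {
  value = aws_iam_instance_profile.app.name
}
```

When you review a generated policy, compare it against this structure: every statement should name a single action family, resources should be bucket plus prefix rather than a wildcard, and any s3:ListBucket grant should carry an s3:prefix condition, otherwise the role can enumerate the whole bucket even if it cannot read every object.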
FAQ
What is the difference between Terraform and Ansible?
Terraform is for provisioning infrastructure: creating VPCs, EC2 instances, RDS databases, S3 buckets, and IAM roles. It manages the lifecycle of cloud resources declaratively. Ansible is for configuration management: installing software, managing files, running commands on existing servers. They are complementary: Terraform creates the server, Ansible configures it. Many teams use both, with Terraform for infrastructure provisioning and Ansible or cloud-init for server configuration.
How do I manage Terraform state in a team?
Use remote state with state locking. Store state in an S3 bucket with a DynamoDB table for locking (AWS) or a GCS bucket (GCP). Never store the state file in git — it can contain sensitive values. Use Terraform workspaces or separate state files per environment. Consider Terraform Cloud or HCP Terraform for a managed remote state solution with role-based access control and run history.
Should I use Terraform modules?
Yes, for reused infrastructure patterns. A VPC module, an ECS service module, and a database module let you provision consistent infrastructure across environments by changing input variables. Avoid modules for one-off resources — the abstraction cost is not worth it for a single resource. A good rule: create a module when you use the same pattern more than twice, or when you want to enforce organizational standards across teams.
What is the difference between terraform plan and terraform apply?
terraform plan shows what changes Terraform will make without making them: resources to create, update, or destroy. terraform apply executes those changes. Always review the plan output before applying in production. In CI/CD, save the plan as an artifact with terraform plan -out=tfplan and apply that exact plan with terraform apply tfplan to ensure what was reviewed is what runs — applying without a saved plan allows state changes between plan and apply to produce unexpected results.