Introduction
Infrastructure as Code (IaC) has transformed how we manage cloud resources, and Terraform remains the de facto standard in 2026. Whether you're provisioning a single AWS EC2 instance or orchestrating a multi-cloud deployment spanning AWS, Azure, and GCP, the quality of your Terraform code depends on how well you communicate your intent. This article presents a structured collection of 10 expert-level prompts—organized by skill level—that will help you generate, debug, and optimize Terraform configurations using AI assistants. Each prompt includes a clear task, the prompt itself, and a realistic example result.
Why Prompts Matter for Terraform
Terraform's declarative language is powerful, but writing efficient modules, managing state files, and handling provider-specific quirks can be time-consuming. AI-generated prompts can accelerate your workflow by:
- Generating boilerplate module structures
- Suggesting best practices for remote state backends
- Creating multi-cloud configuration templates
- Identifying potential security misconfigurations
Prompt Collection
Basic Prompts
1. Generate a Basic Resource Configuration
Task: Create a Terraform configuration to provision an AWS EC2 instance with a security group.
Prompt:
Generate a Terraform configuration that creates an AWS EC2 instance of type t3.micro with an Amazon Linux 2 AMI. Include a security group that allows SSH (port 22) and HTTP (port 80) from 0.0.0.0/0. Use the aws provider with region us-east-1. Output the public IP and instance ID.
Example Result:
provider "aws" {
region = "us-east-1"
}
resource "aws_security_group" "web_sg" {
name = "web-server-sg"
description = "Allow SSH and HTTP"
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
resource "aws_instance" "web" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t3.micro"
vpc_security_group_ids = [aws_security_group.web_sg.id]
tags = {
Name = "web-server"
}
}
output "public_ip" {
value = aws_instance.web.public_ip
}
output "instance_id" {
value = aws_instance.web.id
}
2. Create a Simple S3 Bucket with Versioning
Task: Write Terraform to create an S3 bucket with versioning enabled.
Prompt:
Create a Terraform configuration that provisions an AWS S3 bucket with versioning enabled. The bucket name should be passed as a variable. Also enable server-side encryption using AES256.
Example Result:
variable "bucket_name" {
description = "Name of the S3 bucket"
type = string
}
resource "aws_s3_bucket" "my_bucket" {
bucket = var.bucket_name
versioning {
enabled = true
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
tags = {
Environment = "dev"
}
}
Advanced Prompts
3. Design a Reusable VPC Module
Task: Build a Terraform module that creates a VPC with public and private subnets across multiple availability zones.
Prompt:
Create a reusable Terraform module for a VPC that accepts inputs for CIDR block, number of public and private subnets, and environment name. The module should create an internet gateway for public subnets and a NAT gateway for private subnets. Output the subnet IDs and VPC ID.
Example Result:
# modules/vpc/main.tf
variable "cidr_block" {
type = string
}
variable "public_subnets_count" {
type = number
default = 2
}
variable "private_subnets_count" {
type = number
default = 2
}
variable "environment" {
type = string
}
resource "aws_vpc" "main" {
cidr_block = var.cidr_block
tags = {
Name = "${var.environment}-vpc"
}
}
resource "aws_subnet" "public" {
count = var.public_subnets_count
vpc_id = aws_vpc.main.id
cidr_block = cidrsubnet(var.cidr_block, 8, count.index)
availability_zone = data.aws_availability_zones.available.names[count.index]
map_public_ip_on_launch = true
tags = {
Name = "${var.environment}-public-${count.index}"
}
}
resource "aws_internet_gateway" "igw" {
vpc_id = aws_vpc.main.id
tags = {
Name = "${var.environment}-igw"
}
}
output "vpc_id" {
value = aws_vpc.main.id
}
output "public_subnet_ids" {
value = aws_subnet.public[*].id
}
4. Manage Remote State with Terraform Cloud
Task: Configure Terraform to use Terraform Cloud as a remote backend for state management.
Prompt:
Write the backend configuration to store Terraform state in Terraform Cloud. Use the organization 'my-org' and workspace 'production'. Also show how to set workspace variables for AWS credentials.
Example Result:
terraform {
backend "remote" {
hostname = "app.terraform.io"
organization = "my-org"
workspaces {
name = "production"
}
}
}
# In Terraform Cloud UI, set:
# AWS_ACCESS_KEY_ID = <your-access-key>
# AWS_SECRET_ACCESS_KEY = <your-secret-key>
5. Create a Multi-Cloud Resource Group (AWS + Azure)
Task: Provision a resource group in Azure and an S3 bucket in AWS within the same configuration.
Prompt:
Write a Terraform configuration that uses multiple providers to create an Azure resource group named 'rg-multi-cloud' in West Europe and an AWS S3 bucket named 'multi-cloud-bucket-123' in us-east-1. Output the resource group name and bucket ARN.
Example Result:
provider "azurerm" {
features {}
location = "West Europe"
}
provider "aws" {
region = "us-east-1"
}
resource "azurerm_resource_group" "rg" {
name = "rg-multi-cloud"
location = "West Europe"
}
resource "aws_s3_bucket" "bucket" {
bucket = "multi-cloud-bucket-123"
acl = "private"
}
output "resource_group_name" {
value = azurerm_resource_group.rg.name
}
output "bucket_arn" {
value = aws_s3_bucket.bucket.arn
}
Expert Prompts
6. Implement a Multi-Cloud Load Balancer Pattern
Task: Design a Terraform configuration that deploys an Application Load Balancer in AWS and an Application Gateway in Azure, both pointing to backend services.
Prompt:
Create a Terraform configuration that sets up an AWS ALB with a target group pointing to EC2 instances, and an Azure Application Gateway with a backend pool pointing to VMs. Use modules for each provider and output the DNS names.
Example Result:
module "aws_alb" {
source = "./modules/alb"
vpc_id = aws_vpc.main.id
subnets = aws_subnet.public[*].id
}
module "azure_agw" {
source = "./modules/app_gateway"
resource_group_name = azurerm_resource_group.rg.name
subnet_id = azurerm_subnet.frontend.id
}
output "aws_alb_dns" {
value = module.aws_alb.dns_name
}
output "azure_agw_dns" {
value = module.azure_agw.dns_name
}
7. Write a Policy to Prevent Public S3 Buckets
Task: Generate a Sentinel policy that blocks Terraform runs creating S3 buckets with public ACLs.
Prompt:
Write a Sentinel policy in Terraform Cloud that prevents provisioning of any S3 bucket with public read or write ACLs. The policy should evaluate `aws_s3_bucket` resources and check the `acl` attribute.
Example Result:
import "tfplan/v2" as tfplan
# Rule: public buckets are not allowed
main = rule {
all tfplan.resource_changes as _, rc {
rc.type is "aws_s3_bucket" implies
rc.change.after.acl not in ["public-read", "public-read-write"]
}
}
8. Optimize State with Workspaces
Task: Structure Terraform configuration to use workspaces for staging and production environments.
Prompt:
Create a Terraform configuration that uses workspaces to differentiate between staging and production. Each workspace should have different instance counts and sizes. Use `terraform.workspace` to conditionally set variables.
Example Result:
variable "instance_count" {
type = map(number)
default = {
staging = 1
production = 3
}
}
variable "instance_type" {
type = map(string)
default = {
staging = "t3.micro"
production = "t3.medium"
}
}
resource "aws_instance" "app" {
count = var.instance_count[terraform.workspace]
ami = data.aws_ami.ubuntu.id
instance_type = var.instance_type[terraform.workspace]
tags = {
Name = "${terraform.workspace}-app-${count.index}"
}
}
9. Design a Disaster Recovery Cross-Region Setup
Task: Write Terraform to replicate an S3 bucket across two AWS regions for disaster recovery.
Prompt:
Create a Terraform configuration that sets up cross-region replication for an S3 bucket from us-east-1 to us-west-2. Include necessary IAM roles and replication rules. Output the source and destination bucket ARNs.
Example Result:
provider "aws" {
alias = "west"
region = "us-west-2"
}
resource "aws_s3_bucket" "source" {
bucket = "my-source-bucket-123"
acl = "private"
replication_configuration {
role = aws_iam_role.replication.arn
rules {
status = "Enabled"
destination {
bucket = aws_s3_bucket.destination.arn
}
}
}
}
resource "aws_s3_bucket" "destination" {
provider = aws.west
bucket = "my-destination-bucket-123"
acl = "private"
}
resource "aws_iam_role" "replication" {
name = "s3-replication-role"
assume_role_policy = data.aws_iam_policy_document.replication_assume.json
}
output "source_arn" {
value = aws_s3_bucket.source.arn
}
output "destination_arn" {
value = aws_s3_bucket.destination.arn
}
10. Automate Terraform with CI/CD Pipeline
Task: Generate a GitHub Actions workflow to run terraform plan and terraform apply on pull requests.
Prompt:
Write a GitHub Actions workflow that runs terraform init, plan on pull requests, and apply on merge to main. Use Terraform Cloud as the backend. Include steps for linting with tflint.
Example Result:
name: Terraform CI/CD
on:
pull_request:
branches: [ main ]
push:
branches: [ main ]
jobs:
terraform:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.7.0
- name: Terraform Init
run: terraform init
env:
TFE_TOKEN: ${{ secrets.TFE_TOKEN }}
- name: Terraform Format
run: terraform fmt -check
- name: Terraform Plan
if: github.event_name == 'pull_request'
run: terraform plan
- name: Terraform Apply
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
run: terraform apply -auto-approve
Conclusion
These 10 prompts demonstrate the range of Terraform tasks you can accelerate with structured AI assistance—from basic resource creation to advanced multi-cloud orchestration and policy enforcement. By using prompts that are specific, context-rich, and action-oriented, you can reduce boilerplate, enforce best practices, and focus on architecture rather than syntax. As you integrate these into your workflow, remember to always review generated code for security and compliance. For further learning, consider exploring official HashiCorp documentation and community modules on the Terraform Registry.
Comments