What is AWS Terraform?

✅ Terraform in simple words

Terraform is an Infrastructure as Code (IaC) tool by HashiCorp.
You describe your infrastructure in declarative configuration files (HCL), and Terraform creates, updates and destroys the real resources to match that description.

Think of it like:

“Git for infrastructure” — your AWS setup becomes version-controlled code.


Why Terraform is needed (Real-world reasons)

1) Repeatable environments

Create identical dev / stage / prod using the same code.

2) Change control + audit

Infra changes are reviewed in PRs and tracked in Git.

3) Safer deployments (plan → apply)

Terraform shows what will change before it changes it.

4) Avoid manual console mistakes

No “clicked wrong region / deleted wrong bucket” surprises.


Basic Example: Create S3 Bucket + Allow One Role Access

✅ What we will build

  • Create an S3 bucket

  • Block public access

  • Add a bucket policy that allows one IAM role to:

    • List the bucket

    • Read/Write objects

S3 bucket policies are the standard resource-based way to grant a principal access to a bucket.


📁 Folder Structure

s3-terraform-demo/
  main.tf
  variables.tf
  outputs.tf

1️⃣ main.tf

terraform {
  required_version = ">= 1.5.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = var.aws_region
}

# -----------------------------
# S3 Bucket
# -----------------------------
resource "aws_s3_bucket" "app_bucket" {
  bucket = var.bucket_name

  tags = {
    Name        = var.bucket_name
    Environment = var.environment
  }
}

# Optional but recommended: block all public access.
# The role-scoped policy below is not a public policy, so it is still accepted.
resource "aws_s3_bucket_public_access_block" "app_bucket_block_public" {
  bucket = aws_s3_bucket.app_bucket.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# -----------------------------
# Bucket policy: allow ONE IAM role access
# -----------------------------
data "aws_iam_policy_document" "allow_role_access" {
  # Bucket-level permission: list the bucket itself
  statement {
    sid    = "AllowRoleListBucket"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [var.allowed_role_arn]
    }

    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.app_bucket.arn]
  }

  # Object-level permissions: note the "/*" on the resource ARN
  statement {
    sid    = "AllowRoleReadWriteObjects"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = [var.allowed_role_arn]
    }

    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
    ]
    resources = ["${aws_s3_bucket.app_bucket.arn}/*"]
  }
}

# Attach the rendered JSON policy to the bucket
resource "aws_s3_bucket_policy" "app_bucket_policy" {
  bucket = aws_s3_bucket.app_bucket.id
  policy = data.aws_iam_policy_document.allow_role_access.json
}

Notes:


2️⃣ variables.tf

variable "aws_region" {
  type        = string
  description = "AWS region to deploy into"
  default     = "us-west-2"
}

variable "environment" {
  type        = string
  description = "Environment name (dev/stage/prod)"
  default     = "dev"
}

variable "bucket_name" {
  type        = string
  description = "Globally unique S3 bucket name"
}

variable "allowed_role_arn" {
  type        = string
  description = "IAM Role ARN that should get access to the bucket"
}

3️⃣ outputs.tf

output "bucket_name" {
  value = aws_s3_bucket.app_bucket.bucket
}

output "bucket_arn" {
  value = aws_s3_bucket.app_bucket.arn
}
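To see what the aws_iam_policy_document data source above renders, and to check it before apply, here is an added Python example. It is not part of the original post and not Terraform or AWS code. It rebuilds the two statements as plain policy JSON using constructed placeholder values for the bucket name and role ARN, then runs a small lint that a defender would want as a pre-apply gate: every Allow statement must name one specific IAM role (never "*"), use no wildcard actions, and stay inside this bucket, with bucket-level actions on the bucket ARN and object-level actions on the "/*" object ARN. The build_bucket_policy and lint_bucket_policy functions and the role-ARN regular expression are my own assumptions, not an AWS or Terraform API.

```python
import json
import re

# Constructed sample values standing in for TF_VAR_bucket_name and
# TF_VAR_allowed_role_arn; they are placeholders, not real AWS identifiers.
BUCKET_NAME = "example-app-bucket-123456789"
BUCKET_ARN = "arn:aws:s3:::" + BUCKET_NAME
ALLOWED_ROLE_ARN = "arn:aws:iam::123456789012:role/MyAppRole"

# Actions that apply to the bucket ARN vs. to object ARNs (bucket/*).
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

# Assumed shape of an IAM role ARN: 12-digit account id, then role/<path><name>.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[A-Za-z0-9+=,.@_/-]+$")


def build_bucket_policy(bucket_arn, role_arn):
    """JSON-shaped equivalent of the two statements in main.tf."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowRoleListBucket",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
            },
            {
                "Sid": "AllowRoleReadWriteObjects",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": sorted(OBJECT_ACTIONS),
                "Resource": bucket_arn + "/*",
            },
        ],
    }


def _as_list(value):
    """IAM lets a single string stand in for a one-element list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_bucket_policy(policy, bucket_arn):
    """Return a list of findings; an empty list means the policy passes.

    Checks each Allow statement for: a single specific IAM role principal,
    no wildcard actions, resources inside this bucket, and bucket-level vs.
    object-level actions attached to the matching ARN form.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not linted here

        principal = stmt.get("Principal")
        aws_principals = (
            ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        )
        for p in aws_principals:
            if p == "*" or not ROLE_ARN_RE.match(p):
                findings.append(f"{sid}: principal {p!r} is not a single IAM role")

        actions = _as_list(stmt.get("Action"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action in {actions}")

        for res in _as_list(stmt.get("Resource")):
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {res!r} is outside {bucket_arn}")
            elif res == bucket_arn and OBJECT_ACTIONS & set(actions):
                findings.append(f"{sid}: object actions granted on the bucket ARN")
            elif res != bucket_arn and BUCKET_ACTIONS & set(actions):
                findings.append(f"{sid}: s3:ListBucket granted on an object ARN")
    return findings


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET_ARN, ALLOWED_ROLE_ARN)
    print(json.dumps(policy, indent=2))
    for finding in lint_bucket_policy(policy, BUCKET_ARN) or ["no findings"]:
        print(finding)
```

lint_bucket_policy takes any bucket policy as a parsed JSON object, so the same check can be pointed at a policy pulled from a plan or from an existing bucket, and a non-empty result can fail the pipeline before terraform apply runs.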

▶️ How to Run

1) Set variables (example)

export TF_VAR_bucket_name="vinod-demo-bucket-123456789"
export TF_VAR_allowed_role_arn="arn:aws:iam::123456789012:role/MyAppRole"

2) Initialize / Plan / Apply

terraform init
terraform plan
terraform apply

✅ Summary (Interview-ready)

  • Terraform is an IaC tool that manages the infrastructure lifecycle (create, update, destroy) from declarative code.

  • You define AWS resources such as aws_s3_bucket and attach a policy to the bucket with aws_s3_bucket_policy.

  • To give one role access to a bucket, you use an S3 bucket policy (a resource-based policy) that lists that role's ARN as the principal and scopes bucket-level actions to the bucket ARN and object-level actions to the bucket ARN plus "/*".
