How do you test infrastructure changes (Terraform) in a pipeline?
CI/CD & GitOps · Advanced level
Answer
Terraform changes should be formatted, validated, linted, security-scanned, planned, reviewed, and applied through controlled approvals. The plan artifact should be tied to the commit, and production apply should use remote state locking, least-privilege credentials, and drift detection.
Technical explanation
Terraform plans should be reviewed as artifacts tied to a commit, but apply should re-check state and use locking.
Use policy-as-code and drift detection to catch risky infrastructure changes before apply.
A secure pipeline protects source, build environment, dependencies, artifacts, deployment credentials, and runtime promotion gates as one chain.
Immutable artifacts, SBOMs, signatures, provenance, vulnerability gates, and environment promotion reduce ambiguity about what was built and deployed.
CI runners are high-value targets; isolate untrusted jobs, patch runner images, remove persistent credentials, and prefer ephemeral execution where possible.
Release safety depends on both automation and observability: use canaries, feature flags, rollback plans, and automated metric-based decisions.
Hands-on example
1. Design an advanced delivery exercise for testing Terraform infrastructure changes in a pipeline, using one service, one Git repository, one artifact registry, and one Kubernetes environment.
2. Run terraform fmt -check, terraform validate, tflint, security scan, and terraform plan -out=tfplan against remote state with locking enabled.
3. Attach the plan to the PR, require review, then apply only the reviewed commit in the target environment using short-lived credentials.
4. Use progressive exposure where relevant: feature flag off by default, canary at 5%, automated metric check for error rate and latency, then expand or roll back.
5. Record audit evidence: PR, approver, pipeline run, artifact digest, SBOM location, signature verification result, deployment event, and rollback or forward-fix decision.
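The gates from steps 2 and 3 as one pipeline script, added here as an example rather than code from the original answer. It assumes tfsec as the security scanner, terraform/tflint/tfsec on PATH, a backend block already configured for remote state with locking, and a constructed manifest format ("<commit-sha> <sha256-of-plan>") that binds the plan artifact to the reviewed commit so apply can refuse any other plan.

```shell
# Added example: Terraform CI gates with the plan artifact bound to a commit.
# Assumptions (not from the original page): tfsec is the security scanner,
# the backend block already points at remote state with locking, and CI
# passes the commit SHA in as the first argument of each stage.
set -eu

# Stage 1: static gates that fail fast before any state is touched.
run_static_gates() {
  terraform fmt -check -recursive
  terraform init -input=false      # initialises the remote, locking backend
  terraform validate
  tflint --recursive
  tfsec .                          # assumption: tfsec as the security scan
}

# Stage 2: produce the plan and a manifest that ties it to the commit.
# Manifest line (constructed format): "<commit-sha> <sha256-of-plan-file>"
create_plan_artifact() {
  commit="$1"; plan="$2"; manifest="$3"
  terraform plan -input=false -lock=true -out="$plan"
  printf '%s %s\n' "$commit" "$(sha256sum "$plan" | cut -d' ' -f1)" > "$manifest"
}

# Stage 3 guard: succeed only if the plan file is the one reviewed for this
# commit (same SHA, same digest). Pure shell, so it can be checked offline.
verify_plan_binding() {
  commit="$1"; plan="$2"; manifest="$3"
  read -r recorded_commit recorded_digest < "$manifest"
  actual_digest="$(sha256sum "$plan" | cut -d' ' -f1)"
  if [ "$recorded_commit" = "$commit" ] && [ "$recorded_digest" = "$actual_digest" ]; then
    return 0
  fi
  return 1
}

# Stage 3: apply the reviewed plan with short-lived credentials already in
# the environment; terraform itself rejects a plan built from a stale state.
apply_reviewed_plan() {
  commit="$1"; plan="$2"; manifest="$3"
  if ! verify_plan_binding "$commit" "$plan" "$manifest"; then
    echo "refusing apply: plan is not the reviewed artifact for $commit" >&2
    return 1
  fi
  terraform apply -input=false -lock=true "$plan"
}
```

Run `run_static_gates` on every push, `create_plan_artifact "$SHA" tfplan plan.manifest` on the PR, and `apply_reviewed_plan "$SHA" tfplan plan.manifest` only from the approved merge job.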