How do you review and approve infrastructure changes safely as a team?
Infrastructure as Code (Terraform, Ansible) · Advanced level
Answer
I review infrastructure changes safely by requiring plans in pull requests, checking policy and security rules, using saved plans for apply, locking state, separating dev and prod permissions, requiring approvals for destructive changes, and keeping audit trails for who approved and applied each change.
Technical explanation
Plans and rendered manifests should be attached to pull requests.
Approvals should focus on blast radius, data loss, IAM, public exposure, and cost impact.
Emergency paths should exist but still leave an audit trail and follow-up review.
Keep source manifests or IaC definitions readable enough that reviewers can understand the final desired state.
Use overlays, modules, or roles for reuse, but keep environment-specific differences explicit and reviewable.
Validate generated output in CI before applying it through kubectl, Argo CD, Terraform, or Ansible.
Hands-on example
1. Implement a team workflow for reviewing and approving infrastructure changes safely.
2. Use a repository layout that separates reusable building blocks from environment entrypoints:
   iac/
     terraform/modules/
     terraform/envs/dev|stage|prod/
     ansible/roles/
     kubernetes/base/
     kubernetes/overlays/dev|stage|prod/
3. For every pull request, generate Terraform plans, render Kustomize output, run ansible-lint, and attach summaries for review.
4. Require owners to approve changes touching IAM, networking, data stores, secrets, and production overlays.
5. After merge, apply through controlled pipelines with state locking, audit logs, and drift detection tickets for anything changed manually.
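One way to turn steps 3 and 4 into a CI check, as an added example rather than code from the original page: it reads the JSON form of a saved plan (`terraform show -json`), flags destroy/replace actions, and works out which owner groups must approve. The sample plan is constructed, and the owner group names and the type-prefix policy are assumptions for illustration.

```python
import json

# Constructed sample shaped like the output of `terraform show -json plan.out`.
SAMPLE_PLAN = json.loads("""
{"format_version": "1.2", "resource_changes": [
 {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
  "change": {"actions": ["update"]}},
 {"address": "aws_db_instance.orders", "type": "aws_db_instance",
  "change": {"actions": ["delete", "create"]}},
 {"address": "aws_iam_role_policy.ci", "type": "aws_iam_role_policy",
  "change": {"actions": ["create"]}},
 {"address": "aws_security_group_rule.web", "type": "aws_security_group_rule",
  "change": {"actions": ["update"]}},
 {"address": "aws_instance.cache", "type": "aws_instance",
  "change": {"actions": ["no-op"]}}
]}
""")

# Assumed review policy: resource type prefix -> owner group that must approve.
# Group names are hypothetical; map them to your CODEOWNERS or approval teams.
OWNER_RULES = {
    "aws_iam_": "security",
    "aws_secretsmanager_": "security",
    "aws_security_group": "network",
    "aws_db_": "data",
    "aws_s3_bucket": "data",
}

def review_plan(plan, environment):
    """Return (findings, required_approvers, has_destructive_change)."""
    findings, approvers, destructive = [], set(), False
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if actions in (["no-op"], ["read"]):
            continue  # nothing changes, nothing to review
        is_destroy = "delete" in actions  # plain delete and both replace orders
        destructive = destructive or is_destroy
        owner = next((group for prefix, group in OWNER_RULES.items()
                      if rc["type"].startswith(prefix)), None)
        if owner:
            approvers.add(owner)
        if is_destroy or owner:
            label = "DESTROY/REPLACE" if is_destroy else "SENSITIVE"
            findings.append(f"{label} {rc['address']} ({'+'.join(actions)})")
    if environment == "prod":
        approvers.add("prod-owners")  # hypothetical production approver group
    return findings, sorted(approvers), destructive

if __name__ == "__main__":
    found, needed, destroy = review_plan(SAMPLE_PLAN, "prod")
    print("\n".join(found), f"approvers={needed} destructive={destroy}", sep="\n")
```

Run it against the same saved plan file that the pipeline later applies, so the reviewed changes and the applied changes cannot differ.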