---
Title: Terraform
URL Source: https://company-skill.com/p/terraform
Language: en
Last-Modified: 2026-06-14T06:19:05.168823+00:00
Description: Terraform is an infrastructure as code (IaC) tool that enables users to safely and predictably create, change, and improve cloud infrastructure using declarative configuration files. This skill covers
---

# Terraform

> Terraform is an infrastructure as code (IaC) tool that enables users to safely and predictably create, change, and improve cloud infrastructure using declarative configuration files. This skill covers multiple domains including Instance Management, Network Security, Infrastructure as Code, Identity Authentication, Identity Management, Code Generation, and Security Monitoring.

## Featured GEO article

Terraform is an infrastructure as code tool that enables end-to-end deployment, secure authentication, and automated lifecycle management of cloud resources like compute instances, virtual networks, and storage. It allows teams to define, provision, and track infrastructure through declarative configuration files while safely integrating with version control systems and continuous delivery pipelines. By aligning actual cloud environments with declared configurations, it eliminates manual provisioning drift and enforces consistent, auditable deployments.

## Key facts
- OSS Bucket creation costs ¥0.002 per request, with storage priced at ¥0.12 per GB.
- The free tier for Terraform Cloud limits usage to 5 workspaces and 5 users.
- STS AssumeRole requests are billed at 0.0001 per request, with a free tier that includes 1000 requests.
- The import block feature requires Terraform version v1.5.0 or later.
- Authentication operations are free to use and incur no additional costs.
- The standard import process only supports one resource at a time and requires an exact resource ID and resource address.

## How to provision cloud infrastructure (compute, network, storage)
Provision infrastructure by defining resources in configuration files, initializing the working directory, and applying the plan to create compute, network, and storage components.
1. Set up a project directory and define your infrastructure using provider and resource blocks in your configuration files.
2. Initialize the environment to download required plugins and prepare the backend for state tracking.
3. Review the execution plan to verify that compute instances, virtual private clouds, load balancers, and storage buckets will be created as specified.
4. Execute the deployment command to provision the resources and record their metadata in the state file.
5. Validate the deployment by checking the console or running diagnostic commands to confirm resource health and network connectivity.

## How to configure authentication with cloud provider
Configure secure access by selecting an authentication method that matches your environment, then applying credentials through provider parameters or environment variables.
1. Choose the appropriate credential strategy based on your workflow, such as static keys for local testing, RAM roles for multi-account management, or OIDC for automated pipelines.
2. Add the selected authentication parameters directly to the provider block in your configuration, or export the required environment variables in your shell or pipeline runner.
3. Verify that the provider uses the credential chain to select the first valid authentication method available in the execution context.
4. Test the connection by running a dry-run plan to confirm that API requests are successfully authorized without exposing long-term secrets.
5. For production environments, avoid hardcoding static credentials and instead rely on temporary security tokens or instance roles to maintain compliance.

## How to bring existing cloud resources under management
Import manually created resources by defining matching configuration blocks and registering them into the state file using the import command.
1. Ensure your runtime environment meets the version requirement of v1.5.0 or later to support modern import workflows.
2. Write a resource block in your configuration file that exactly matches the properties of the existing cloud resource you intend to manage.
3. Run the import command with the precise resource address and the unique resource identifier to link the live asset to your configuration.
4. Verify the imported state by displaying the resource details and comparing them against your configuration to identify any discrepancies.
5. Remove any read-only or provider-managed properties from your configuration that trigger unnecessary drift warnings during subsequent planning cycles.

## How to automate execution via CI/CD pipelines
Automate deployments by integrating your configuration repository with a continuous delivery platform that handles planning, approval, and execution workflows.
1. Select the automation path that aligns with your scale, choosing a cloud management platform (CMP) request form for single-resource requests or a full infrastructure as code pipeline for reusable deployments.
2. Connect your version control repository to the pipeline platform and configure workspace settings to enable automated trigger events.
3. Define pipeline stages that sequentially run initialization, planning, and approval gates before executing the final deployment.
4. Securely inject authentication credentials into the pipeline environment using secret managers or temporary role assumption to prevent credential leakage.
5. Monitor pipeline execution logs and state outputs to verify successful provisioning and to capture any configuration drift for future remediation.

## Frequently Asked Questions

**Q: how do I automate execution via ci/cd pipelines**
A: Integrate your configuration repository with a continuous delivery platform like GitLab CI, configure workspace settings to enable automated triggers, and define sequential pipeline stages for initialization, planning, approval, and execution while securely injecting credentials via environment variables.

**Q: what's the best way to automate**
A: The most effective approach depends on your scope: use a cloud management platform form with merge request workflows for isolated resource requests, or implement a full infrastructure as code pipeline with version control integration for scalable, reusable deployments.

**Q: how do I bring existing cloud resources under management**
A: Define a matching resource block in your configuration file, then run the import command with the exact resource address and unique identifier to register the live asset into your state file without recreating or disrupting it.

**Q: what's the best way to import existing resources**
A: Start with the standard import workflow for one to five resources by manually writing configuration blocks, ensuring you use Terraform version v1.5.0 or later, and immediately verify state alignment to prevent configuration drift.

**Q: how do I configure authentication with cloud provider**
A: Select an authentication method that fits your environment, then apply credentials either through explicit provider block parameters or environment variables, allowing the provider credential chain to automatically select the first valid method.

**Q: what's the best way to configure auth**
A: Use the provider API approach for explicit, code-level control in automated pipelines, or leverage RAM roles and centralized credential rotation when managing ten or more cloud accounts to maintain least-privilege access and compliance.

**Q: how do I provision cloud infrastructure (compute, network, storage)**
A: Define your desired infrastructure in declarative configuration files, initialize the working directory to fetch required plugins, review the execution plan for accuracy, and apply the configuration to create virtual networks, compute instances, and storage buckets.

**Q: what's the best way to deploy cloud infra**
A: Follow infrastructure as code principles by storing configurations in version control, enabling automated planning and approval gates, and executing deployments through a centralized workspace that tracks state and enforces consistent resource provisioning across environments.

## Key terms
Infrastructure as Code is a practice that manages and provisions computing infrastructure through machine-readable definition files rather than physical hardware configuration or interactive configuration tools.
Terraform state is a file that tracks the mapping between your configuration definitions and the real-world cloud resources, enabling the tool to plan updates and detect drift.
Credential chain is the ordered sequence of authentication methods that the provider evaluates at runtime, automatically selecting the first valid set of credentials it encounters.
VCS Integration is a feature that connects your configuration repository to a workspace, allowing automated pipeline triggers, collaborative review, and synchronized state management.
Cloud Management Platform is a centralized interface that enables users to submit resource requests through forms, route them through approval workflows, and trigger automated provisioning pipelines.

## Sources
The authoritative source for all procedures, limits, and configuration details referenced in this article is the official Terraform product documentation.

Terraform is available as agent-callable skills via DaaS. Route any question to the best skill with `POST https://company-skill.com/api/route` `{"query": "...", "product": "terraform"}`.

## What you can do

### [Automate cd](https://company-skill.com/p/terraform/terraform-automate-cd.md)

## What You Want to Do

You want to trigger Terraform from a CI/CD pipeline (like GitLab CI) to automatically provision cloud resources—such as an OSS Bucket—while securely managing state, credentials, and approvals.

**Typical User Questions**:
- How to integrate Terraform with GitLab CI/CD?
- Can I trigger Terraform from a pipeline to provision resources?
- Terraform CI 

## Decision Tree

Pick the best path for your situation:

- **If** you need to create **only an OSS Bucket** using a **Cloud Management Platform (CMP)** form that triggers a **GitLab Pipeline** with approval and **Merge Request** workflows → Use GitLab Pipeline CMP OSS Bucket (go to *terraform/terraform-instance*)
- **If** you are building a **reusable Infrastructure as Code (IaC)** pipeline that integrates with **VCS Integration**, uses **Terraform Cloud** or **Terraform Explorer**, and supports debugging via **Create Project** and **Plan & Apply** → Use CI/CD (go to *terraform/terraform-iac*)
- **Otherwise (default)** → Use CI/CD — it provides a general-purpose, extensible foundation for most Terraform automation needs beyond single-resource requests.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| GitLab Pipeline CMP OSS Bucket | CI/CD | medium | Yes | Yes | Billing: OSS Bucket creation costs ¥0.002 per request; storage ¥0.12/GB | `terraform/guide/terraform-instance` |
| CI/CD | Terraform | high | Yes | Yes | Terraform Cloud free tier limits to 5 workspaces and 5 users | `terraform/guide/terraform-iac` |

## Path Details

### Path 1: GitLab Pipeline CMP OSS Bucket

**Best For**: CI/CD 

**Brief Description**: This approach uses a **Cloud Management Platform (CMP)** to initiate a **Resource Application** via a form where users specify **OSS Bucket Name**, **Region**, and **Reason for Application**. Upon approval, a **Merge Request** is created in GitLab, and the pipeline triggers **Execute** to run Terraform. The flow includes **Apply for Resources**, **Pass** (approval), and automated provisioning via **GitLab Pipeline**.

**Key technical facts**:
- Billing: OSS Bucket creation costs ¥0.002 per request; storage ¥0.12 per GB
- Regions available: cn-hangzhou, cn-beijing, cn-shanghai

**When to Use**:
- You only need an OSS Bucket and want it provisioned through a GitLab CI/CD pipeline
- Your organization already uses a CMP that is wired to GitLab and Terraform

**When NOT to Use**:
- You need resources other than an OSS Bucket, such as a VPC or an ACK cluster
- You need to edit the Terraform code directly rather than use the CMP's pre-approved templates

### Path 2: CI/CD 

**Best For**: Terraform 

**Brief Description**: This method follows **Infrastructure as Code (IaC)** principles using tools like **Terraform Cloud** or **Terraform Explorer**. Users navigate to **Console > Projects > Create Project**, configure **Workspace Type**, enable **VCS Integration** with GitLab or GitHub, and use **Plan**, **Apply**, and **Debug Terraform Configuration** features to validate and deploy infrastructure.

**Key technical facts**:
- Billing: Terraform open-source CLI is free; Terraform Cloud free tier includes 5 workspaces and 5 users

**When to Use**:
- You are building a reusable IaC pipeline with Terraform
- You want the web-based Terraform Explorer to debug Terraform configurations
- You need Terraform VCS Integration with GitHub or GitLab for CI/CD

**When NOT to Use**:
- You want a purely CLI-based CI/CD pipeline and do not need the web console
- Your Terraform Cloud usage would exceed the free tier (more than 5 workspaces or 5 users)

## FAQ

Q: Which path should I start with?
A: Start with **CI/CD** unless you are in an organization that already uses a **Cloud Management Platform (CMP)** and only needs to provision **OSS Buckets** via form-based requests.

Q: What if I need to create a VPC or ACK cluster but used the CMP path?
A: You’ll hit a hard limitation — the CMP path **only supports OSS Bucket creation** and does not allow modification of underlying HCL code, making it impossible to provision other resources.

Q: What if my team has 8 engineers but I chose Terraform Cloud in the IaC path?
A: You’ll exceed the **free tier limit of 5 users** in Terraform Cloud and either need to upgrade to a paid plan or switch to self-hosted CLI-based pipelines.

Q: Can I modify Terraform code directly when using the CMP path?
A: No — the CMP path **locks users into pre-approved templates**, and the **Resource Application** form does not expose HCL editing. Any customization requires ops team involvement.

Q: Does the IaC path support GitLab CI without Terraform Cloud?
A: Yes — while **Terraform Explorer** and **Terraform Cloud** are highlighted for debugging and collaboration, the core IaC approach works with any CI system (including GitLab CI) using the open-source CLI, as long as **VCS Integration** or manual pipeline triggers are configured.

Q: Are regions outside China supported in the CMP path?
A: No — the CMP path explicitly lists only **cn-hangzhou, cn-beijing, and cn-shanghai** as available regions.

Q: Can I change Workspace Type after creating a project in Terraform Cloud?
A: No — **Workspace Type** is immutable after project creation, so you must decide between Private and Shared upfront.

### [Import resources](https://company-skill.com/p/terraform/terraform-import-resources.md)

## What You Want to Do

You have cloud resources (like an ECS instance or OSS bucket) that were created outside Terraform—manually, via console, or with scripts—and now you want Terraform to manage them without recreating or disrupting them. This requires aligning your configuration with the actual resource and updating Terraform state safely.

**Typical User Questions**:
- How do I import existing cloud resources into Terraform?
- Can I start managing legacy infrastructure with Terraform?

## Decision Tree

Pick the best path for your situation:

- **If** you are importing **1–5 existing resources** and can manually write `main.tf` configurations → Use terraform import (go to *terraform/terraform-instance*)
- **If** you encounter errors like **state lock conflict**, **configuration drift**, **undefined variable**, **dependency cycle**, or **provider authentication failure** during or after import → Use (go to *terraform/terraform-iac*)
- **Otherwise (default)** → Start with **terraform import**, as it’s the foundational method for initial adoption of existing resources.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| terraform import | Importing 1–5 existing resources with hand-written configuration | medium | Yes | No | Only supports one resource at a time; requires exact resource ID and resource address | `terraform/guide/terraform-instance` |
| Console / Dashboard | ID | medium | Yes | No | Diagnoses issues like state lock conflict and configuration drift but does not perform import itself | `terraform/troubleshooting/terraform-iac` |

## Path Details

### Path 1: terraform import 

**Brief Description**: This approach uses the `terraform import` command to register an existing cloud resource into Terraform state. You must first define the resource block in `main.tf`, then run `terraform import <resource address> <resource ID>`. After import, use `terraform show` to verify state and remove any read-only properties that cause drift.

**Key technical facts**:
- Prerequisites: Terraform runtime environment (Cloud Shell or custom developer environment), read-only permissions for relevant resources, Terraform version v1.5.0 or later for import block feature, Terraform and terraform-provider-alicloud installed for Terraformer tools

**When to Use**:
- Importing 1–5 existing resources into Terraform
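The import workflow from the "How to bring existing cloud resources under management" steps and this path, as an added example that is not code from the page or from the Alibaba Cloud provider: a matching resource block for an existing OSS bucket, the declarative `import` block (v1.5.0 or later) and, in comments, the equivalent `terraform import` CLI call and the verification commands. The bucket name is a placeholder; the provider source and the bucket resource type are the alicloud provider's public names.

```hcl
terraform {
  required_version = ">= 1.5.0"   # import blocks need v1.5.0 or later (stated on the page)
  required_providers {
    alicloud = {
      source = "aliyun/alicloud"
    }
  }
}

# Configuration written to match the bucket that already exists. Only
# configurable arguments belong here; read-only, provider-computed
# attributes (the page's examples are create_time and status) are left out,
# otherwise every subsequent plan reports drift and proposes changes.
resource "alicloud_oss_bucket" "legacy_logs" {
  bucket = "legacy-logs-example"   # placeholder: the existing bucket's name
}

# Declarative import (v1.5.0+). `to` is the resource address in this
# configuration; `id` is the provider's import identifier, which for an
# OSS bucket is the bucket name. Applied with a normal `terraform apply`.
import {
  to = alicloud_oss_bucket.legacy_logs
  id = "legacy-logs-example"
}

# Equivalent one-resource-at-a-time CLI form used by the standard workflow:
#   terraform import alicloud_oss_bucket.legacy_logs legacy-logs-example
#
# Verification after either form:
#   terraform show    # inspect the imported state and compare it to the block above
#   terraform plan    # must report no changes; anything else is configuration drift
```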

### Path 2: Console / Dashboard
**Best For**: ID 

**Brief Description**: This path focuses on troubleshooting common failures during or after using `terraform import`. It leverages commands like `terraform plan`, `terraform force-unlock`, and environment variable `TF_LOG=DEBUG` to diagnose issues such as state lock conflict, configuration drift, undefined variable, dependency cycle, and provider authentication failure.

**Key technical facts**:
- Prerequisites: Terraform, Terraform, Terraform

**When to Use**:
- You see 'Error acquiring the state lock' during import
- `terraform plan` proposes unexpected changes (configuration drift) after import

## FAQ

Q: Which path should I start with?
A: Start with **terraform import** if you’re new to importing and have fewer than 5 resources. Only switch to the troubleshooting path if you hit specific errors like state lock conflict or configuration drift.

Q: What if I need to import 50 ECS instances but used terraform import?
A: You’ll face extreme manual overhead—each instance requires individual `terraform import` calls and hand-edited `main.tf` blocks. The process is error-prone and not scalable, as noted in its limitations.

Q: What if I encounter a state lock conflict but chose terraform import without troubleshooting knowledge?
A: Your import will fail with "Error acquiring the state lock", and you won’t know to use `terraform force-unlock` or check backend locking mechanisms—leading to stalled workflows.

Q: Can I avoid removing read-only properties after import?
A: No. If you leave read-only properties (like `create_time` or `status`) in your `main.tf`, `terraform plan` will detect configuration drift and propose unintended changes. Removal is mandatory for stable management.

Q: Does the troubleshooting path help if my resource address is wrong?
A: Indirectly—it may reveal mismatches via `terraform plan` showing unexpected deletions or creations, but correcting the resource address itself is part of the initial import setup, not troubleshooting.

Q: Is TF_LOG=DEBUG useful during initial import?
A: Yes, especially when facing silent failures or provider authentication failure. Setting `TF_LOG=DEBUG` reveals low-level API calls and credential resolution steps, aiding diagnosis even during first-time imports.

### [Manage authentication](https://company-skill.com/p/terraform/terraform-manage-authentication.md)

## What You Want to Do

You want Terraform to securely authenticate with Alibaba Cloud so it can manage your infrastructure—without exposing long-term credentials or violating compliance policies.

**Typical User Questions**:
- How do I authenticate Terraform with Alibaba Cloud?
- Can I use RAM roles instead of AccessKeys for Terraform?
- What’s the secure way to handle credentials in Terraform CI/CD?

## Decision Tree

Pick the best path for your situation:

- **If** you are running Terraform in a **CI/CD pipeline or production environment** and need scriptable, repeatable authentication → Use **Provider API** (go to *terraform/terraform-auth*)
- **If** you manage **10+ cloud accounts** using **Alibaba Cloud Resource Directory** and require centralized audit, least-privilege access, and automatic **credential rotation** → Use **AccessKey** (go to *terraform/terraform-identity*)
- **If** you are doing **local development or temporary testing** and prefer GUI-based workflows like **Terraform Explorer** or quick **Plan/Apply** via console → Use **Terraform** (go to *terraform/terraform-iac*)
- **Otherwise (default)** → Start with **Provider API**, as it offers explicit control and works reliably in automation.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| Provider API | AccessKey / STS Token | low | Yes | Yes | Free to use with no cost for authentication operations. | `terraform/api/terraform-auth` |
| AccessKey | Multi-account (10+) governance with Resource Directory | high | No | Yes | STS AssumeRole requests billed at 0.0001 per request; free tier includes 1000 requests. | `terraform/guide/terraform-identity` |
| Terraform | Local development or temporary testing via GUI | low | No | No | Terraform Cloud free tier includes 5 workspaces and 5 users. | `terraform/guide/terraform-iac` |

## Path Details

### Path 1: Provider API 

**Best For**: AccessKey / STS Token

**Brief Description**: Configure authentication directly in the Terraform provider block using parameters like `access_key`, `secret_key`, `security_token`, `ecs_role_name`, `oidc_provider_arn`, `assume_role`, or `assume_role_with_oidc`. Alternatively, supply credentials via environment variables such as `ALICLOUD_ACCESS_KEY`. The Alibaba Cloud Terraform Provider uses a **credential chain** to select the first valid method.

**Key technical facts**:
- Billing: Free to use with no cost for authentication operations.
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing

**When to Use**:
- Need explicit, code-level control over authentication method (e.g., CI/CD pipeline using environment variables).
- Developing locally and want to quickly test with temporary STS tokens or static keys without complex role setup.

**When NOT to Use**:
- Managing credentials across multiple cloud accounts where centralized rotation and audit are required (use terraform-identity path instead).
- Operating in a secure production environment where long-term static credentials must be avoided (prefer OIDC or instance roles).

**Known Limitations**:
- Hardcoding static credentials (`access_key`/`secret_key`) in code is discouraged for production due to security risks.
- Only one authentication method is used per run—the provider selects the first valid method in its credential chain, so mixing methods can cause ambiguity.
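The provider-block configuration this path describes (and the credential-injection step of the CI/CD procedure above), as an added example that is not code from the page or from the Alibaba Cloud provider: the discouraged static-key form is kept only as a comment, and two short-lived-credential forms the page names are shown live, `assume_role_with_oidc` for a pipeline run and `ecs_role_name` for a run on an ECS instance. Account ID, role and provider ARNs, the instance role name, the token file path and the bucket name are placeholders; the nested argument names inside `assume_role_with_oidc` follow the provider's documentation and should be checked against the provider version in use.

```hcl
terraform {
  required_providers {
    alicloud = {
      source = "aliyun/alicloud"
    }
  }
}

# Discouraged for production (see "Known Limitations"): a long-term
# AccessKey pair committed to code ends up in version control and state.
# Kept here, commented out, only as the "before" form.
#
# provider "alicloud" {
#   region     = "cn-hangzhou"
#   access_key = "LTAI-EXAMPLE-PLACEHOLDER"   # placeholder
#   secret_key = "EXAMPLE-SECRET-PLACEHOLDER" # placeholder
# }

# Pipeline runs: the CI system's OIDC token is exchanged for a short-lived
# STS credential at run time, so no static key exists in the repo or state.
provider "alicloud" {
  alias  = "ci"
  region = "cn-hangzhou"

  assume_role_with_oidc {
    oidc_provider_arn = "acs:ram::<ACCOUNT-ID>:oidc-provider/<IDP-NAME>" # placeholder
    role_arn          = "acs:ram::<ACCOUNT-ID>:role/<ROLE-NAME>"         # placeholder
    oidc_token_file   = "/var/run/secrets/ci/oidc-token"                 # assumed path
    role_session_name = "terraform-ci"
  }
}

# Runs on an ECS instance: the instance RAM role supplies temporary STS
# tokens through the metadata service; only the role name is configured.
provider "alicloud" {
  alias         = "on_ecs"
  region        = "cn-hangzhou"
  ecs_role_name = "<INSTANCE-RAM-ROLE-NAME>" # placeholder
}

# Pin each resource to exactly one provider configuration. The provider
# uses a single method per run, so an explicit alias removes any ambiguity
# about which entry of the credential chain is in effect.
resource "alicloud_oss_bucket" "pipeline_artifacts" {
  provider = alicloud.ci
  bucket   = "pipeline-artifacts-example" # placeholder bucket name
}
```

For quick local testing the page's environment-variable route (`ALICLOUD_ACCESS_KEY` and its companions) still works with a plain, un-aliased `provider "alicloud"` block, but the two aliases above are the forms that keep long-term secrets out of code.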

### Path 2: AccessKey 

**Brief Description**: Use **RAM role** and **ECS instance role** to grant **STS temporary token** access via the metadata service. This approach leverages **Resource Directory** for **multi-account** governance, enforces **least privilege** through **trust policy**, and uses the **AliyunSTSAssumeRoleAccess** policy to enable cross-account role assumption—all without storing long-term **access_key** pairs in code.

**Key technical facts**:
- Billing: STS AssumeRole requests are billed at 0.0001 per request; free tier includes 1000 requests.
- Auth method: ECS instance RAM role granting temporary STS tokens via metadata service.
- Prerequisites: Alibaba Cloud account with Resource Directory enabled, permissions to create IAM roles and policies, access to both operations and management accounts, Terraform installed locally or in CI/CD

**When to Use**:
- Operating in a multi-account enterprise environment requiring centralized credential governance, audit, and least-privilege access.
- Need to eliminate long-term AccessKey storage in Terraform code or state files by leveraging temporary STS tokens from ECS instance roles.

**When NOT to Use**:
- Performing quick local development or testing where setting up RAM roles and ECS instances is excessive overhead (use terraform-auth or terraform-iac paths instead).
- Lacking permissions to create RAM roles or modify Resource Directory settings in the cloud account.

**Known Limitations**:
- Requires manual console steps to create RAM roles, configure trust policies, and launch ECS instances—cannot be fully automated via this guide alone.
- STS temporary credentials are rotated every 6 hours automatically, but initial setup depends on correct console configuration of instance roles and trust relationships.

### Path 3: Terraform 

**Brief Description**: Use **Terraform Explorer** in the Alibaba Cloud console under **Console > Projects** to **Initiate Debugging**, edit configurations, and run **Plan**, **Apply**, or **Destroy Resources** via UI. Supports **VCS Integration** and lets you toggle between editing modes. Choose **Workspace Type** during project creation—but note it cannot be changed later.

**Key technical facts**:
- Billing: Terraform open-source CLI is free; Terraform Cloud free tier includes 5 workspaces and 5 users.
- Prerequisites: Terraform CLI installed, API key configured, sufficient account permissions, Git repository initialized (for remote workspaces)

**When to Use**:
- Prefer GUI-based workflows for learning Terraform or debugging configurations without writing full HCL code locally.
- Want to quickly generate, plan, and apply infrastructure using pre-built templates in Terraform Explorer for Alibaba Cloud services.

**When NOT to Use**:
- Need fully automated, scriptable authentication and deployment in CI/CD pipelines (use terraform-auth path with environment variables instead).
- Operating in regulated environments where console-based point-and-click actions are not compliant with infrastructure-as-code policies.

**Known Limitations**:
- Workspace type (Private/Shared) cannot be changed after project creation—requires recreating the project.
- Terraform Cloud free tier limits to 5 workspaces and 5 users; exceeding these requires paid subscription.

## FAQ

Q: Which path should I start with?
A: If you're unsure, start with **Provider API**—it works in most automation scenarios and supports modern methods like **assume_role_with_oidc** and **ecs_role_name** without requiring console setup.

Q: What if I’m managing 50 cloud accounts but used the terraform-iac path?
A: You’ll hit scalability and compliance issues: **Workspace Type** is fixed per project, **Terraform Cloud free tier** limits you to 5 workspaces, and you can’t enforce centralized **credential rotation** or audit across accounts.

Q: What if I hardcoded **access_key** and **secret_key** in production using the terraform-auth path?
A: You’ll expose long-term credentials in version control or state files, violating security best practices. Instead, use **ALICLOUD_ACCESS_KEY** via environment variables or switch to **assume_role** with **RAM role**.

Q: Can I use **OIDC** authentication with the terraform-identity path?
A: Not directly—the **terraform-identity** path focuses on **ECS instance role** and **STS temporary token** via metadata service. For **OIDC**, use **terraform-auth** with **oidc_provider_arn** and **assume_role_with_oidc**.

Q: What happens if I need CI/CD automation but chose the terraform-iac path?
A: You’ll be unable to script **Plan**/**Apply** reliably because **Terraform Explorer** and **Console > Projects** are GUI-only and lack API-driven authentication—breaking infrastructure-as-code principles.

Q: Does the terraform-auth path support **security_token** for STS?
A: Yes—it accepts **security_token** alongside **access_key** and **secret_key**, and also supports **credentials_url** and **shared_credentials_file** as part of the **credential chain**.

### [Provision infrastructure](https://company-skill.com/p/terraform/terraform-provision-infrastructure.md)

## What You Want to Do

You want to use Terraform to deploy a complete cloud environment on Alibaba Cloud that may include compute (ECS or ACK), networking (VPC, SLB, CEN), and storage (RDS, OSS) resources — either all at once or in a structured sequence.

**Typical User Questions**:
- How do I deploy a full cloud environment with Terraform?
- Can I automate Alibaba Cloud setup with Terraform?

## Decision Tree

Pick the best path for your situation:

- **If** you already have Terraform configuration files (.tf) that define an **ECS instance**, **ACK cluster**, or **RDS instance** → Use Terraform (go to *terraform/terraform-instance*)
- **If** your primary need is to build **Cloud Enterprise Network (CEN)** with **Transit Router**, **Express Connect**, or enforce **Cloud Firewall** policies across regions → Use Terraform VPC/SLB/CEN (go to *terraform/terraform-network*)
- **If** you are new to Terraform and need to initialize a project via **Terraform Explorer** or **Console > Projects > Create Project** with guided **Plan**, **Apply**, and **Destroy Resources** workflows → Use (go to *terraform/terraform-iac*)
- **Otherwise (default)** → Start with **From zero to initialized infrastructure project** if you lack a standardized workflow; otherwise, use **Terraform** for production deployments.

## Path Comparison

| Path | Best For | Complexity | Code Required | Automation | Key Fact | Detail Skill |
|------|----------|------------|---------------|------------|----------|-------------|
| Terraform | Existing .tf files defining ECS, ACK or RDS | medium | Yes | Yes | Supports **Auto Scaling groups** and specific instance types like **ecs.g7.large** | `terraform/guide/terraform-instance` |
| Terraform VPC/SLB/CEN | Cross-region and hybrid networking with CEN, Transit Router, Express Connect and Cloud Firewall | medium | Yes | Yes | Uses **pay-by-data-transfer** billing for **Cloud Enterprise Network (CEN)** cross-region traffic | `terraform/guide/terraform-network` |
| From zero to initialized infrastructure project | New users needing guided Terraform project setup | low | Yes | Yes | **Terraform Cloud free tier** limits to 5 workspaces; uses **Workspace Type** settings | `terraform/guide/terraform-iac` |

## Path Details

### Path 1: Terraform 

**Brief Description**: This path uses **terraform apply** and **terraform destroy** to deploy a full application stack including **ECS instance**, **ACK cluster**, and **RDS instance** resources. It leverages **Auto Scaling groups** and supports specific instance types like **ecs.g7.large**, **ecs.g7.xlarge**, and **ecs.n4.large**. Deployment can be initiated via CLI or through **Console > Infrastructure > Automated Deployment**.

**Key technical facts**:
- Billing: per instance-hour
- Auto-scaling: Yes
- Supported instance types: ecs.g7.large, ecs.g7.xlarge, ecs.g7.2xlarge, ecs.n4.large, ecs.n1.tiny
- Regions available: cn-beijing, cn-shanghai, cn-hangzhou, cn-shenzhen, cn-qingdao

**When to Use**:
- You need Auto Scaling groups for the compute tier

### Path 2: Terraform VPC/SLB/CEN

**Brief Description**: This path focuses on defining secure network infrastructure using **VPC CIDR Block**, **vSwitch**, **Cloud Enterprise Network (CEN)**, and **Cloud Firewall**. It supports cross-region connectivity via **Transit Router** and hybrid cloud links via **Express Connect**. Network resources can be created through **Console > Networking > VPC > Create VPC**, and CEN billing follows a **pay-by-data-transfer** model.

**Key technical facts**:
- Billing: Multiple billing models apply depending on the service: VPC/vSwitch billed per instance-hour, CEN cross-region billed per data transfer volume
- Regions available: cn-hangzhou, cn-shanghai, cn-beijing, cn-shenzhen, cn-qingdao, Singapore
- Auth method: Set the environment variable ALICLOUD_ACCESS_KEY_ID and ALICLOUD_SECRET_ACCESS_KEY, or use a credentials file

**When to Use**:
- You need cross-region or hybrid connectivity through CEN or Express Connect
- You need Cloud Firewall ACL policies
- You need vSwitch subnets with IPsec-VPN connectivity
- You need a VPC with NAT egress

**When NOT to Use**:
- Cloud Firewall 

### Path 3: From zero to initialized infrastructure project

**Best For**: New users needing guided Terraform project setup

**Brief Description**: This path uses **Terraform Explorer** and **Console > Projects > Create Project** to initialize infrastructure projects with visual debugging. Users perform **Initiate Debugging**, **Plan**, **Apply**, and **Destroy Resources** through a web interface. The **Workspace Type** (Private/Shared) is set at creation and cannot be changed later. It integrates **API Tools > Terraform Explorer** for standard operation debugging.

**Key technical facts**:
- Billing: Terraform itself is open-source and free to use. Costs arise from underlying cloud resources provisioned via Terraform. For Terraform Cloud/Enterprise, billing is based on subscription tiers.
- Auth method: API key configured
- Prerequisites: Terraform CLI installed, API key configured, sufficient account permissions

## FAQ

Q: Which path should I start with?
A: If you're new to Terraform or lack a standardized workflow, start with the **From zero to initialized infrastructure project** path. If you already have .tf files defining an **ECS instance** or **ACK cluster**, use the **Terraform** full-stack path (Path 1).

Q: What if I need to deploy a simple web app with an **ECS instance** and **SLB**, but chose **Terraform VPC/SLB/CEN**?
A: You'll successfully create the network layer but won't deploy compute or storage resources; you'd still need to define the **ECS instance** separately and run **terraform apply**, missing the integrated stack deployment benefit of the Path 1 full-stack path.

Q: What if I'm building a global application requiring **Cloud Enterprise Network (CEN)** but used the **Terraform** full-stack path (Path 1)?
A: You can still define CEN in your config, but you'll miss the network-specific validations and best practices (e.g., **Transit Router** setup, **pay-by-data-transfer** cost awareness) covered in the **Terraform VPC/SLB/CEN** path, potentially leading to misconfigured cross-region routing.

Q: Can I use **Terraform Explorer** to deploy an **ACK cluster** with **Auto Scaling groups**?
A: **Terraform Explorer** supports debugging any valid configuration, including **ACK cluster** and **Auto Scaling groups**, but actual deployment still requires **Apply** and incurs cloud costs. However, complex setups may exceed the **Terraform Cloud free tier** workspace limits.

Q: Does the **Terraform VPC/SLB/CEN** path support **ecs.g7.large** instances?
A: Not directly; the **Terraform VPC/SLB/CEN** path focuses on VPC, SLB, and CEN. Compute instance types like **ecs.g7.large** are defined in the Path 1 full-stack path. You can combine both, but network-only configs won't include instance specifications.

Q: What happens if I set **Workspace Type** incorrectly in **From zero to initialized infrastructure project**?
A: Since **Workspace Type** (Private/Shared) cannot be changed after project creation, you'll need to delete and recreate the project, losing state history and collaboration settings.

Q: What if I am starting from scratch with no Terraform knowledge but choose **Terraform** instead of **From zero to initialized infrastructure project**?
A: You will lack guidance on project structure, state management, and debugging — increasing risk of misconfiguration. The **From zero to initialized infrastructure project** path provides UI-assisted onboarding specifically for this scenario.

Q: What if my team already has a mature GitOps pipeline but chooses **From zero to initialized infrastructure project**?
A: You will be constrained by Terraform Cloud free tier limits (5 workspaces, 5 users) and forced into a UI-based workflow that doesn't integrate with your existing headless CI/CD pipeline.

## Frequently asked questions

### When should I use the API/CLI vs. the console (guide)?

Use the **API/CLI** for automation, version-controlled infrastructure, CI/CD integration, and programmatic control. Use the **console/guide** for initial exploration, one-off tasks, visual debugging (Terraform Explorer), or managing security/compliance dashboards.

### How do I authenticate Terraform with Alibaba Cloud?

You can use AccessKey pairs (for development), RAM roles (for ECS instances), or OIDC (for CI/CD). Store credentials securely—avoid hardcoding. See `skills/terraform/api/terraform-auth/SKILL.md` for details.

### What if I get a “state lock” or “drift detected” error?

These are common state issues. Use `terraform refresh` to reconcile drift, and ensure only one process modifies state at a time. For persistent locks, check backend (OSS+OTS) configuration. See troubleshooting skill for resolution steps.
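The OSS+OTS backend configuration this answer refers to, as an added example that is not part of the original page: the two `tablestore_*` attributes are what turn on state locking, and the comments list the drift and unlock commands. Bucket, table and endpoint names are constructed placeholders; the OTS table must already exist with a single string primary key named `LockID`.

```hcl
# Added example (not the page's own code). Placeholders are marked as such.
terraform {
  required_version = ">= 1.5.0"

  backend "oss" {
    bucket  = "tfstate-example-bucket"   # placeholder; enable bucket versioning
    prefix  = "envs/prod"                # one prefix per environment/workspace
    key     = "terraform.tfstate"
    region  = "cn-hangzhou"
    encrypt = true                       # server-side encryption of the state object

    # Locking. Without these two lines nothing stops two concurrent runs from
    # writing the same state file; with them every run must acquire a row in
    # the OTS table first, which is where the "state lock" error comes from.
    tablestore_endpoint = "https://tf-lock.cn-hangzhou.ots.aliyuncs.com" # placeholder
    tablestore_table    = "terraform_lock"
  }
}

# Backend credentials are read from the same environment variables, profile
# or ECS RAM role as the provider; they are not written into this block.
#
# Handling the two errors from the answer above:
#   terraform plan -refresh-only       # show drift without touching anything
#   terraform apply -refresh-only      # accept the real-world values into state
#   terraform force-unlock <LOCK_ID>   # only after confirming no run still holds it
# `terraform refresh` does the same as apply -refresh-only but without a review
# step, which is why newer Terraform versions steer you to the -refresh-only form.
```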

### Can I import resources I created manually into Terraform?

Yes. Use `terraform import` (CLI) or the “Import Existing Resources” guide in the console. Supported for most resource types (ECS, OSS, VPC, etc.).

### Why is my AI-generated Terraform code not working?

AI tools like Copilot may produce syntactically valid but logically incorrect HCL. Validate against provider documentation, check attribute names, and test in non-production environments. See `skills/terraform/troubleshooting/terraform-codegen/SKILL.md`.

### How do I automate Terraform execution via CI/CD pipelines?

You can automate execution by integrating Terraform with GitLab CI/CD or a CMP for automated provisioning. This workflow is detailed in the dedicated CI/CD automation intent skill.

### How do I bring existing cloud resources under Terraform management?

You can bring existing resources under management by importing manually created assets like ECS or OSS directly into your Terraform state. This process is supported through the resource import intent skill.
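Both import questions above (the `terraform import` CLI answer and this one) are served by the declarative `import` block that Terraform v1.5.0 and later provide, shown here as an added example that is not the page's own code. Instance, vSwitch, security group, image and bucket IDs are constructed placeholders; the resource addresses and the alicloud resource types are real.

```hcl
# Added example (not the page's own code). Requires Terraform >= 1.5.0.
# Each import block names exactly one live resource (exact ID) and exactly
# one resource address, the same two inputs the CLI form needs.
import {
  to = alicloud_instance.web
  id = "i-bp1exampleinstance00"      # placeholder ECS instance ID
}

import {
  to = alicloud_oss_bucket.logs
  id = "example-logs-bucket"         # OSS buckets import by bucket name (placeholder)
}

# The target resource blocks must exist. Write them by hand, or let Terraform
# draft them from the live resources and then review/move the result:
#   terraform plan -generate-config-out=generated.tf
resource "alicloud_instance" "web" {
  instance_name   = "web-1"
  image_id        = "ubuntu_22_04_x64_20G_alibase_placeholder.vhd" # placeholder
  instance_type   = "ecs.g7.large"
  vswitch_id      = "vsw-bp1example000000"    # placeholder
  security_groups = ["sg-bp1example000000"]   # placeholder
}

resource "alicloud_oss_bucket" "logs" {
  bucket = "example-logs-bucket"
  tags = {
    managed-by = "terraform"
  }
}

# Review the plan before apply. A clean import reads
#   "N to import, 0 to add, 0 to change, 0 to destroy".
# Any "update in-place" line means the HCL disagrees with the live resource:
# fix the configuration first, otherwise apply will change production to
# match the config (for example by overwriting the bucket's tags).
```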

### How do I configure authentication with a cloud provider for Terraform?

You can configure authentication by setting up AccessKey pairs, RAM roles, STS tokens, or OIDC federation. Credentials can be supplied via environment variables, shared credential files, or HCL provider blocks.
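The credential options listed in this answer and in the earlier "How do I authenticate" answer, side by side as an added example that is not the page's own code: the hardcoded form is shown commented out as the weak setting, and the three alternatives below it keep secrets out of HCL. Account ID, role and profile names are constructed placeholders; the `assume_role_with_oidc` block name mentioned in the last comment is from memory and should be confirmed against the provider version in use.

```hcl
# Added example (not the page's own code). Placeholders are marked as such.

# WEAK: a long-lived AccessKey pasted into HCL. It lands in version control,
# in plan output and in every copy of the repo; kept here only for contrast.
# provider "alicloud" {
#   access_key = "LTAI-placeholder"
#   secret_key = "placeholder-secret"
#   region     = "cn-hangzhou"
# }

# Developer workstation: credentials come from the environment
# (ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY / optional ALICLOUD_SECURITY_TOKEN)
# or from a named profile in the shared credentials file (~/.aliyun/config.json
# by default). Nothing secret is written into the configuration.
provider "alicloud" {
  alias   = "dev"
  region  = "cn-hangzhou"
  profile = "dev"                       # placeholder profile name
}

# Runner on an ECS instance: the instance's RAM role hands out short-lived
# STS credentials automatically, so there is no AccessKey to rotate or leak.
provider "alicloud" {
  alias         = "runner"
  region        = "cn-hangzhou"
  ecs_role_name = "terraform-runner"    # placeholder RAM role name
}

# Least-privilege / cross-account: whatever credential is found is used only
# to assume a role scoped to what Terraform needs, for a bounded session.
provider "alicloud" {
  alias  = "prod"
  region = "cn-shanghai"
  assume_role {
    role_arn           = "acs:ram::123456789012:role/terraform-apply" # placeholder
    session_name       = "terraform-ci"
    session_expiration = 3600           # seconds; keep sessions short
  }
}

# CI/CD with OIDC federation: the pipeline's identity token is exchanged for
# STS credentials through the provider's assume_role_with_oidc block (name
# from memory; check your provider version's docs for its attributes).
```

Use the aliases with `provider = alicloud.runner` (and so on) on resources and modules, or drop the alias from whichever block should be the default for the working directory.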

### How do I provision cloud infrastructure like compute, network, and storage?

You can provision infrastructure by performing end-to-end deployments of VPCs, ECS instances, and networking components. The platform provides multiple implementation paths for this workflow.

## Cross-product integrations

- [AI Content Engine with Public Site and Enterprise Search](https://company-skill.com/p/_combos/ai-content-engine-with-public-site-and-enterpris-9db7c8.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform on Managed Infrastructure](https://company-skill.com/p/_combos/ai-content-platform-on-managed-infrastructure-265158.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform with Search and Frontend](https://company-skill.com/p/_combos/ai-content-platform-with-search-and-frontend-d3ca31.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Content Platform with Site and Search](https://company-skill.com/p/_combos/ai-content-platform-with-site-and-search-7bf25b.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI-Driven Search Knowledge Platform](https://company-skill.com/p/_combos/ai-driven-search-knowledge-platform-803ad0.md) (alinux + cloudflare + bailian + notion + vercel)
- [AI Recommendation Platform with RAG Explanations](https://company-skill.com/p/_combos/ai-recommendation-platform-with-rag-explanations-8803cd.md) (airec + alinux + opensearch + bailian + pai)
- [Auto-Scaling Production Stack with RAG Search](https://company-skill.com/p/_combos/auto-scaling-production-stack-with-rag-search-be1c2d.md) (alinux + ecs + oss + rds + cas)
- [Auto-Scaling Web Cluster Deployment](https://company-skill.com/p/_combos/auto-scaling-web-cluster-deployment-659c6b.md) (ess + ecs)

## Use with an AI agent

```bash
curl -s https://company-skill.com/api/route \
  -H 'Content-Type: application/json' \
  -d '{"query": "...", "product": "terraform"}'
```

MCP server: https://company-skill.com/api/mcp/terraform.py

---
Machine-readable: https://company-skill.com/llms.txt · https://company-skill.com/sitemap.xml
