Quick Answer
Describe your infrastructure in plain English with the cloud provider name, and AI writes Terraform, Pulumi, or OpenTofu code. Always review IAM policies, security groups, and state backend configuration.
- AI knows major providers well (AWS, GCP, Azure, Hetzner, DigitalOcean)
- Modules, remote state, and workspaces need human architecture decisions
- Never run `terraform apply` from AI output without `terraform plan` review
What You'll Need
- Cloud provider account with API credentials
- Terraform or OpenTofu installed (`tofu` is the FOSS fork)
- State backend (S3, GCS, Terraform Cloud, or local for dev)
- AI IDE or CLI
Steps
- Describe desired state. Prompt: `Write Terraform for a Hetzner CAX41 VPS, floating IP, and firewall allowing 22, 80, 443.`
- Organize with modules. Ask: `Refactor into reusable modules with clear input variables.`
- Add remote state. Prompt: `Add a backend block using S3 with DynamoDB locking.`
- Parameterize environments. One root per env (`envs/prod`, `envs/staging`) with shared modules.
- Run `terraform plan`. Review every resource carefully.
- Secrets management. Inject via `TF_VAR_*` env vars or SOPS. Never commit `.tfvars` with secrets.
- Apply with approval. CI pipeline: plan on PR, apply on main merge with manual approval gate.
- Drift detection. Schedule nightly `terraform plan`; alert on drift.
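The steps above, carried through as one root module. This is an added example, not code from the page or from Misar Dev: it assumes the Hetzner `hcloud` provider, an S3 bucket and DynamoDB table whose names are placeholders you must replace, the token arriving as `TF_VAR_hcloud_token` from the environment, and a `ssh_allowed_cidrs` variable that restricts port 22 to operator networks instead of the `0.0.0.0/0` rule an AI draft usually produces.

```hcl
terraform {
  required_version = ">= 1.5.0"

  required_providers {
    hcloud = {
      source  = "hetznercloud/hcloud"
      version = "~> 1.45"
    }
  }

  # Remote state with DynamoDB locking. Bucket and table names are
  # placeholders; both must exist before `terraform init`.
  backend "s3" {
    bucket         = "REPLACE-ME-tfstate-bucket"
    key            = "hetzner/prod/terraform.tfstate"
    region         = "eu-central-1"
    dynamodb_table = "REPLACE-ME-tfstate-locks"
    encrypt        = true
  }
}

# Supplied as TF_VAR_hcloud_token, never in a committed .tfvars file.
# `sensitive` keeps the value out of plan and apply output.
variable "hcloud_token" {
  type      = string
  sensitive = true
}

# Assumption: operator CIDRs for SSH; review this list on every plan.
variable "ssh_allowed_cidrs" {
  type        = list(string)
  description = "CIDRs allowed to reach port 22; never 0.0.0.0/0 in prod"
}

variable "environment" {
  type    = string
  default = "prod"
}

provider "hcloud" {
  token = var.hcloud_token
}

# Labels every resource carries so cost and ownership are traceable.
locals {
  labels = {
    environment = var.environment
    owner       = "platform-team"
    cost-center = "infra"
  }
}

resource "hcloud_firewall" "web" {
  name   = "web-${var.environment}"
  labels = local.labels

  # SSH only from the operator networks.
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "22"
    source_ips = var.ssh_allowed_cidrs
  }

  # HTTP and HTTPS are public by design.
  dynamic "rule" {
    for_each = toset(["80", "443"])
    content {
      direction  = "in"
      protocol   = "tcp"
      port       = rule.value
      source_ips = ["0.0.0.0/0", "::/0"]
    }
  }
}

resource "hcloud_server" "web" {
  name         = "web-${var.environment}"
  server_type  = "cax41"       # ARM; use an arm64 image and a CAX location
  image        = "ubuntu-24.04"
  location     = "fsn1"
  firewall_ids = [hcloud_firewall.web.id]
  labels       = local.labels
}

resource "hcloud_floating_ip" "web" {
  type          = "ipv4"
  home_location = "fsn1"
  labels        = local.labels
}

resource "hcloud_floating_ip_assignment" "web" {
  floating_ip_id = hcloud_floating_ip.web.id
  server_id      = hcloud_server.web.id
}

output "floating_ip" {
  value = hcloud_floating_ip.web.ip_address
}
```

Run `export TF_VAR_hcloud_token=...`, then `terraform init` and `terraform plan -var 'ssh_allowed_cidrs=["203.0.113.0/24"]'`; the plan should show exactly four resources, and the only `0.0.0.0/0` rules should be on ports 80 and 443. In CI, the same plan runs on the PR and `terraform apply` runs on the main merge behind the manual approval gate.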
Common Mistakes
- Hardcoded secrets in `.tf`. Use a secrets manager.
- `count` instead of `for_each`. `for_each` is safer for refactors.
- Overly permissive IAM. AI defaults to `*` actions. Narrow manually.
- No tags. Every resource should have `environment`, `owner`, `cost-center` tags.
Top Tools
| Tool | Use |
|---|---|
| Terraform / OpenTofu | IaC runtime |
| Infracost | Cost estimation in PRs |
| tflint | Lint |
| Atlantis | PR-based workflow |
| Pulumi | Typed IaC (TS/Python/Go) |
Conclusion
AI removes the cold-start problem of IaC. Start from a rough prompt, harden with a human security review, lock with a remote state backend. Misar Dev scaffolds Coolify + Hetzner Terraform setups in minutes.
