By Muhammad Usman Khan, Lead Cloud Instructor at Sherdil E-Learning

Published: 23 May 2026    |   Last updated: 23 May 2026

If you have ever clicked through the AWS console, Azure portal, or GCP dashboard to create cloud resources, you know the pain: it is slow, hard to repeat reliably across staging and production, and easy to get wrong. Infrastructure as Code (IaC) solves this problem, and Terraform is the most widely used IaC tool in the industry.

This guide takes you from "what is IaC" to running your first Terraform deployment on AWS, then walks through a working VPC + EC2 example you can adapt for production. It also covers the BUSL / OpenTofu split from 2023 that every Terraform learner in 2026 should understand.


What is infrastructure as code?

Infrastructure as code is the practice of managing cloud resources (servers, databases, networks, storage, and security groups) through configuration files rather than manual clicks in a web console. You describe the infrastructure you want in text files, store those files in Git, and let an IaC tool create and update the real resources to match.

The practical benefits compound: the same files produce the same infrastructure every time, which removes the "I forgot to open port 443" class of mistake. Git history becomes the audit log for every change, and pull requests become the review process. A complete environment (VPC, subnets, instances, load balancer, and database) can be spun up in minutes instead of hours of console work. The configuration files double as documentation: anyone joining the team can read the Terraform code and understand exactly what is deployed. And once you have written a module for, say, a standard VPC, you can reuse it across every project with different inputs.


What is Terraform, and a note on OpenTofu

Terraform is an open-source infrastructure-as-code tool created by HashiCorp in 2014. It uses a declarative configuration language called HCL (HashiCorp Configuration Language) and supports hundreds of cloud and SaaS providers through a shared provider model.

One thing every Terraform learner in 2026 should know: in August 2023, HashiCorp changed Terraform's license from MPL 2.0 to the Business Source License (BUSL), which restricts commercial competitive use. In response, the OpenTofu project was forked from Terraform 1.5.5, kept the MPL 2.0 license, and is now maintained by the Linux Foundation. OpenTofu is a drop-in replacement: the same HCL syntax, the same workflow, the same provider ecosystem.

For learners, the practical difference is small. Terraform has more name recognition with Pakistani and international employers, so we recommend starting with Terraform for employability. If your future employer prefers OpenTofu, the switch is trivial. The rest of this tutorial works for both.

Official sites: terraform.io for Terraform; opentofu.org for OpenTofu.


Terraform vs other IaC tools

A point-by-point comparison of the four most common IaC tools you will see in Pakistani and international job listings.

| Feature | Terraform | CloudFormation | Pulumi | Ansible |
| --- | --- | --- | --- | --- |
| Multi-cloud support | Yes (any provider) | AWS only | Yes | Yes (config-mgmt focus) |
| Language | HCL (declarative) | JSON / YAML | Python / JS / Go / etc. | YAML |
| State management | State file (local or remote) | Managed by AWS | State file | No state (procedural) |
| Learning curve | Moderate | Moderate | Easy (if you code) | Easy |
| Best fit | Multi-cloud infrastructure | AWS-only shops | Developer-centric teams | Server configuration |
| Job demand (Pakistan, Q1 2026) | Very high | High (AWS roles) | Growing | High (different use case) |
| Urdu training available | Yes, Sherdil E-Learning | Yes, Sherdil E-Learning | Limited | Limited |

Terraform’s biggest advantage is multi-cloud support; you can manage AWS, Azure, GCP, Alibaba Cloud, and hundreds of other providers with the same syntax. CloudFormation is AWS-only and tightly integrated. Pulumi appeals to teams that want to use a real programming language for infrastructure. Ansible occupies a different category; it is better for configuring software on existing servers than for provisioning the servers themselves.

Sherdil offers both Terraform and AWS CloudFormation courses for engineers targeting either path.


How Terraform works: write, plan, apply

Terraform’s daily workflow is three commands. Once you know what each one does, the rest of the tool makes sense.

Step 1: Write

Create .tf files (Terraform configuration files) that describe the infrastructure you want: resources like virtual machines, databases, networks, and IAM roles. Each file is just plain text in HCL.

Step 2: Plan

Run terraform plan. Terraform reads your configuration files, compares them to the current state of your infrastructure, and shows you exactly what it will create, modify, or destroy, before changing anything. This is your safety net.

Step 3: Apply

Run terraform apply. Terraform executes the changes shown in the plan, calling the cloud provider’s API to create, update, or delete resources to match your configuration. There is also terraform destroy, which removes everything Terraform created, useful for tearing down test environments to avoid charges.


Core Terraform concepts

Five concepts come up constantly. Get comfortable with these, and the rest of Terraform becomes a matter of looking up provider-specific resource names.

Providers

Plugins that let Terraform interact with specific cloud platforms or services. The AWS provider talks to the AWS API, the Azure provider talks to the Azure API, and so on. You declare which provider you need, and Terraform downloads the right plugin during terraform init. Browse the full provider catalogue at registry.terraform.io.

Resources

The building blocks of your infrastructure. Each resource block defines one component: an EC2 instance, an S3 bucket, an IAM role, or a VPC. The first label on a resource block is the type (e.g. aws_s3_bucket), the second is a name you choose for referring to this resource elsewhere in your code.

Variables

Variables make your code reusable. Instead of hard-coding values like the AWS region or instance size, you declare variables and pass values at apply time. The same Terraform code can then deploy a small dev environment or a large production environment by changing only the variable values.

State

Terraform maintains a state file (terraform.tfstate) that records what infrastructure Terraform currently manages. The state file maps your configuration to real-world resources, so Terraform knows what to update, what to leave alone, and what to destroy. State management is the single most important production concern: never commit terraform.tfstate to Git, and use a remote backend (S3, Azure Blob, Terraform Cloud) for any teamwork.

Modules

Reusable packages of Terraform configuration. Think of a module as a function: you define one standard VPC setup, then call that module across staging, production, and every new project with different inputs. The Terraform Registry hosts thousands of open-source modules.


Your first Terraform project: a hands-on walkthrough

Before you start, you need three things:

  • An AWS account with Free Tier access (sign up at aws.amazon.com).
  • AWS CLI installed and configured with your access keys (run "aws configure" after install).
  • Terraform installed (download it from terraform.io or install it via your package manager).

Step 1: Create a project directory

mkdir my-first-terraform && cd my-first-terraform

Step 2: Write a configuration file

Create a file called main.tf with the following content:

provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "my_bucket" {
  bucket = "my-first-terraform-bucket-replace-this-name"
}

This tells Terraform to use the AWS provider in us-east-1 and create an S3 bucket. Replace the bucket name with something globally unique (S3 bucket names must be unique across all of AWS).

Step 3: Initialise Terraform

terraform init

This downloads the AWS provider plugin. Run it once per project, plus again when you add new providers or change provider versions.

Step 4: Preview the changes

terraform plan

Terraform shows what it will do. In this case: "1 to add, 0 to change, 0 to destroy", creating one new S3 bucket. Always read the plan output before applying.

Step 5: Apply the changes

terraform apply

Type "yes" when prompted. Terraform creates the S3 bucket. Verify it in the AWS S3 console.

Step 6: Clean up

terraform destroy

Removes the S3 bucket so you do not incur any charges. Type "yes" to confirm. This matters: Terraform makes it easy to create real resources accidentally, so always destroy what you do not need.


A working VPC and EC2 example

A more realistic configuration that creates a VPC, an Internet Gateway, a public subnet with routing, a security group, and an EC2 instance that is actually reachable from the internet on port 80. The AMI is fetched dynamically, so the example does not rot when AWS publishes a new Amazon Linux image.

provider "aws" {
  region = "us-east-1"
}

# Look up the latest Amazon Linux 2023 AMI dynamically
data "aws_ami" "amazon_linux" {
  most_recent = true
  owners      = ["amazon"]

  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }
}

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  tags                 = { Name = "main-vpc" }
}

resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "main-igw" }
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
  tags                    = { Name = "public-subnet" }
}

# Send all non-local traffic from the VPC to the Internet Gateway
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.main.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_security_group" "web" {
  vpc_id = aws_vpc.main.id

  # Inbound: HTTP (port 80) from any address
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Outbound: all protocols and ports to any address
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "web" {
  ami                    = data.aws_ami.amazon_linux.id
  instance_type          = "t2.micro"
  subnet_id              = aws_subnet.public.id
  vpc_security_group_ids = [aws_security_group.web.id]
  tags                   = { Name = "web-server" }
}

Notice how resources reference each other. The Internet Gateway attaches to the VPC (aws_vpc.main.id). The route table sits inside the VPC and forwards 0.0.0.0/0 traffic to the gateway. The route table is then associated with the public subnet so instances in that subnet can reach the internet. The EC2 instance lives in the public subnet and uses the security group that allows port 80 inbound from anywhere. Terraform works out the correct creation order automatically based on these references.


Best practices for beginners

Five habits to build from your first project, in order of how much pain they save you.

Always run terraform plan before terraform apply. Read the plan output carefully, particularly looking for any "destroy" actions you did not expect. One wrong configuration change can drop a production database. Treat plan output as a contract.

Use variables instead of hard-coded values. Region, instance type, environment name, CIDR blocks, tags: none of these should be hard-coded. Create a separate .tfvars file for each environment (dev.tfvars, staging.tfvars, prod.tfvars) and pass the right one at apply time.

Use a remote backend for state. Once more than one person works on the codebase, store terraform.tfstate in S3 (or Azure Blob, or Terraform Cloud) with state locking via DynamoDB. Never commit the state file to Git; it contains secrets in plain text.

Extract reusable patterns into modules. The first time you write a VPC, write it as a plain resource. The second time, extract it into a module. By the third project, you will save hours.

Tag every resource. At minimum, tag with environment (dev/staging/prod), owner, and cost-centre. Untagged resources become impossible to attribute and trim when the AWS bill grows.
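The "use variables" and "tag every resource" habits combined in one configuration, as an added example that is not part of the original tutorial. The variable names, tag values, and the dev.tfvars contents are assumptions made for illustration; the validation blocks reject a mistyped environment or CIDR at plan time, before anything is created.

```hcl
# variables.tf (variable names are this example's own)
variable "aws_region" {
  type    = string
  default = "us-east-1"
}

variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "Environment must be dev, staging, or prod."
  }
}

variable "owner" { type = string }
variable "cost_centre" { type = string }

variable "vpc_cidr" {
  type    = string
  default = "10.0.0.0/16"
  validation {
    condition     = can(cidrhost(var.vpc_cidr, 0))
    error_message = "The vpc_cidr value must be a valid CIDR block, for example 10.0.0.0/16."
  }
}

# main.tf
provider "aws" {
  region = var.aws_region

  # Merged into the tags of every taggable resource this provider creates.
  default_tags {
    tags = {
      environment   = var.environment
      owner         = var.owner
      "cost-centre" = var.cost_centre
    }
  }
}

resource "aws_vpc" "main" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  tags                 = { Name = "${var.environment}-vpc" }
}

# dev.tfvars (constructed sample values), passed with:
#   terraform plan -var-file=dev.tfvars
#
# environment = "dev"
# owner       = "platform-team"
# cost_centre = "cc-0000"
```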


Terraform career opportunities in Pakistan

Terraform is now a near-default requirement in DevOps, cloud-engineering, and platform-engineering job listings. The salary ranges below come from active listings on Rozee.pk and LinkedIn Pakistan in Q1 2026, with the remote USD column based on the Stack Overflow Developer Survey 2025 and active Upwork postings for Pakistani IaC engineers.

| Role | Pakistan (PKR/month) | Remote international (USD) |
| --- | --- | --- |
| Junior IaC / DevOps engineer | 100,000 – 200,000 | $2,000 – $4,000/month |
| Mid-level Terraform engineer | 200,000 – 400,000 | $3,500 – $6,000/month |
| Senior IaC / platform engineer | 350,000 – 600,000 | $5,500 – $9,000/month |
| Freelance Terraform projects | | $30 – $80/hour |

The HashiCorp Certified: Terraform Associate (003) credential is the entry-level cert that employers recognise. It is multiple-choice rather than hands-on, costs around $70 USD, and validates that you understand the concepts in this tutorial, plus a level of detail beyond it. We have seen Sherdil DevOps graduates land first IaC-focused interviews specifically because the Terraform Associate badge was visible on their LinkedIn profile.


Frequently asked questions

Is Terraform free?

The Terraform CLI is free to download and use. Since August 2023, it has been licensed under the Business Source License (BUSL) rather than fully open-source, which restricts commercial competitive use but not normal day-to-day work. Terraform Cloud has a free tier for small teams (up to 500 resources) and paid tiers for larger organisations. If you specifically want a fully open-source IaC tool, OpenTofu is the MPL-licensed fork.

Do I need to know programming to use Terraform?

No general-purpose programming is required. HCL is a configuration language, closer to JSON or YAML than to Python. If you can read and edit a JSON file, you can write Terraform. The mental model for variables, references, and modules will take a week or two, but does not require previous coding experience.

Should I learn Terraform or CloudFormation first?

If you work exclusively with AWS, either tool is fine. If you work with multiple cloud providers or want the broadest job market, learn Terraform. Most Pakistani job listings that mention IaC list Terraform first. Some AWS-only shops still use CloudFormation for tighter integration with AWS services.

What is OpenTofu, and should I use it instead of Terraform?

OpenTofu is a Linux Foundation-maintained fork of Terraform 1.5.5, created in September 2023 after HashiCorp moved Terraform to the BUSL license. It keeps the MPL 2.0 open-source license and is largely a drop-in replacement, with the same HCL syntax, same workflow, same provider ecosystem. For learning, start with Terraform because more employers list it by name. Switching to OpenTofu later is straightforward if your company prefers it.

How do I store Terraform state safely?

Never commit terraform.tfstate to Git; it can contain secrets in plain text. For teamwork, use a remote backend: S3 with DynamoDB-based state locking is the most common AWS pattern; Terraform Cloud is the easiest if you want a managed solution; Azure Blob Storage and Google Cloud Storage work for Azure and GCP-centric teams. Configure the backend block in your Terraform configuration and run terraform init to migrate.

Can I use Terraform with Azure and GCP, not just AWS?

Yes. Terraform’s biggest strength is multi-cloud support. The Azure provider (azurerm), Google Cloud provider (google), Alibaba Cloud provider (alicloud), and hundreds of others all use the same workflow. The configuration syntax is the same; only the resource names change. Many Pakistani teams run multi-cloud Terraform setups, managing AWS and Azure side by side.

How long does it take to learn Terraform?

You can deploy your first Terraform configuration in one to two weeks of part-time study. Becoming proficient with modules, remote state, workspaces, and production patterns takes two to three months. The Terraform Associate certification typically takes four to six weeks of preparation on top of basic familiarity.

Next steps

The order we recommend at Sherdil: get comfortable with the six-step S3 walkthrough above, then build the VPC + EC2 example end-to-end, then learn variables and modules, then set up a remote backend, then book the Terraform Associate exam.

For a structured Urdu-language path, the Mastering Terraform Course at Sherdil E-Learning covers everything in this tutorial in depth, plus the production-pattern material needed for the Terraform Associate exam. For learners who want IaC in the context of a full DevOps stack, the DevOps Engineer Course sequences Terraform alongside Docker, Kubernetes, AWS, and CI/CD.

 

About the author

Muhammad Usman is a Lead Cloud Instructor at Sherdil E-Learning, holding the Alibaba Cloud ACP certification along with AWS and Azure credentials. He is an expert trainer in AWS and Google Cloud, having delivered 1,500+ hours of training across 12+ countries and completed 50+ multi-cloud projects. Passionate about transforming technical expertise into real-world success, he helps professionals and organisations build strong cloud and DevOps capabilities.