The question I hear most often from junior engineers is some version of this: how do you run terraform apply against production safely, without your palms sweating every time you hit enter? I have a blunt answer, and it comes from the most terrifying demo of my career — a live one, in front of 500 people, with no safety net.
Let me tell you what happened. Then let me tell you why "terraform apply" should never be the scariest command you type.
500 students, no fallback
I was on stage at an IT marathon. On paper the plan was simple: deploy real infrastructure to Azure, live, in front of the room. No pre-recorded video, no "here's one I made earlier." Just my terminal on a giant screen and a terraform plan that 500 people could read over my shoulder.
The whole point was to prove something I believe deeply: real infrastructure isn't slides with pretty diagrams. It's code you can actually replicate. So I built it as code — twenty-three resources, all codified, all reproducible:
- Virtual networks with proper subnet isolation
- Network security groups enforcing deny-by-default rules
- Private DNS zones, so nothing was exposed to the public internet
- Automated VM provisioning
- MySQL behind private endpoints, encrypted at rest
Then I ran terraform apply. And it failed.
The apply that failed in front of everyone
Network policy conflict. A CIDR range that overlapped. Twenty-three resources, and the very first apply threw an error while 500 pairs of eyes stared at the screen.
I had two options. Pivot to slides and mumble something about the demo being "supplementary." Or debug it live, in front of everyone, with zero guarantee I'd fix it in time.
I chose to debug live.
And something I didn't expect happened: the room leaned in. The demo stopped being a polished performance and became real — a real engineer solving a real problem in real time. I found the CIDR conflict in about 90 seconds, fixed the block, re-applied, and all 23 resources came up green.
The applause was louder than it would have been if nothing had gone wrong.
Why "terraform apply" shouldn't be your scariest command
Here's the lesson that matters more than the war story. If terraform apply is the command that makes your stomach drop, the problem isn't Terraform. It's your pipeline. A safe apply isn't about courage — it's about guardrails you set up long before you press enter.
This is what actually makes applying to production safe:
- Remote state with locking. State lives in a backend (Azure Storage, S3, whatever) with state locking on. Two people can't apply at once and corrupt it. Your laptop is never the source of truth.
- Plan before apply, always.
terraform planis your diff. Read it. Review it like you'd review a pull request, because that's exactly what it is — for your infrastructure. - Apply through CI/CD, not from a laptop. The pipeline runs plan, a human approves the diff, and only then does apply run. Nobody types
applyagainst prod from their own machine. - Deny by default. NSG rules deny first and allow explicitly. No public IPs unless there's a real reason. Private endpoints over public exposure, every time.
- Small blast radius. Modules and separate state per environment, so a mistake in staging can never touch prod.
Do those things, and terraform apply becomes boring. Boring is exactly what you want in production.
Teach the security, not just the syntax
The part I care about most: alongside the syntax, I taught the security-first mindset. Because if you teach bad habits — public IPs everywhere, state files on someone's laptop, allow-all rules "just to make the demo work" — you create bad engineers. The syntax fades. The habits stick.
If your infrastructure can't be rebuilt from code in under an hour, you don't have infrastructure as code. You have infrastructure as hope.
And that's the real reason I debugged live instead of hiding behind slides. Teaching means letting people watch you think — not performing how smart you are. Perfect demos are boring. Real debugging is educational. Your composure when things break IS the lesson.
If you can debug in front of 500 people, you can debug anything alone. And if your pipeline has the right guardrails, you'll never have to be brave to run terraform apply again.