How Terraform Uses Graph Theory

Feb 08, 2025

Introduction

Graph theory is a branch of mathematics that focuses on the study of graphs, which are structures used to represent relationships between objects. A graph consists of vertices (also known as nodes or points) that are connected by edges (also referred to as arcs, links, or lines). Graphs can be categorized into two types: undirected graphs, where edges connect vertices symmetrically, and directed graphs, where edges establish an asymmetric relationship between vertices.

Terraform (and OpenTofu!) leverages graph theory to efficiently manage dependencies between infrastructure resources. At its core, Terraform models the infrastructure as a Directed Acyclic Graph (DAG), ensuring that resources are created, updated, and destroyed in the correct order.

In this context:

  • Nodes (Vertices): Represent entities (e.g., VM instances, Storage buckets).
  • Edges: Represent dependencies between entities (e.g., a VM instance depends on a Firewall rule).

Terraform uses DAGs since they do not involve cyclic dependencies, which means not a single resource depends on itself either directly or indirectly.

Infrastructure as a Graph

Let’s consider a simple Terraform setup with a VM instance that depends on a Firewall rule and a Storage bucket.

[Firewall rule]    [Storage Bucket]
           |        |
           V        V
          [VM instance]

Above DAG representation ensures that Terraform will create the Firewall rule and Storage Bucket first, and then proceed with the provisioning of the VM instance.

Graph Construction

When we execute terraform plan, a dependency graph is built by analyzing the relationships between defined resources, helping in determining which resource actions can run in parallel and which should run sequentially.

Terraform can create resource that do not have dependencies on each other in parallel, which helps minimize execution time.

Traversing the Graph

Invoking terraform apply results in Terraform traversing the graph and creating the defined resources for us in the the correct order. Terraform processes nodes in the graph layer by layer, ensuring that dependent resources are only created once their prerequisites exist.

Traversing the Graph in Reverse

When destroying resources, Terraform traverses the graph in reverse order, ensuring that dependencies are removed safely. This prevents errors like trying to delete a resource that is containing other resources before deleting the resources inside it.

Handling Cyclic Dependencies

While Terraform does not allow circular dependencies, misconfigurations might result in them. Terraform will (loudly!) complain about these :) The solution is often to break the unintended dependecy cycles using explicit dependency overrides, via depends_on or by restructuring the resources.

Visualization

We can output a graph with Terraform as below.

terraform graph | dot -Tpng > graph.png

Note that in above1, we are piping the output from Terraform to dot, which is included with the open-source graphing library GraphViz2, which then redirects the output to a file.

The use of graph theory enables efficient and parallel execution of state changes, optimizing provisioning speed while maintaining proper dependency resolution. If you are interested in learning more, see https://www.youtube.com/watch?v=4Pd9NrZSbGU.

dep-graph.pngExample Dependancy Graph

  1. See https://developer.hashicorp.com/terraform/cli/commands/graph ↩︎

  2. See https://graphviz.org/ ↩︎

A brief Introduction to Cgroups in Linux