Mastering Terraform: Infrastructure as Code Best Practices
Infrastructure as Code (IaC) has revolutionized how we manage cloud resources, and Terraform stands at the forefront of this revolution. Let's dive deep into mastering Terraform for enterprise-grade infrastructure management.
Core Concepts and Best Practices
1. Project Structure
A well-organized Terraform project is crucial for maintainability. Here's a recommended structure:
├── environments/
│ ├── dev/
│ │ ├── main.tf
│ │ ├── variables.tf
│ │ └── terraform.tfvars
│ └── prod/
│ ├── main.tf
│ ├── variables.tf
│ └── terraform.tfvars
├── modules/
│ ├── networking/
│ │ ├── main.tf
│ │ ├── variables.tf
│ │ └── outputs.tf
│ └── compute/
│ ├── main.tf
│ ├── variables.tf
│ └── outputs.tf
└── README.md
2. Module Design Patterns
Create reusable modules that follow these principles:
# modules/networking/main.tf
variable "vpc_cidr" {
description = "CIDR block for VPC"
type = string
}
variable "environment" {
description = "Environment name"
type = string
}
variable "public_subnet_cidrs" {
description = "CIDR blocks for public subnets"
type = list(string)
}
resource "aws_vpc" "main" {
cidr_block = var.vpc_cidr
tags = {
Name = "${var.environment}-vpc"
Environment = var.environment
Terraform = "true"
}
}
resource "aws_subnet" "public" {
count = length(var.public_subnet_cidrs)
vpc_id = aws_vpc.main.id
cidr_block = var.public_subnet_cidrs[count.index]
availability_zone = data.aws_availability_zones.available.names[count.index]
tags = {
Name = "${var.environment}-public-${count.index + 1}"
Environment = var.environment
Terraform = "true"
}
}
output "vpc_id" {
value = aws_vpc.main.id
}
output "public_subnet_ids" {
value = aws_subnet.public[*].id
}
3. State Management
Proper state management is crucial for team collaboration:
# backend.tf
terraform {
backend "s3" {
bucket = "my-terraform-state"
key = "environments/dev/terraform.tfstate"
region = "us-west-2"
dynamodb_table = "terraform-locks"
encrypt = true
}
}
# DynamoDB table for state locking
resource "aws_dynamodb_table" "terraform_locks" {
name = "terraform-locks"
billing_mode = "PAY_PER_REQUEST"
hash_key = "LockID"
attribute {
name = "LockID"
type = "S"
}
}
Advanced Patterns
1. Dynamic Resource Creation
Use dynamic blocks for flexible resource creation:
locals {
security_groups = {
web = {
name = "web-sg"
description = "Security group for web servers"
ingress_rules = [
{
port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
},
{
port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
]
}
app = {
name = "app-sg"
description = "Security group for application servers"
ingress_rules = [
{
port = 8080
protocol = "tcp"
cidr_blocks = ["10.0.0.0/8"]
}
]
}
}
}
resource "aws_security_group" "this" {
for_each = local.security_groups
name = each.value.name
description = each.value.description
vpc_id = aws_vpc.main.id
dynamic "ingress" {
for_each = each.value.ingress_rules
content {
from_port = ingress.value.port
to_port = ingress.value.port
protocol = ingress.value.protocol
cidr_blocks = ingress.value.cidr_blocks
}
}
}
2. Custom Providers and Data Sources
Create custom providers for specialized needs:
provider "aws" {
region = "us-west-2"
assume_role {
role_arn = "arn:aws:iam::ACCOUNT_ID:role/TerraformRole"
}
default_tags {
tags = {
Environment = var.environment
Terraform = "true"
Team = "DevOps"
}
}
}
data "aws_ami" "ubuntu" {
most_recent = true
filter {
name = "name"
values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
}
filter {
name = "virtualization-type"
values = ["hvm"]
}
owners = ["099720109477"] # Canonical
}
Testing and Validation
1. Terraform Validation
Implement pre-commit hooks for validation:
# pre-commit-config.yaml
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.50.0
hooks:
- id: terraform_fmt
- id: terraform_docs
- id: terraform_tflint
- id: terraform_validate
2. Infrastructure Testing
Use Terratest for infrastructure testing:
package test
import (
"testing"
"github.com/gruntwork-io/terratest/modules/terraform"
"github.com/stretchr/testify/assert"
)
func TestVPCCreation(t *testing.T) {
terraformOptions := &terraform.Options{
TerraformDir: "../environments/dev",
Vars: map[string]interface{}{
"vpc_cidr": "10.0.0.0/16",
"environment": "test",
},
}
defer terraform.Destroy(t, terraformOptions)
terraform.InitAndApply(t, terraformOptions)
vpcID := terraform.Output(t, terraformOptions, "vpc_id")
assert.NotEmpty(t, vpcID)
}
Cost Optimization
1. Resource Scheduling
Implement cost savings with resource scheduling:
locals {
business_hours = {
start = 8 # 8 AM
end = 18 # 6 PM
}
}
resource "aws_autoscaling_schedule" "scale_up" {
scheduled_action_name = "scale-up"
min_size = 2
max_size = 10
desired_capacity = 2
recurrence = "0 ${local.business_hours.start} * * MON-FRI"
autoscaling_group_name = aws_autoscaling_group.main.name
}
resource "aws_autoscaling_schedule" "scale_down" {
scheduled_action_name = "scale-down"
min_size = 0
max_size = 0
desired_capacity = 0
recurrence = "0 ${local.business_hours.end} * * MON-FRI"
autoscaling_group_name = aws_autoscaling_group.main.name
}
2. Cost Estimation
Use the infracost tool to estimate infrastructure costs:
# .infracost/config.yml
version: 0.1
projects:
- path: environments/dev
terraform_var_files:
- terraform.tfvars
usage_file: infracost-usage.yml
Security Best Practices
1. Secrets Management
Use AWS Secrets Manager for sensitive data:
data "aws_secretsmanager_secret" "database" {
name = "prod/database/credentials"
}
data "aws_secretsmanager_secret_version" "database" {
secret_id = data.aws_secretsmanager_secret.database.id
}
locals {
db_creds = jsondecode(data.aws_secretsmanager_secret_version.database.secret_string)
}
resource "aws_db_instance" "main" {
identifier = "${var.environment}-db"
engine = "postgres"
engine_version = "13.4"
instance_class = "db.t3.micro"
username = local.db_creds.username
password = local.db_creds.password
# ... other configuration
}
2. IAM Policies
Follow the principle of least privilege:
data "aws_iam_policy_document" "s3_read_only" {
statement {
actions = [
"s3:GetObject",
"s3:ListBucket",
]
resources = [
aws_s3_bucket.data.arn,
"${aws_s3_bucket.data.arn}/*",
]
condition {
test = "StringEquals"
variable = "aws:PrincipalTag/Environment"
values = [var.environment]
}
}
}
resource "aws_iam_role_policy" "s3_read_only" {
name = "s3-read-only"
role = aws_iam_role.app.id
policy = data.aws_iam_policy_document.s3_read_only.json
}
Monitoring and Compliance
1. Resource Tagging
Implement consistent tagging strategies:
locals {
common_tags = {
Environment = var.environment
Project = var.project_name
Owner = "DevOps"
Terraform = "true"
CostCenter = var.cost_center
}
}
resource "aws_instance" "app" {
ami = data.aws_ami.ubuntu.id
instance_type = "t3.micro"
tags = merge(
local.common_tags,
{
Name = "${var.environment}-app"
Role = "application"
}
)
}
2. Compliance Checks
Use custom rules with terraform-compliance:
# features/tags.feature
Feature: Mandatory Tags
Scenario: Ensure all resources have mandatory tags
Given I have resource that supports tags defined
Then it must contain tags
And its value must match the "Environment" regex expression "[a-z]+"
And its value must match the "CostCenter" regex expression "^CC[0-9]{4}$"
Conclusion
Mastering Terraform requires understanding both its technical capabilities and organizational best practices. Key takeaways:
- Structure your code properly with modules and environments
- Manage state carefully with remote backends and locking
- Implement security at every level
- Test your infrastructure code
- Monitor costs and optimize resources
Remember:
- Start with simple patterns and evolve as needed
- Document everything
- Use version control
- Implement automated testing
- Keep security in mind from day one
The journey to infrastructure as code mastery is continuous, but these practices will help you build and maintain robust, scalable infrastructure with Terraform.
