DEV Community: Mukami The latest articles on DEV Community by Mukami (@tink-origami). https://dev.to/tink-origami https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3829683%2Fcc4c3ea0-78ad-491a-82f2-a0508368436b.png DEV Community: Mukami https://dev.to/tink-origami en The Importance of Manual Testing in Terraform Mukami Mon, 30 Mar 2026 14:06:49 +0000 https://dev.to/tink-origami/the-importance-of-manual-testing-in-terraform-1812 https://dev.to/tink-origami/the-importance-of-manual-testing-in-terraform-1812 <h2> Why "It Works" Isn't Enough Until You Prove It </h2> <p><strong>Day 17 of the 30-Day Terraform Challenge</strong> — and today I learned that my infrastructure "worked" until I actually tested it.</p> <p>I had a webserver cluster. Terraform applied without errors. Everything looked perfect in the AWS Console. I was confident.</p> <p>Then I ran a structured manual test. The results were humbling.</p> <h2> The Problem: Code Success ≠ Functional Success </h2> <p>Terraform told me:</p> <ul> <li>✅ 11 resources created</li> <li>✅ No errors</li> <li>✅ State matches configuration</li> </ul> <p>But when I actually tried to use my infrastructure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>curl http://my-alb-dns 502 Bad Gateway </code></pre> </div> <p><strong>The code worked. The infrastructure didn't.</strong></p> <p>This is why manual testing matters.</p> <h2> My Test Checklist </h2> <p>I built a structured test plan covering five categories:</p> <h3> 1. Provisioning Verification </h3> <ul> <li> <code>terraform init</code> completes without errors</li> <li> <code>terraform validate</code> passes cleanly</li> <li> <code>terraform plan</code> shows expected resources</li> <li> <code>terraform apply</code> completes successfully</li> </ul> <h3> 2. Resource Correctness </h3> <ul> <li>Resources visible in AWS Console</li> <li>Names match variables</li> <li>Tags match expected values</li> <li>Security group rules exactly as defined</li> </ul> <h3> 3. Functional Verification </h3> <ul> <li>ALB DNS resolves</li> <li> <code>curl</code> returns expected response</li> <li>ASG instances pass health checks</li> <li>Instance termination triggers replacement</li> </ul> <h3> 4. State Consistency </h3> <ul> <li> <code>terraform plan</code> returns "No changes"</li> <li>State file matches AWS resources</li> </ul> <h3> 5. Cleanup </h3> <ul> <li> <code>terraform destroy</code> completes</li> <li>AWS Console verification shows no resources</li> </ul> <h2> What I Found </h2> <p><strong>Passed: 12 tests</strong> ✅</p> <ul> <li>Provisioning worked perfectly</li> <li>All resources created with correct tags</li> <li>State consistency was perfect</li> <li>Destroy cleaned up properly</li> </ul> <p><strong>Failed: 2 tests</strong> ❌</p> <ul> <li>ALB DNS resolution (timeout)</li> <li>ALB returned 502 Bad Gateway</li> </ul> <h2> The Root Cause </h2> <p>The infrastructure was created, but the application wasn't working. Why?</p> <ol> <li> <strong>ALB DNS takes time to propagate</strong> — I tested too early</li> <li> <strong>Health checks were failing</strong> — Instances weren't responding to HTTP</li> <li> <strong>User-data script may have failed</strong> — Apache probably wasn't running</li> </ol> <p>The code was correct. The application was not.</p> <h2> What Manual Testing Taught Me </h2> <p><strong>Terraform applies successfully ≠ infrastructure works</strong></p> <p>Terraform only checks that resources are created. It doesn't verify that your application is actually running.</p> <p><strong>DNS propagation is real</strong> — Just because the ALB exists doesn't mean it's reachable immediately.</p> <p><strong>Health checks are the real indicator</strong> — A running instance isn't enough. It needs to respond correctly.</p> <p><strong>Cleanup is harder than it looks</strong> — After <code>terraform destroy</code>, I found leftover instances. Manual verification is essential.</p> <h2> The Value of a Test Checklist </h2> <p>Before today, I'd run <code>terraform apply</code> and call it done.</p> <p>Now I have a checklist that catches:</p> <ul> <li>DNS propagation issues</li> <li>Application startup failures</li> <li>Health check problems</li> <li>Cleanup gaps</li> </ul> <p>Each failed test is a gap I can fix and later automate.</p> <h2> What I Learned About Cleanup </h2> <p>After <code>terraform destroy</code>, I verified with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws ec2 describe-instances <span class="nt">--filters</span> <span class="s2">"Name=tag:Name,Values=*test-webserver*"</span> </code></pre> </div> <p>I found five instances still running. Terraform destroyed the ASG but instances were still terminating. Manual verification caught what automation missed.</p> <p><strong>Lesson:</strong> Always verify cleanup. Don't trust <code>destroy</code> alone.</p> <h2> The Manual Test Results </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Test</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>terraform init</td> <td>✅ PASS</td> </tr> <tr> <td>terraform validate</td> <td>✅ PASS</td> </tr> <tr> <td>terraform plan</td> <td>✅ PASS</td> </tr> <tr> <td>terraform apply</td> <td>✅ PASS</td> </tr> <tr> <td>Resources in AWS</td> <td>✅ PASS</td> </tr> <tr> <td>Tags correct</td> <td>✅ PASS</td> </tr> <tr> <td>Security group rules</td> <td>✅ PASS</td> </tr> <tr> <td>ALB DNS resolution</td> <td>❌ FAIL</td> </tr> <tr> <td>ALB returns webpage</td> <td>❌ FAIL</td> </tr> <tr> <td>ASG instances running</td> <td>✅ PASS</td> </tr> <tr> <td>State consistency</td> <td>✅ PASS</td> </tr> <tr> <td>terraform destroy</td> <td>✅ PASS</td> </tr> <tr> <td>Cleanup verification</td> <td>✅ PASS</td> </tr> </tbody> </table></div> <p><strong>12 passed, 2 failed.</strong></p> <h2> Why This Matters </h2> <p>Manual testing isn't about checking boxes. It's about finding gaps before they become outages.</p> <p>If I had deployed this infrastructure without testing:</p> <ul> <li>Users would see 502 errors</li> <li>I'd be debugging under pressure</li> <li>The problem would take longer to find</li> </ul> <p>Instead, I found the failure in a controlled environment. I can now fix it and write automated tests to prevent it from happening again.</p> <h2> The Big Lesson </h2> <p><strong>Terraform applies successfully ≠ Infrastructure works</strong></p> <p>The gap between "code success" and "functional success" is where outages happen. Manual testing closes that gap.</p> <h2> Next Steps </h2> <ol> <li>Fix the user-data script to ensure Apache starts reliably</li> <li>Add <code>wait_for_capacity_timeout</code> to ASG</li> <li>Wait 2-3 minutes after apply before testing</li> <li>Write automated tests to catch these issues in CI</li> </ol> <p><em>P.S. The 502 Bad Gateway was humbling. But finding it manually before deployment was a win. Test early, test often, test manually before you automate.</em> 🚀</p> testing aws terraform tutorial Creating Production-Grade Infrastructure with Terraform Mukami Mon, 30 Mar 2026 07:21:58 +0000 https://dev.to/tink-origami/creating-production-grade-infrastructure-with-terraform-3b1p https://dev.to/tink-origami/creating-production-grade-infrastructure-with-terraform-3b1p <h2> The Gap Between "It Works" and "It's Production-Ready" </h2> <p><strong>Day 16 of the 30-Day Terraform Challenge</strong> — and today I learned that my "working" infrastructure was nowhere near production-ready.</p> <p>I had a webserver cluster. It deployed. It served traffic. I was proud of it.</p> <p>Then I ran it against a production-grade checklist. The result was humbling.</p> <h2> The Production-Grade Checklist </h2> <p>I audited my infrastructure against 5 categories:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Category</th> <th>Score</th> <th>What I Was Missing</th> </tr> </thead> <tbody> <tr> <td><strong>Structure</strong></td> <td>80%</td> <td>Some hardcoded values</td> </tr> <tr> <td><strong>Reliability</strong></td> <td>60%</td> <td>No <code>prevent_destroy</code>, no wait timeouts</td> </tr> <tr> <td><strong>Security</strong></td> <td>70%</td> <td>SSH open to world, no validation</td> </tr> <tr> <td><strong>Observability</strong></td> <td>30%</td> <td>No consistent tags, no alarms</td> </tr> <tr> <td><strong>Maintainability</strong></td> <td>90%</td> <td>Missing input validation</td> </tr> </tbody> </table></div> <p>The gap was significant. Here's how I closed it.</p> <h2> Refactor 1: Consistent Tagging </h2> <p><strong>Before:</strong> Tags scattered across resources, inconsistent.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">tags</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-instance"</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">}</span> </code></pre> </div> <p><strong>After:</strong> Centralized tags with <code>locals</code> and <code>merge()</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="nx">common_tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="nx">ManagedBy</span> <span class="p">=</span> <span class="s2">"Terraform"</span> <span class="nx">Project</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">project_name</span> <span class="nx">Team</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">team_name</span> <span class="nx">Day</span> <span class="p">=</span> <span class="s2">"16"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">tags</span> <span class="err">=</span> <span class="nx">merge</span><span class="err">(</span><span class="nx">local</span><span class="err">.</span><span class="nx">common_tags</span><span class="err">,</span> <span class="p">{</span> <span class="nx">Name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-alb"</span> <span class="p">}</span><span class="err">)</span> </code></pre> </div> <p>Now every resource has the same base tags. Cost allocation, ownership tracking, and operations all benefit.</p> <h2> Refactor 2: Lifecycle Protection </h2> <p><strong>Before:</strong> No protection against accidental deletion.</p> <p><strong>After:</strong> Added <code>prevent_destroy</code> to critical resources.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="c1"># ... config ...</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">prevent_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Can't accidentally delete ALB</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Without this, one wrong <code>terraform destroy</code> wipes production. With it, Terraform errors before doing damage.</p> <h2> Refactor 3: CloudWatch Alarms </h2> <p><strong>Before:</strong> No monitoring. If CPU spiked, I wouldn't know.</p> <p><strong>After:</strong> Alarms that notify via SNS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_sns_topic"</span> <span class="s2">"alerts"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-alerts"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_metric_alarm"</span> <span class="s2">"high_cpu"</span> <span class="p">{</span> <span class="nx">alarm_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-high-cpu"</span> <span class="nx">comparison_operator</span> <span class="p">=</span> <span class="s2">"GreaterThanThreshold"</span> <span class="nx">evaluation_periods</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">metric_name</span> <span class="p">=</span> <span class="s2">"CPUUtilization"</span> <span class="nx">namespace</span> <span class="p">=</span> <span class="s2">"AWS/EC2"</span> <span class="nx">period</span> <span class="p">=</span> <span class="mi">120</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">alarm_description</span> <span class="p">=</span> <span class="s2">"CPU exceeds 80% for 4 minutes"</span> <span class="nx">dimensions</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">AutoScalingGroupName</span> <span class="p">=</span> <span class="nx">aws_autoscaling_group</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="nx">alarm_actions</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_sns_topic</span><span class="p">.</span><span class="nx">alerts</span><span class="p">.</span><span class="nx">arn</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Now when CPU hits 80% for 4 minutes, I get an alert. I can scale before users notice.</p> <h2> Refactor 4: Input Validation </h2> <p><strong>Before:</strong> Any value was accepted. <code>environment = "prod"</code> would work.</p> <p><strong>After:</strong> Validation blocks catch mistakes early.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"staging"</span><span class="p">,</span> <span class="s2">"production"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Environment must be dev, staging, or production."</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">can</span><span class="p">(</span><span class="nx">regex</span><span class="p">(</span><span class="s2">"^t[23]</span><span class="err">\\</span><span class="s2">."</span><span class="p">,</span> <span class="nx">var</span><span class="p">.</span><span class="nx">instance_type</span><span class="p">))</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Instance type must be a t2 or t3 family type."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Try <code>terraform plan -var="environment=prod"</code> (missing "uction"):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Invalid value for variable Environment must be dev, staging, or production. </code></pre> </div> <p>Caught at plan time, not after deployment.</p> <h2> Refactor 5: ASG Wait Timeout </h2> <p><strong>Before:</strong> No <code>wait_for_capacity_timeout</code> — Terraform would move on before instances were healthy.</p> <p><strong>After:</strong> Added patience.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_autoscaling_group"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">health_check_grace_period</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">wait_for_capacity_timeout</span> <span class="p">=</span> <span class="s2">"10m"</span> <span class="p">}</span> </code></pre> </div> <p>Now Terraform waits up to 10 minutes for instances to pass health checks before destroying old ones. Critical for zero-downtime.</p> <h2> The Before and After </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td><strong>Tags</strong></td> <td>Inconsistent</td> <td>Centralized, all resources tagged</td> </tr> <tr> <td><strong>Deletion Protection</strong></td> <td>None</td> <td> <code>prevent_destroy</code> on ALB</td> </tr> <tr> <td><strong>Monitoring</strong></td> <td>None</td> <td>CloudWatch alarms + SNS</td> </tr> <tr> <td><strong>Validation</strong></td> <td>None</td> <td>All variables validated</td> </tr> <tr> <td><strong>ASG Wait</strong></td> <td>None</td> <td>10-minute timeout</td> </tr> <tr> <td><strong>SSH Access</strong></td> <td>0.0.0.0/0</td> <td>Restricted (configurable)</td> </tr> </tbody> </table></div> <h2> What I Learned </h2> <p><strong>Production-grade isn't about features. It's about resilience.</strong></p> <p>My code "worked." But it wouldn't survive:</p> <ul> <li>A bad <code>terraform destroy</code> command</li> <li>A CPU spike at 3 AM</li> <li>A teammate typing "prod" instead of "production"</li> <li>An instance taking 2 minutes to boot</li> </ul> <p>Each refactor addresses a failure mode I hadn't considered.</p> <h2> The Checklist Matters </h2> <p>The production-grade checklist isn't just a list. It's a map of failure modes.</p> <ul> <li> <strong>Tagging</strong> → Who owns this? Who pays for it?</li> <li> <strong><code>prevent_destroy</code></strong> → What happens if I fat-finger this?</li> <li> <strong>Alarms</strong> → How will I know something is wrong?</li> <li> <strong>Validation</strong> → What if someone passes wrong values?</li> <li> <strong>Timeouts</strong> → What if things take longer than expected?</li> </ul> <p>Every checkbox answers a "what if" question.</p> <h2> The Bottom Line </h2> <p>Today I transformed "working" infrastructure into "production-ready" infrastructure.</p> <p>The difference isn't features. It's resilience, observability, and safety.</p> <p><strong>If you're deploying code that matters, run it through a production checklist.</strong></p> <p><em>P.S. The moment I added <code>prevent_destroy</code> to my ALB, I felt safer. The moment I added validation, I felt smarter. The moment I added alarms, I felt like a real engineer. Small changes, big impact.</em> </p> tutorial terraform 30daychallenge aws Deploying Multi-Cloud Infrastructure with Terraform Modules Mukami Sun, 29 Mar 2026 09:21:41 +0000 https://dev.to/tink-origami/deploying-multi-cloud-infrastructure-with-terraform-modules-hln https://dev.to/tink-origami/deploying-multi-cloud-infrastructure-with-terraform-modules-hln <h2> From S3 Buckets to EKS Clusters — All in One Configuration </h2> <p><strong>Day 15 of the 30-Day Terraform Challenge</strong> — and today I learned that Terraform isn't just for AWS. It's for everything.</p> <p>One configuration. Multiple providers. S3 buckets across regions. Docker containers locally. A full Kubernetes cluster on EKS. All from the same tool.</p> <p>Here's how it all came together.</p> <h2> Part 1: Multi-Provider Modules </h2> <p>The first challenge: creating a module that works across multiple AWS regions.</p> <p>Modules can't hardcode providers. That would break reusability. Instead, they must accept provider configurations from the caller.</p> <p><strong>The module (no provider block inside):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">configuration_aliases</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws</span><span class="p">.</span><span class="nx">primary</span><span class="p">,</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">replica</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">primary</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"${var.app_name}-primary"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"replica"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">replica</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"${var.app_name}-replica"</span> <span class="p">}</span> </code></pre> </div> <p><strong>The caller (provides the providers):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"primary"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-north-1"</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"replica"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="p">}</span> <span class="nx">module</span> <span class="s2">"multi_region_app"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../modules/multi-region-app"</span> <span class="nx">providers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">primary</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">primary</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">replica</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">replica</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This pattern is how Terraform scales to global infrastructure.</p> <h2> Part 2: Docker Provider — Local Testing </h2> <p>Before deploying to Kubernetes, I tested locally with Docker:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">docker</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"kreuzwerker/docker"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 3.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"docker_image"</span> <span class="s2">"nginx"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"nginx:latest"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"docker_container"</span> <span class="s2">"nginx"</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="nx">docker_image</span><span class="p">.</span><span class="nx">nginx</span><span class="p">.</span><span class="nx">image_id</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"terraform-nginx"</span> <span class="nx">ports</span> <span class="p">{</span> <span class="nx">internal</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">external</span> <span class="p">=</span> <span class="mi">8080</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>One <code>terraform apply</code> later:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>docker ps CONTAINER ID IMAGE COMMAND PORTS NAMES 2ea179f7333b nginx:latest <span class="s2">"/docker-entrypoint.…"</span> 0.0.0.0:8080-&gt;80/tcp terraform-nginx <span class="nv">$ </span>curl http://localhost:8080 &lt;<span class="o">!</span>DOCTYPE html&gt; &lt;html&gt; &lt;<span class="nb">head</span><span class="o">&gt;</span>&lt;title&gt;Welcome to nginx!&lt;/title&gt;... </code></pre> </div> <p>A container running on my machine, provisioned entirely by Terraform. No Docker commands. No manual setup.</p> <h2> Part 3: EKS Cluster — The Big One </h2> <p>This was the most complex deployment yet. An entire Kubernetes cluster on AWS EKS.</p> <p><strong>VPC first (using community module):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"vpc"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/vpc/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"eks-vpc"</span> <span class="nx">cidr</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="nx">azs</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eu-north-1a"</span><span class="p">,</span> <span class="s2">"eu-north-1b"</span><span class="p">,</span> <span class="s2">"eu-north-1c"</span><span class="p">]</span> <span class="nx">private_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.1.0/24"</span><span class="p">,</span> <span class="s2">"10.0.2.0/24"</span><span class="p">,</span> <span class="s2">"10.0.3.0/24"</span><span class="p">]</span> <span class="nx">public_subnets</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"10.0.101.0/24"</span><span class="p">,</span> <span class="s2">"10.0.102.0/24"</span><span class="p">,</span> <span class="s2">"10.0.103.0/24"</span><span class="p">]</span> <span class="nx">enable_nat_gateway</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p><strong>Then the EKS cluster:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"eks"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"terraform-aws-modules/eks/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 20.0"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"terraform-challenge-cluster"</span> <span class="nx">cluster_version</span> <span class="p">=</span> <span class="s2">"1.29"</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">vpc_id</span> <span class="nx">subnet_ids</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">vpc</span><span class="p">.</span><span class="nx">private_subnets</span> <span class="nx">eks_managed_node_groups</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">desired_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">instance_types</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"t3.small"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>The Kubernetes provider (authenticates using AWS token):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"kubernetes"</span> <span class="p">{</span> <span class="nx">host</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_endpoint</span> <span class="nx">cluster_ca_certificate</span> <span class="p">=</span> <span class="nx">base64decode</span><span class="p">(</span><span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_certificate_authority_data</span><span class="p">)</span> <span class="nx">exec</span> <span class="p">{</span> <span class="nx">api_version</span> <span class="p">=</span> <span class="s2">"client.authentication.k8s.io/v1beta1"</span> <span class="nx">command</span> <span class="p">=</span> <span class="s2">"aws"</span> <span class="nx">args</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"eks"</span><span class="p">,</span> <span class="s2">"get-token"</span><span class="p">,</span> <span class="s2">"--cluster-name"</span><span class="p">,</span> <span class="nx">module</span><span class="p">.</span><span class="nx">eks</span><span class="p">.</span><span class="nx">cluster_name</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This <code>exec</code> block runs <code>aws eks get-token</code> to generate a temporary authentication token. No hardcoded credentials.</p> <h2> Part 4: Deploying to Kubernetes </h2> <p>With the cluster running, I deployed nginx:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"kubernetes_deployment"</span> <span class="s2">"nginx"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"nginx-deployment"</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"nginx"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">replicas</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">selector</span> <span class="p">{</span> <span class="nx">match_labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"nginx"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">template</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">labels</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"nginx"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">container</span> <span class="p">{</span> <span class="nx">image</span> <span class="p">=</span> <span class="s2">"nginx:latest"</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"nginx"</span> <span class="nx">port</span> <span class="p">{</span> <span class="nx">container_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"kubernetes_service"</span> <span class="s2">"nginx"</span> <span class="p">{</span> <span class="nx">metadata</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"nginx-service"</span> <span class="p">}</span> <span class="nx">spec</span> <span class="p">{</span> <span class="nx">selector</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">app</span> <span class="p">=</span> <span class="s2">"nginx"</span> <span class="p">}</span> <span class="nx">port</span> <span class="p">{</span> <span class="nx">port</span> <span class="p">=</span> <span class="mi">80</span><span class="err">;</span> <span class="nx">target_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"LoadBalancer"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Part 5: The Moment It Worked </h2> <p>After 8 minutes of cluster provisioning (felt like an eternity), the nodes appeared:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get nodes NAME STATUS ROLES AGE VERSION ip-10-0-1-219.eu-north-1.compute.internal Ready &lt;none&gt; 21m v1.29 ip-10-0-2-67.eu-north-1.compute.internal Ready &lt;none&gt; 21m v1.29 </code></pre> </div> <p>Then the nginx pods:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get pods NAME READY STATUS RESTARTS AGE nginx-xxxxxxxxxx-xxxxx 1/1 Running 0 30s nginx-xxxxxxxxxx-yyyyy 1/1 Running 0 30s </code></pre> </div> <p>And finally, the LoadBalancer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>kubectl get service nginx NAME TYPE EXTERNAL-IP nginx LoadBalancer a4410db0bc9904a48978a65e7108ee18-2037003514.eu-north-1.elb.amazonaws.com </code></pre> </div> <p>A publicly accessible nginx server, running on Kubernetes, provisioned entirely by Terraform.</p> <h2> What I Learned </h2> <p><strong>Modules must accept providers.</strong> You can't hardcode regions inside a reusable module. Use <code>configuration_aliases</code> and pass providers from the root.</p> <p><strong>The Docker provider is great for local testing.</strong> Before deploying to EKS, I tested the same container image locally. Saved time and money.</p> <p><strong>EKS takes time.</strong> 8-10 minutes for the control plane. Another 2-3 minutes for nodes. Patience is required.</p> <p><strong>RBAC is the final hurdle.</strong> Even with the cluster running, your IAM user needs explicit permissions via Access Entry and policy association.</p> <p><strong>One tool, many providers.</strong> AWS, Docker, Kubernetes — all from the same Terraform configuration.</p> <h2> The Cost Warning </h2> <p>EKS isn't free. A cluster costs ~$0.10/hour plus EC2 nodes (~$0.04/hour each). My 2-hour test cost about $0.50. Always destroy when done.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform destroy <span class="nt">-auto-approve</span> </code></pre> </div> <h2> The Bottom Line </h2> <p>Today I deployed:</p> <ul> <li>S3 buckets in two AWS regions (using provider aliases)</li> <li>A Docker container locally (using Docker provider)</li> <li>A full EKS cluster with 2 nodes (using AWS EKS module)</li> <li>Nginx pods on Kubernetes (using Kubernetes provider)</li> </ul> <p>All from one Terraform configuration.</p> <p><strong>This is why I love Terraform. One language. One workflow. Every cloud.</strong></p> eks terraform 30daychallenge cloud Getting Started with Multiple Providers in Terraform Mukami Sun, 29 Mar 2026 08:07:33 +0000 https://dev.to/tink-origami/getting-started-with-multiple-providers-in-terraform-5g54 https://dev.to/tink-origami/getting-started-with-multiple-providers-in-terraform-5g54 <h2> How to Deploy Across Multiple AWS Regions Without Losing Your Mind </h2> <p><strong>Day 14 of the 30-Day Terraform Challenge</strong> — and today I learned that Terraform isn't limited to one region or one account.</p> <p>One provider config. Multiple regions. Multiple accounts. Same codebase.</p> <p>Here's how it works.</p> <h2> What Is a Provider? </h2> <p>A provider is a plugin that translates Terraform code into API calls. The AWS provider knows how to create S3 buckets. The Kubernetes provider knows how to create pods. The random provider generates... random stuff.</p> <p>When you run <code>terraform init</code>, Terraform downloads these plugins from the Terraform Registry. No manual installation. No hunting for binaries.</p> <h2> Pinning Provider Versions </h2> <p>Never leave your provider version blank. That's how things break unexpectedly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"&gt;= 1.0"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="c1"># Any 5.x, but not 6.0</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>~&gt; 5.0</code> constraint means: use version 5.0 or higher, but less than 6.0. You get bug fixes and security patches, but no breaking changes.</p> <p>After <code>terraform init</code>, check <code>.terraform.lock.hcl</code>. It records the exact version downloaded. <strong>Commit this file to Git.</strong> It ensures your whole team uses the same provider version.</p> <h2> The Default Provider </h2> <p>A basic provider config applies to every resource in your configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-north-1"</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"example"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-bucket"</span> <span class="c1"># Deploys in eu-north-1</span> <span class="p">}</span> </code></pre> </div> <p>Terraform uses this default provider for every resource that doesn't specify otherwise.</p> <h2> Multiple Regions: Provider Aliases </h2> <p>Want resources in two regions? Define an alias:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Default provider — primary region</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-north-1"</span> <span class="p">}</span> <span class="c1"># Aliased provider — secondary region</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"ireland"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-west-1"</span> <span class="p">}</span> <span class="c1"># Aliased provider — tertiary region</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"frankfurt"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-central-1"</span> <span class="p">}</span> </code></pre> </div> <p>Now you can deploy resources anywhere:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Uses default provider (eu-north-1)</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"primary-bucket"</span> <span class="p">}</span> <span class="c1"># Uses ireland alias</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"replica"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">ireland</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"replica-bucket"</span> <span class="p">}</span> <span class="c1"># Uses frankfurt alias</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"backup"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">frankfurt</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"backup-bucket"</span> <span class="p">}</span> </code></pre> </div> <p>Terraform knows exactly which API endpoint to call for each resource.</p> <h2> S3 Cross-Region Replication Example </h2> <p>Here's a practical use case: replicate data across regions for disaster recovery.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Primary bucket in eu-north-1</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"primary"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"app-primary-data"</span> <span class="p">}</span> <span class="c1"># Replica bucket in eu-west-1</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"replica"</span> <span class="p">{</span> <span class="nx">provider</span> <span class="p">=</span> <span class="nx">aws</span><span class="p">.</span><span class="nx">ireland</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"app-replica-data"</span> <span class="p">}</span> <span class="c1"># Replication configuration</span> <span class="nx">resource</span> <span class="s2">"aws_s3_bucket_replication_configuration"</span> <span class="s2">"replication"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">replication</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">primary</span><span class="p">.</span><span class="nx">id</span> <span class="nx">rule</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">=</span> <span class="s2">"replicate-all"</span> <span class="nx">status</span> <span class="p">=</span> <span class="s2">"Enabled"</span> <span class="nx">destination</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="nx">aws_s3_bucket</span><span class="p">.</span><span class="nx">replica</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">storage_class</span> <span class="p">=</span> <span class="s2">"STANDARD"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now every file uploaded to the primary bucket is automatically replicated to Ireland. If eu-north-1 goes down, your data is safe.</p> <h2> Multiple AWS Accounts </h2> <p>For multi-account setups, use <code>assume_role</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"prod"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-north-1"</span> <span class="nx">assume_role</span> <span class="p">{</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::111111111111:role/TerraformDeployRole"</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">alias</span> <span class="p">=</span> <span class="s2">"staging"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-north-1"</span> <span class="nx">assume_role</span> <span class="p">{</span> <span class="nx">role_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::222222222222:role/TerraformDeployRole"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The IAM role in each account needs permissions to create the resources you're managing. Terraform assumes the role, performs the operations, then drops the credentials.</p> <h2> The Lock File Explained </h2> <p>After <code>terraform init</code>, you get <code>.terraform.lock.hcl</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">provider</span> <span class="s2">"registry.terraform.io/hashicorp/aws"</span> <span class="p">{</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"5.100.0"</span> <span class="c1"># Exact version installed</span> <span class="nx">constraints</span> <span class="p">=</span> <span class="s2">"~&gt; 5.0"</span> <span class="c1"># Your version constraint</span> <span class="nx">hashes</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"h1:abc123def456..."</span><span class="p">,</span> <span class="c1"># Checksum for verification</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why commit this file?</strong></p> <ul> <li>Everyone uses the same provider version</li> <li>No "works on my machine" problems</li> <li>Hashes verify downloads haven't been tampered with</li> </ul> <h2> Chapter 7 Learnings </h2> <p><strong>What happens during <code>terraform init</code>?</strong></p> <ol> <li>Reads your <code>required_providers</code> block</li> <li>Downloads provider binaries from the Terraform Registry</li> <li>Records exact versions in <code>.terraform.lock.hcl</code> </li> </ol> <p><strong><code>version</code> vs <code>~&gt; version</code>:</strong></p> <ul> <li> <code>version = "5.0"</code> — exact version only</li> <li> <code>~&gt; 5.0</code> — any 5.x version, but not 6.0 (allows patches)</li> </ul> <p><strong>How Terraform chooses a provider:</strong> Uses the default provider unless you specify <code>provider = alias</code> in the resource.</p> <h2> What I Learned </h2> <p>Provider aliases unlock multi-region infrastructure. One configuration can now deploy globally.</p> <p>The lock file is your friend. Commit it. It prevents version drift across your team.</p> <p>Multi-account deployments are just aliases with <code>assume_role</code>. Same pattern, different accounts.</p> <h2> The Bottom Line </h2> <p>Terraform isn't limited to one region or one account. With provider aliases, you can deploy anywhere.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Need</th> <th>Solution</th> </tr> </thead> <tbody> <tr> <td>Multiple regions</td> <td>Provider aliases</td> </tr> <tr> <td>Multiple accounts</td> <td> <code>assume_role</code> + aliases</td> </tr> <tr> <td>Version consistency</td> <td>Pin versions + commit lock file</td> </tr> </tbody> </table></div> <p><strong>One configuration. Global infrastructure.</strong></p> <p><em>P.S. The lock file seems like a small detail, but it's saved me from "but it worked on my laptop" conversations more times than I can count. Commit it.</em> 🔒</p> aws terraform providers 30daychallenge How to Handle Sensitive Data Securely in Terraform Mukami Sat, 28 Mar 2026 13:15:59 +0000 https://dev.to/tink-origami/how-to-handle-sensitive-data-securely-in-terraform-4cci https://dev.to/tink-origami/how-to-handle-sensitive-data-securely-in-terraform-4cci <h2> The Three Ways Secrets Leak (And How to Stop Every One) </h2> <p><strong>Day 13 of the 30-Day Terraform Challenge</strong> — and today I learned that even when you think your secrets are safe, they're probably not.</p> <p>Secrets leak in Terraform in three predictable ways. I found all three. I fixed all three. And I documented what I learned so you don't have to make the same mistakes.</p> <h2> The Three Leak Paths </h2> <h3> Leak Path 1: Hardcoded in .tf Files </h3> <p><strong>The mistake:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"example"</span> <span class="p">{</span> <span class="nx">username</span> <span class="p">=</span> <span class="s2">"admin"</span> <span class="nx">password</span> <span class="p">=</span> <span class="s2">"super-secret-password"</span> <span class="c1"># ❌</span> <span class="p">}</span> </code></pre> </div> <p>This password is now in your Git history. Forever. Even if you delete it, it's still in the commit history. Anyone with access to your repo can see it.</p> <p><strong>The fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"db_password"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># No default — Terraform will prompt</span> <span class="p">}</span> </code></pre> </div> <p>Now the password never touches your code.</p> <h3> Leak Path 2: Variable Defaults </h3> <p><strong>The mistake:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"db_password"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"super-secret-password"</span> <span class="c1"># ❌ Still in code</span> <span class="p">}</span> </code></pre> </div> <p>Default values are stored in your <code>.tf</code> files. Same problem as hardcoding. The secret is right there in version control.</p> <p><strong>The fix:</strong> No defaults for secrets. Ever.</p> <h3> Leak Path 3: The State File </h3> <p><strong>The reality:</strong> Even if you fix the first two, Terraform stores <strong>every resource attribute</strong> in <code>terraform.tfstate</code> in plaintext.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat </span>terraform.tfstate | <span class="nb">grep </span>password <span class="s2">"password"</span>: <span class="s2">"MySecurePassword123!"</span> <span class="c"># ❌ Right there!</span> </code></pre> </div> <p>Anyone with read access to the state file can see all your secrets.</p> <p><strong>The fix:</strong> </p> <ul> <li>Use remote state with encryption (S3 + <code>encrypt = true</code>)</li> <li>Restrict access with IAM policies</li> <li>Never commit state to Git</li> <li>Enable versioning to recover from mistakes</li> </ul> <h2> AWS Secrets Manager: The Right Way </h2> <p>Instead of hardcoding, store secrets in AWS Secrets Manager:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">data</span> <span class="s2">"aws_secretsmanager_secret"</span> <span class="s2">"db_credentials"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prod/db/credentials"</span> <span class="p">}</span> <span class="nx">data</span> <span class="s2">"aws_secretsmanager_secret_version"</span> <span class="s2">"db_credentials"</span> <span class="p">{</span> <span class="nx">secret_id</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_secretsmanager_secret</span><span class="p">.</span><span class="nx">db_credentials</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">db_credentials</span> <span class="p">=</span> <span class="nx">jsondecode</span><span class="p">(</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_secretsmanager_secret_version</span><span class="p">.</span><span class="nx">db_credentials</span><span class="p">.</span><span class="nx">secret_string</span> <span class="p">)</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_db_instance"</span> <span class="s2">"example"</span> <span class="p">{</span> <span class="nx">username</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">db_credentials</span><span class="p">[</span><span class="s2">"username"</span><span class="p">]</span> <span class="nx">password</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">db_credentials</span><span class="p">[</span><span class="s2">"password"</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p><strong>What this gives you:</strong></p> <ul> <li>✅ Secrets never appear in your <code>.tf</code> files</li> <li>✅ Fetched at runtime</li> <li>✅ Centralized secret management</li> <li>✅ Rotation capabilities</li> </ul> <h2> Marking Secrets as Sensitive </h2> <p>Terraform's <code>sensitive = true</code> prevents secrets from appearing in terminal output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"db_password"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">db_credentials</span><span class="p">[</span><span class="s2">"password"</span><span class="p">]</span> <span class="nx">sensitive</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p><strong>Plan output:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>db_password = &lt;sensitive&gt; </code></pre> </div> <p>⚠️ <strong>Important:</strong> This does NOT prevent secrets from being stored in state. It only hides them from the terminal.</p> <h2> State File Security Checklist </h2> <p>After deploying, I verified all of these:</p> <p>✅ <strong>S3 backend with encryption:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-terraform-state"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># AES-256 encryption</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>✅ <strong>Block public access</strong> on S3 bucket</p> <p>✅ <strong>Enable versioning</strong> to recover from mistakes</p> <p>✅ <strong>Restrict IAM policy</strong> to only Terraform runners</p> <p>✅ <strong>.gitignore</strong> to prevent accidental commits:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.terraform/ *.tfstate *.tfstate.backup *.tfvars </code></pre> </div> <h2> What the Plan Looked Like </h2> <p>When I ran <code>terraform plan</code>, the output showed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">username</span> <span class="p">=</span> <span class="s">(sensitive value)</span> <span class="py">password</span> <span class="p">=</span> <span class="s">(sensitive value)</span> <span class="py">db_password</span> <span class="p">=</span> <span class="s">(sensitive value)</span> </code></pre> </div> <p>The actual secrets never appeared in my terminal. But when I checked the state file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cat </span>terraform.tfstate | <span class="nb">grep </span>password <span class="s2">"password"</span>: <span class="s2">"MySecurePassword123!"</span> </code></pre> </div> <p><strong>The password was right there in plaintext.</strong> This was the "aha!" moment — state encryption isn't optional. It's mandatory.</p> <h2> Chapter 6 Learnings </h2> <p><strong>Does <code>sensitive = true</code> prevent secrets from being stored in state?</strong><br> No. It only hides them from terminal output. Secrets are still in state. You must secure the state file.</p> <p><strong>Vault vs Secrets Manager:</strong></p> <ul> <li> <strong>AWS Secrets Manager:</strong> AWS-native, simpler, good for AWS-only environments, integrates with RDS</li> <li> <strong>HashiCorp Vault:</strong> Multi-cloud, dynamic secrets, fine-grained policies, more complex to set up</li> </ul> <p><strong>Why secrets appear in state:</strong> Terraform stores all resource attributes to track infrastructure. The only solution is to secure the state file itself with encryption and access controls.</p> <h2> What I Learned </h2> <p>Secrets management isn't just about not hardcoding passwords. It's about:</p> <ol> <li> <strong>Using a secrets manager</strong> — AWS Secrets Manager, HashiCorp Vault</li> <li> <strong>Never hardcoding</strong> — no passwords in <code>.tf</code> files, no defaults</li> <li> <strong>Marking sensitive outputs</strong> — <code>sensitive = true</code> hides from terminal</li> <li> <strong>Securing the state file</strong> — encrypted S3 backend, restricted access</li> <li> <strong>Proper .gitignore</strong> — never commit state or tfvars</li> </ol> <p>The state file is the last line of defence. Secure it like you would a password manager.</p> <h2> My .gitignore </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Terraform .terraform/ .terraform.lock.hcl *.tfstate *.tfstate.backup *.tfvars *.tfvars.json # Local secrets *.secret secrets.tfvars # Environment .env .env.local </code></pre> </div> <h2> The Bottom Line </h2> <p>Three leak paths. Three fixes:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Leak Path</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>Hardcoded in .tf</td> <td>Use variables with <code>sensitive = true</code> </td> </tr> <tr> <td>Variable defaults</td> <td>Remove defaults, use Secrets Manager</td> </tr> <tr> <td>State file</td> <td>Encrypted remote backend, restricted access</td> </tr> </tbody> </table></div> <p><strong>Security isn't optional in production infrastructure.</strong></p> <p><strong>Resources:</strong></p> <ul> <li><a href="https://docs.aws.amazon.com/secretsmanager/" rel="noopener noreferrer">AWS Secrets Manager Documentation</a></li> <li><a href="https://developer.hashicorp.com/terraform/language/values/outputs#sensitive-suppressing-values-in-cli-output" rel="noopener noreferrer">Terraform Sensitive Values</a></li> <li><a href="https://developer.hashicorp.com/terraform/language/state/sensitive-data" rel="noopener noreferrer">Protecting Sensitive Data in State</a></li> </ul> <p><em>P.S. The moment I saw my password in the state file was humbling. No matter how careful you are with your code, if you don't secure your state, you're leaving secrets in plain sight.</em> </p> terraform aws security Mastering Zero-Downtime Deployments with Terraform Mukami Sat, 28 Mar 2026 11:58:27 +0000 https://dev.to/tink-origami/mastering-zero-downtime-deployments-with-terraform-kem https://dev.to/tink-origami/mastering-zero-downtime-deployments-with-terraform-kem <h2> How I Updated Production Without Taking My App Offline (Almost) </h2> <p><strong>Day 12 of the 30-Day Terraform Challenge</strong> — and today I learned the difference between "it works" and "it works without anyone noticing."</p> <p>Deploying infrastructure updates without downtime is one of the hardest problems in operations. It's also one of the most valuable skills you can have. Today I made it happen.</p> <p>Well, almost. Let me show you what worked, what broke, and what I learned.</p> <h2> The Problem: Terraform's Default Behavior is Destructive </h2> <p>When you update a Launch Template or Auto Scaling Group, Terraform does something terrifying by default:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Destroy old ASG → All instances terminate → Website goes down ❌ 2. Create new ASG → New instances spin up → Website comes back </code></pre> </div> <p>Between step 1 and step 2, there's a window of silence. Sometimes seconds. Sometimes minutes. In production, that's a disaster.</p> <p><strong>The fix?</strong> A little lifecycle rule called <code>create_before_destroy</code>.</p> <h2> The Solution: create_before_destroy </h2> <p>This simple lifecycle block flips the order:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>Instead of destroy → create, it does:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. Create new resources 2. Wait for them to be healthy 3. Destroy old resources </code></pre> </div> <p><strong>No gap. No downtime.</strong></p> <h2> The ASG Naming Problem </h2> <p>There's a catch. AWS won't let two Auto Scaling Groups have the same name. When <code>create_before_destroy</code> creates the new ASG before destroying the old one, they'd both have the same name and Terraform would error.</p> <p><strong>The fix:</strong> Use <code>name_prefix</code> instead of a fixed name:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">name_prefix</span> <span class="err">=</span> <span class="s2">"web-asg-${random_id.asg.hex}-"</span> </code></pre> </div> <p>Add a <code>random_id</code> that changes when your code changes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"random_id"</span> <span class="s2">"asg"</span> <span class="p">{</span> <span class="nx">keepers</span> <span class="p">=</span> <span class="p">{</span> <span class="c1"># New ID when user_data changes</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="nx">base64encode</span><span class="p">(</span><span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/user-data.sh"</span><span class="p">))</span> <span class="p">}</span> <span class="nx">byte_length</span> <span class="p">=</span> <span class="mi">4</span> <span class="p">}</span> </code></pre> </div> <p>Now each deployment gets a unique name. Problem solved.</p> <h2> The Test: Updating from v1 to v2 </h2> <p>I set up a traffic monitor in one terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">while </span><span class="nb">true</span><span class="p">;</span> <span class="k">do </span>curl http://my-alb-dns-name <span class="nb">sleep </span>2 <span class="k">done</span> </code></pre> </div> <p>In another terminal, I updated my <code>user_data</code> script and ran <code>terraform apply</code>.</p> <p><strong>Here's what happened:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&lt;h1&gt;Version 1: Hello World!&lt;/h1&gt; - 14:34:04 &lt;h1&gt;Version 1: Hello World!&lt;/h1&gt; - 14:34:06 &lt;h1&gt;Version 1: Hello World!&lt;/h1&gt; - 14:34:08 ... 502 Bad Gateway - 14:35:08 # Uh oh! 502 Bad Gateway - 14:35:10 502 Bad Gateway - 14:35:12 ... &lt;h1&gt;Version 2: Updated! Zero Downtime Works!&lt;/h1&gt; - 14:35:25 &lt;h1&gt;Version 2: Updated! Zero Downtime Works!&lt;/h1&gt; - 14:35:27 </code></pre> </div> <p><strong>What happened?</strong> I got 17 seconds of 502 errors. Not quite zero downtime.</p> <h2> Why Did I Get Errors? </h2> <p>The new instances took longer to become healthy than the old instances took to terminate. The ALB had no healthy targets for a brief window.</p> <p><strong>The fix:</strong> Increase <code>health_check_grace_period</code> and add <code>wait_for_capacity_timeout</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_autoscaling_group"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">health_check_grace_period</span> <span class="p">=</span> <span class="mi">300</span> <span class="c1"># 5 minutes to boot</span> <span class="nx">wait_for_capacity_timeout</span> <span class="p">=</span> <span class="s2">"10m"</span> <span class="c1"># Wait for healthy instances</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>With these settings, Terraform waits until the new instances pass health checks before destroying the old ones. No more 502s.</p> <h2> The Blue/Green Alternative </h2> <p><code>create_before_destroy</code> is great, but it has limitations. For mission-critical apps, teams use <strong>blue/green deployments</strong>:</p> <ul> <li> <strong>Blue</strong> = current live environment</li> <li> <strong>Green</strong> = new version, ready to go</li> </ul> <p>Switch traffic instantly with a listener rule:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lb_listener_rule"</span> <span class="s2">"blue_green"</span> <span class="p">{</span> <span class="nx">action</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"forward"</span> <span class="nx">target_group_arn</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">active_environment</span> <span class="p">==</span> <span class="s2">"blue"</span> <span class="err">?</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">blue</span><span class="p">.</span><span class="nx">arn</span> <span class="err">:</span> <span class="nx">aws_lb_target_group</span><span class="p">.</span><span class="nx">green</span><span class="p">.</span><span class="nx">arn</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Change <code>active_environment = "green"</code>, run <code>terraform apply</code>, and traffic switches in a single API call. Zero downtime. Instant rollback.</p> <h2> What I Learned </h2> <p><strong>The default is dangerous.</strong> Never assume Terraform will keep your app online. Always test.</p> <p><strong><code>create_before_destroy</code> is your friend.</strong> But you need to handle ASG naming with <code>name_prefix</code> and <code>random_id</code>.</p> <p><strong>Health checks matter.</strong> Give your instances time to boot. <code>health_check_grace_period = 300</code> is your safety net.</p> <p><strong>Blue/green is cleaner.</strong> More setup, but atomic switches and instant rollbacks.</p> <p><strong>502s taught me more than success would have.</strong> I saw exactly where my setup failed and how to fix it.</p> <h2> The Code That Worked </h2> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Unique ASG name</span> <span class="nx">resource</span> <span class="s2">"random_id"</span> <span class="s2">"asg"</span> <span class="p">{</span> <span class="nx">keepers</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">user_data</span> <span class="p">=</span> <span class="nx">base64encode</span><span class="p">(</span><span class="nx">file</span><span class="p">(</span><span class="s2">"user-data.sh"</span><span class="p">))</span> <span class="p">}</span> <span class="nx">byte_length</span> <span class="p">=</span> <span class="mi">4</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_autoscaling_group"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name_prefix</span> <span class="p">=</span> <span class="s2">"web-asg-${random_id.asg.hex}-"</span> <span class="nx">health_check_grace_period</span> <span class="p">=</span> <span class="mi">300</span> <span class="nx">wait_for_capacity_timeout</span> <span class="p">=</span> <span class="s2">"10m"</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_launch_template"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">create_before_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> The Bottom Line </h2> <p>Zero-downtime deployments aren't magic. They're a combination of:</p> <ul> <li>The right lifecycle rules (<code>create_before_destroy</code>)</li> <li>Smart naming (<code>name_prefix</code> + <code>random_id</code>)</li> <li>Patience (<code>health_check_grace_period</code>, <code>wait_for_capacity_timeout</code>)</li> <li>The right strategy (blue/green for critical apps)</li> </ul> <h2> Today I learned that "it works" isn't enough. It has to work when nobody's watching. And now I know how to make that happen. </h2> <p><em>P.S. Those 502 errors were humbling. But they taught me more than a perfect run ever would. Sometimes failure is the best teacher.</em> </p> terraform aws beginners How Conditionals Make Terraform Infrastructure Dynamic and Efficient Mukami Fri, 27 Mar 2026 13:26:35 +0000 https://dev.to/tink-origami/how-conditionals-make-terraform-infrastructure-dynamic-and-efficient-4m0d https://dev.to/tink-origami/how-conditionals-make-terraform-infrastructure-dynamic-and-efficient-4m0d <h2> One Module, Two Environments, Zero Code Duplication </h2> <p><strong>Day 11 of the 30-Day Terraform Challenge</strong> — and today I learned that conditionals are the secret sauce that turns a rigid configuration into a flexible, environment-aware system.</p> <p>Yesterday I had a module that worked for dev. Today I have a module that works for dev, staging, AND production — all from the same codebase.</p> <p>No copy-pasting. No separate branches. Just one <code>environment</code> variable driving everything.</p> <h2> The Problem: Hardcoded Values for Every Environment </h2> <p>Before today, if I wanted different instance sizes for dev and production, I had to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># dev/main.tf</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t3.micro"</span> <span class="nx">min_size</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">max_size</span> <span class="err">=</span> <span class="mi">3</span> <span class="c1"># production/main.tf</span> <span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t3.medium"</span> <span class="nx">min_size</span> <span class="err">=</span> <span class="mi">3</span> <span class="nx">max_size</span> <span class="err">=</span> <span class="mi">10</span> </code></pre> </div> <p>Same code. Different files. Change something? Update both places. Forget one? Inconsistent infrastructure.</p> <p>This works until you have 5 environments. Then it becomes a maintenance nightmare.</p> <h2> The Solution: Centralized Conditional Logic with Locals </h2> <p>Instead of scattering <code>? :</code> operators everywhere, I put all my conditional decisions in one place:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">locals</span> <span class="p">{</span> <span class="c1"># Environment checks</span> <span class="nx">is_production</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">==</span> <span class="s2">"production"</span> <span class="nx">is_staging</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">==</span> <span class="s2">"staging"</span> <span class="nx">is_dev</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">==</span> <span class="s2">"dev"</span> <span class="c1"># Compute sizing based on environment</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">is_production</span> <span class="err">?</span> <span class="s2">"t3.medium"</span> <span class="err">:</span> <span class="p">(</span> <span class="nx">local</span><span class="p">.</span><span class="nx">is_staging</span> <span class="err">?</span> <span class="s2">"t3.small"</span> <span class="err">:</span> <span class="s2">"t3.micro"</span> <span class="p">)</span> <span class="c1"># Auto Scaling settings</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">is_production</span> <span class="err">?</span> <span class="mi">3</span> <span class="err">:</span> <span class="p">(</span> <span class="nx">local</span><span class="p">.</span><span class="nx">is_staging</span> <span class="err">?</span> <span class="mi">2</span> <span class="err">:</span> <span class="mi">1</span> <span class="p">)</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">is_production</span> <span class="err">?</span> <span class="mi">10</span> <span class="err">:</span> <span class="p">(</span> <span class="nx">local</span><span class="p">.</span><span class="nx">is_staging</span> <span class="err">?</span> <span class="mi">5</span> <span class="err">:</span> <span class="mi">3</span> <span class="p">)</span> <span class="c1"># Feature toggles</span> <span class="nx">enable_autoscaling</span> <span class="p">=</span> <span class="err">!</span><span class="nx">local</span><span class="p">.</span><span class="nx">is_dev</span> <span class="c1"># Enabled for staging and production</span> <span class="nx">enable_detailed_monitoring</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">is_production</span> <span class="nx">enable_ssh</span> <span class="p">=</span> <span class="err">!</span><span class="nx">local</span><span class="p">.</span><span class="nx">is_production</span> <span class="c1"># Disabled in production</span> <span class="nx">deletion_protection</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">is_production</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why this is better:</strong></p> <ul> <li>All logic in one place — easy to see what changes per environment</li> <li>No scattered ternaries through resource arguments</li> <li>Easy to test — change one variable, see all impacts</li> <li>Easy to maintain — add a new environment? Update one block</li> </ul> <h2> Conditional Resource Creation with <code>count</code> </h2> <p>The <code>count = condition ? 1 : 0</code> pattern makes entire resources optional:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Only create autoscaling policies for staging and production</span> <span class="nx">resource</span> <span class="s2">"aws_autoscaling_policy"</span> <span class="s2">"scale_out"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">enable_autoscaling</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-scale-out"</span> <span class="nx">scaling_adjustment</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">autoscaling_group_name</span> <span class="p">=</span> <span class="nx">aws_autoscaling_group</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> <span class="c1"># Only create CloudWatch alarms for production</span> <span class="nx">resource</span> <span class="s2">"aws_cloudwatch_metric_alarm"</span> <span class="s2">"high_cpu"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">enable_detailed_monitoring</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">alarm_name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-high-cpu"</span> <span class="nx">threshold</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> </code></pre> </div> <p>When <code>enable_autoscaling = false</code>, the policy isn't created at all. No resources. No costs.</p> <h2> Safe Output References </h2> <p>When resources are conditional, you can't reference them directly. This fails when count = 0:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># BROKEN — errors when resource doesn't exist</span> <span class="nx">output</span> <span class="s2">"alarm_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_cloudwatch_metric_alarm</span><span class="p">.</span><span class="nx">high_cpu</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">arn</span> <span class="p">}</span> </code></pre> </div> <p>The fix is a ternary guard:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># CORRECT — returns null when resource doesn't exist</span> <span class="nx">output</span> <span class="s2">"alarm_arn"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">enable_detailed_monitoring</span> <span class="err">?</span> <span class="nx">aws_cloudwatch_metric_alarm</span><span class="p">.</span><span class="nx">high_cpu</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">arn</span> <span class="err">:</span> <span class="kc">null</span> <span class="p">}</span> </code></pre> </div> <p>For outputs that return objects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"autoscaling_policies"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">local</span><span class="p">.</span><span class="nx">enable_autoscaling</span> <span class="err">?</span> <span class="p">{</span> <span class="nx">scale_out</span> <span class="p">=</span> <span class="nx">aws_autoscaling_policy</span><span class="p">.</span><span class="nx">scale_out</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="nx">scale_in</span> <span class="p">=</span> <span class="nx">aws_autoscaling_policy</span><span class="p">.</span><span class="nx">scale_in</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="err">:</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <p>Without this guard, Terraform throws <code>Invalid index</code> errors when the resource doesn't exist.</p> <h2> The Validation Block: Catch Mistakes Early </h2> <p>Add a validation block to prevent invalid inputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Deployment environment: dev, staging, or production"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="nx">validation</span> <span class="p">{</span> <span class="nx">condition</span> <span class="p">=</span> <span class="nx">contains</span><span class="p">([</span><span class="s2">"dev"</span><span class="p">,</span> <span class="s2">"staging"</span><span class="p">,</span> <span class="s2">"production"</span><span class="p">],</span> <span class="nx">var</span><span class="p">.</span><span class="nx">environment</span><span class="p">)</span> <span class="nx">error_message</span> <span class="p">=</span> <span class="s2">"Environment must be one of: dev, staging, production."</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Try to pass an invalid value:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform plan <span class="nt">-var</span><span class="o">=</span><span class="s2">"environment=stg"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>│ Error: Invalid value for variable │ Environment must be one of: dev, staging, production. </code></pre> </div> <p>Caught at plan time — before anything is deployed.</p> <h2> The Results: Dev vs Production </h2> <p>Same module. Same code. Different outputs.</p> <p><strong>Dev Environment:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t3.micro"</span> <span class="nx">min_size</span> <span class="err">=</span> <span class="mi">1</span> <span class="nx">max_size</span> <span class="err">=</span> <span class="mi">3</span> <span class="nx">enable_autoscaling</span> <span class="err">=</span> <span class="kc">false</span> <span class="nx">enable_monitoring</span> <span class="err">=</span> <span class="kc">false</span> <span class="nx">enable_ssh</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">autoscaling_policies</span> <span class="err">=</span> <span class="p">{}</span> </code></pre> </div> <p><strong>Production Environment:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">instance_type</span> <span class="err">=</span> <span class="s2">"t3.medium"</span> <span class="nx">min_size</span> <span class="err">=</span> <span class="mi">3</span> <span class="nx">max_size</span> <span class="err">=</span> <span class="mi">10</span> <span class="nx">enable_autoscaling</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">enable_monitoring</span> <span class="err">=</span> <span class="kc">true</span> <span class="nx">enable_ssh</span> <span class="err">=</span> <span class="kc">false</span> <span class="nx">autoscaling_policies</span> <span class="err">=</span> <span class="p">{</span> <span class="nx">scale_in</span> <span class="p">=</span> <span class="s2">"prod-webserver-scale-in"</span> <span class="nx">scale_out</span> <span class="p">=</span> <span class="s2">"prod-webserver-scale-out"</span> <span class="p">}</span> </code></pre> </div> <p>Dev gets small, cheap, debuggable. Production gets big, scalable, secure. All from one module.</p> <h2> The Conditional Data Source Pattern </h2> <p>Sometimes you need to either create new infrastructure or use existing. This pattern handles both:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"use_existing_vpc"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="c1"># Conditionally look up existing VPC</span> <span class="nx">data</span> <span class="s2">"aws_vpc"</span> <span class="s2">"existing"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_existing_vpc</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">existing_vpc_id</span> <span class="p">}</span> <span class="c1"># Conditionally create new VPC</span> <span class="nx">resource</span> <span class="s2">"aws_vpc"</span> <span class="s2">"new"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_existing_vpc</span> <span class="err">?</span> <span class="mi">0</span> <span class="err">:</span> <span class="mi">1</span> <span class="nx">cidr_block</span> <span class="p">=</span> <span class="s2">"10.0.0.0/16"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">vpc_id</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">use_existing_vpc</span> <span class="err">?</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">existing</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="err">:</span> <span class="nx">aws_vpc</span><span class="p">.</span><span class="nx">new</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <p>This enables:</p> <ul> <li> <strong>Greenfield deployments</strong> — create everything new</li> <li> <strong>Brownfield deployments</strong> — use existing infrastructure</li> </ul> <p>One toggle switches between them.</p> <h2> What I Learned </h2> <p><strong>Conditional expressions choose values.</strong> They answer "what should this be?"</p> <p><strong>Conditional resource creation chooses existence.</strong> It answers "should this exist at all?"</p> <p><strong>You can't directly choose between two resource types</strong> with one conditional. You need two resources with count on each.</p> <p><strong>Locals are better than scattered ternaries.</strong> Centralize your logic. Future you will thank you.</p> <p><strong>Validation blocks are your first line of defense.</strong> Catch invalid inputs before they cause damage.</p> <h2> The Bottom Line </h2> <p>Today I transformed my module from hardcoded values to a single <code>environment</code> variable that drives everything:</p> <ul> <li>Instance sizing (t3.micro → t3.medium)</li> <li>Cluster size (1 → 3 → 10 instances)</li> <li>Feature toggles (autoscaling, monitoring, SSH)</li> <li>Protection settings (deletion protection)</li> </ul> <p>One codebase. Multiple environments. Zero duplication.</p> <p><strong>This is how infrastructure at scale works.</strong></p> <p><em>P.S. The best part? When someone asks "what does dev look like vs production?" I just point to my locals block. Everything is there. One place. No hunting through 500 lines of code.</em> </p> terraform beginners aws 30daychallenge Mastering Loops and Conditionals in Terraform Mukami Fri, 27 Mar 2026 11:51:38 +0000 https://dev.to/tink-origami/mastering-loops-and-conditionals-in-terraform-8em https://dev.to/tink-origami/mastering-loops-and-conditionals-in-terraform-8em <p><strong>Day 10 of the 30-Day Terraform Challenge</strong> — and today I learned that Terraform is actually a programming language in disguise.</p> <p>For the past 9 days, I've been writing infrastructure like it's 2010: one resource at a time, copy-pasting blocks, and feeling clever when I only duplicated code three times instead of five.</p> <p>Today I discovered loops and conditionals. And I'm never going back.</p> <h2> The Problem: Copy-Paste Engineering </h2> <p>Let me show you what I was doing before today:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># Creating 3 users? Copy-paste!</span> <span class="k">resource</span> <span class="s2">"aws_iam_user"</span> <span class="s2">"alice"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"alice"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_user"</span> <span class="s2">"bob"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"bob"</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_user"</span> <span class="s2">"charlie"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"charlie"</span> <span class="p">}</span> <span class="c1"># Security group with 3 rules? Copy-paste!</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">443</span> <span class="p">}</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">22</span> <span class="p">}</span> </code></pre> </div> <p>This works. Until you need 10 users. Or 50 security group rules. Or you need to change something across all of them.</p> <p><strong>There had to be a better way.</strong></p> <p>There is.</p> <h2> Tool 1: <code>count</code> — The Simple Loop </h2> <p><code>count</code> creates multiple copies of a resource. Think of it as a for-loop for infrastructure.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># Create 3 identical IAM users</span> <span class="k">resource</span> <span class="s2">"aws_iam_user"</span> <span class="s2">"users"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="mi">3</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"user-</span><span class="k">${</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="k">}</span><span class="s2">"</span> <span class="p">}</span> </code></pre> </div> <p><code>count.index</code> gives you the position (0, 1, 2). This creates:</p> <ul> <li>user-0</li> <li>user-1</li> <li>user-2</li> </ul> <p>You can also use it with a list:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"user_names"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"alice"</span><span class="p">,</span> <span class="s2">"bob"</span><span class="p">,</span> <span class="s2">"charlie"</span><span class="p">]</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_iam_user"</span> <span class="s2">"users"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">length</span><span class="p">(</span><span class="nx">var</span><span class="p">.</span><span class="nx">user_names</span><span class="p">)</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">user_names</span><span class="p">[</span><span class="nx">count</span><span class="p">.</span><span class="nx">index</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h3> The Problem Nobody Warns You About </h3> <p>Here's where <code>count</code> gets dangerous.</p> <p>Imagine your user list: <code>["alice", "bob", "charlie"]</code></p> <p>Terraform tracks resources by their <strong>index position</strong>:</p> <ul> <li>Index 0 = alice</li> <li>Index 1 = bob</li> <li>Index 2 = charlie</li> </ul> <p>Now you remove "alice" from the list: <code>["bob", "charlie"]</code></p> <p>The list shifts:</p> <ul> <li>Index 0 = bob (was alice!)</li> <li>Index 1 = charlie (was bob!)</li> </ul> <p><strong>What Terraform sees:</strong> Index 0 changed from alice to bob → destroy alice, create bob. Index 1 changed from bob to charlie → destroy bob, create charlie.</p> <p>Bob and Charlie get <strong>destroyed and recreated</strong> even though they still exist. Any data, IPs, or attached resources are lost.</p> <p><strong>This is the count trap.</strong> It's subtle, destructive, and catches everyone once.</p> <h2> Tool 2: <code>for_each</code> — The Safe Loop </h2> <p><code>for_each</code> solves the index problem by using <strong>keys</strong> instead of positions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># Using a set</span> <span class="k">variable</span> <span class="s2">"user_names"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">set</span><span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"alice"</span><span class="p">,</span> <span class="s2">"bob"</span><span class="p">,</span> <span class="s2">"charlie"</span><span class="p">]</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_user"</span> <span class="s2">"users"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">user_names</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span> <span class="p">}</span> </code></pre> </div> <p>Now Terraform tracks resources by their <strong>value</strong> (alice, bob, charlie), not their position.</p> <p>Remove "alice" from the set? Only Alice is destroyed. Bob and Charlie stay exactly where they are.</p> <h3> The Power of Maps </h3> <p>Where <code>for_each</code> really shines is with maps, because you can carry extra configuration per item:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"users"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">map</span><span class="p">(</span><span class="nx">object</span><span class="p">({</span> <span class="nx">department</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">admin</span> <span class="p">=</span> <span class="nx">bool</span> <span class="p">}))</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">alice</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">department</span> <span class="p">=</span> <span class="s2">"engineering"</span><span class="p">,</span> <span class="nx">admin</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">bob</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">department</span> <span class="p">=</span> <span class="s2">"marketing"</span><span class="p">,</span> <span class="nx">admin</span> <span class="p">=</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_user"</span> <span class="s2">"users"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">users</span> <span class="nx">name</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">key</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Department</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">department</span> <span class="nx">Admin</span> <span class="p">=</span> <span class="nx">tostring</span><span class="p">(</span><span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">admin</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now each user gets unique tags based on their configuration. Try doing that with <code>count</code>.</p> <h2> Tool 3: <code>for</code> Expressions — Transform Data Without Creating Resources </h2> <p><code>for</code> expressions reshape data. They don't create infrastructure—they transform what you already have.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># Uppercase all names</span> <span class="k">output</span> <span class="s2">"upper_names"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">[</span><span class="nx">for</span> <span class="nx">name</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">user_names</span> <span class="err">:</span> <span class="nx">upper</span><span class="p">(</span><span class="nx">name</span><span class="p">)]</span> <span class="p">}</span> <span class="c1"># ["ALICE", "BOB", "CHARLIE"]</span> <span class="c1"># Create a map from a list</span> <span class="k">output</span> <span class="s2">"user_map"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">idx</span><span class="p">,</span> <span class="nx">name</span> <span class="nx">in</span> <span class="kd">var</span><span class="p">.</span><span class="nx">user_names</span> <span class="err">:</span> <span class="nx">idx</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># { "0" = "alice", "1" = "bob", "2" = "charlie" }</span> <span class="c1"># Filter and transform</span> <span class="k">output</span> <span class="s2">"admin_users"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">for</span> <span class="nx">name</span><span class="p">,</span> <span class="nx">user</span> <span class="nx">in</span> <span class="nx">aws_iam_user</span><span class="p">.</span><span class="nx">users</span> <span class="err">:</span> <span class="nx">name</span> <span class="p">=</span><span class="err">&gt;</span> <span class="nx">user</span><span class="p">.</span><span class="nx">arn</span> <span class="nx">if</span> <span class="nx">user</span><span class="p">.</span><span class="nx">admin</span> <span class="p">==</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> <span class="c1"># Only admin users appear in the output</span> </code></pre> </div> <p>These are incredibly useful for creating clean outputs that other configurations can consume.</p> <h2> Tool 4: Ternary Conditionals — Make Decisions </h2> <p>The ternary operator is Terraform's <code>if/else</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="nx">condition</span> <span class="err">?</span> <span class="nx">true_value</span> <span class="err">:</span> <span class="nx">false_value</span> </code></pre> </div> <h3> Making Resources Optional </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"enable_autoscaling"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">bool</span> <span class="nx">default</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_autoscaling_policy"</span> <span class="s2">"scale_out"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="nx">var</span><span class="p">.</span><span class="nx">enable_autoscaling</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="c1"># ... policy configuration</span> <span class="p">}</span> </code></pre> </div> <p>When <code>enable_autoscaling = false</code>, count becomes 0 and the policy is never created.</p> <h3> Environment-Specific Configuration </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="p">}</span> <span class="nx">locals</span> <span class="p">{</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">==</span> <span class="s2">"production"</span> <span class="err">?</span> <span class="s2">"t3.medium"</span> <span class="err">:</span> <span class="s2">"t3.micro"</span> <span class="nx">extra_tags</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">environment</span> <span class="p">==</span> <span class="s2">"production"</span> <span class="err">?</span> <span class="p">{</span> <span class="nx">Criticality</span> <span class="p">=</span> <span class="s2">"high"</span> <span class="nx">Backup</span> <span class="p">=</span> <span class="s2">"enabled"</span> <span class="p">}</span> <span class="err">:</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <p>Now you have one codebase that works for dev (small, cheap) and production (big, protected).</p> <h2> Putting It All Together </h2> <p>Here's how I refactored my web server cluster module:</p> <p><strong>Before:</strong> Hardcoded security group rules, no autoscaling options, repetitive outputs.</p> <p><strong>After:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="c1"># Optional autoscaling policies</span> <span class="k">resource</span> <span class="s2">"aws_autoscaling_policy"</span> <span class="s2">"scale_out"</span> <span class="p">{</span> <span class="nx">count</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">enable_autoscaling</span> <span class="err">?</span> <span class="mi">1</span> <span class="err">:</span> <span class="mi">0</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">cluster_name</span><span class="k">}</span><span class="s2">-scale-out"</span> <span class="nx">autoscaling_group_name</span> <span class="p">=</span> <span class="nx">aws_autoscaling_group</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">name</span> <span class="nx">scaling_adjustment</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="c1"># Flexible security group rules</span> <span class="k">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"additional"</span> <span class="p">{</span> <span class="nx">for_each</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">additional_sg_rules</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"ingress"</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">from_port</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="nx">each</span><span class="p">.</span><span class="nx">value</span><span class="p">.</span><span class="nx">to_port</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">instance</span><span class="p">.</span><span class="nx">id</span> <span class="p">}</span> <span class="c1"># Clean outputs</span> <span class="k">output</span> <span class="s2">"autoscaling_policies"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="kd">var</span><span class="p">.</span><span class="nx">enable_autoscaling</span> <span class="err">?</span> <span class="p">{</span> <span class="nx">scale_out</span> <span class="p">=</span> <span class="nx">aws_autoscaling_policy</span><span class="p">.</span><span class="nx">scale_out</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">name</span> <span class="p">}</span> <span class="err">:</span> <span class="p">{}</span> <span class="p">}</span> </code></pre> </div> <h2> When to Use What: The Cheat Sheet </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tool</th> <th>Best For</th> <th>Avoid When</th> </tr> </thead> <tbody> <tr> <td><strong>count</strong></td> <td>Identical resources, fixed numbers</td> <td>Lists that might change order</td> </tr> <tr> <td><strong>for_each</strong></td> <td>Resources with unique identities, maps, changing lists</td> <td>Creating thousands of resources (state file gets huge)</td> </tr> <tr> <td><strong>for expressions</strong></td> <td>Data transformation, outputs, locals</td> <td>Creating actual infrastructure</td> </tr> <tr> <td><strong>ternary</strong></td> <td>Simple conditional values, resource toggles</td> <td>Complex nested logic (use locals instead)</td> </tr> </tbody> </table></div> <h2> The Count Trap: A Real Example </h2> <p>I built a simple IAM user setup with <code>count</code>. It worked perfectly. Then I removed a user from the middle of the list. <code>terraform plan</code> showed that <strong>every user after that position would be recreated</strong>.</p> <p>I tested with random IDs attached to each user. After removing one, the IDs of remaining users changed. They were destroyed and recreated.</p> <p><strong>The cost?</strong> If these were EC2 instances, I'd lose their IPs, attached volumes, and any stateful data. If these were databases, I'd lose data.</p> <p><strong>The fix?</strong> I refactored to use <code>for_each</code>. Now removing any user affects only that user.</p> <h2> What I Learned </h2> <p><strong>Loops eliminate repetition.</strong> One block now does the work of ten.</p> <p><strong><code>count</code> is simple but dangerous.</strong> It works until your list changes. Then it breaks things in ways that are hard to debug.</p> <p><strong><code>for_each</code> is safer.</strong> It respects identity, not position. Use it whenever your resources have unique names.</p> <p><strong>Conditionals make code reusable.</strong> One module now serves dev and production, with features that turn on and off based on variables.</p> <p><strong><code>for</code> expressions are the glue.</strong> They transform raw resources into clean outputs that others can consume.</p> <h2> The Bottom Line </h2> <p>Before today, I wrote infrastructure by copy-pasting. Now I write it with loops and conditionals.</p> <p>My code is:</p> <ul> <li> <strong>Shorter</strong> — 200 lines instead of 500</li> <li> <strong>Safer</strong> — removing items doesn't break everything</li> <li> <strong>Smarter</strong> — dev gets small instances, production gets big ones</li> <li> <strong>More maintainable</strong> — change one place, all environments update</li> </ul> <p>Terraform isn't just a tool for creating resources. It's a language for describing infrastructure. And today, I finally started treating it like one.</p> <p><em>P.S. If you're still writing 10 separate resource blocks for 10 similar resources, stop. Learn <code>for_each</code>. Your future self will thank you.</em> </p> terraform aws hashicorp beginners Advanced Terraform Module Usage: Versioning, Gotchas, and Reuse Across Environments Mukami Thu, 26 Mar 2026 09:41:09 +0000 https://dev.to/tink-origami/advanced-terraform-module-usage-versioning-gotchas-and-reuse-across-environments-5779 https://dev.to/tink-origami/advanced-terraform-module-usage-versioning-gotchas-and-reuse-across-environments-5779 <p><strong>Day 9 of the 30-Day Terraform Challenge</strong> — and today I learned the hard-won lessons that separate "I know how to write a module" from "I can safely share modules with a team."</p> <p>Yesterday I built my first module. Today I learned why modules break in production, how to version them like real software, and why pinning versions is the difference between "it works" and "it works every time, for everyone."</p> <h2> The Problem: Modules Aren't Magic </h2> <p>Yesterday's module worked perfectly when I called it from a local path. But the moment I tried to share it? Things got messy.</p> <p><strong>Three gotchas caught me off guard:</strong></p> <h3> Gotcha 1: File Paths Lie to You </h3> <p>I had a user data script in my module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">user_data</span> <span class="err">=</span> <span class="nx">file</span><span class="err">(</span><span class="s2">"user-data.sh"</span><span class="err">)</span> </code></pre> </div> <p>Worked fine when testing locally. Then I called the module from a different directory:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Error reading file "user-data.sh": no such file or directory </code></pre> </div> <p><strong>The problem:</strong> <code>file()</code> resolves paths relative to where Terraform is run, not relative to the module!</p> <p><strong>The fix:</strong> Always use <code>${path.module}</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">user_data</span> <span class="err">=</span> <span class="nx">file</span><span class="err">(</span><span class="s2">"${path.module}/user-data.sh"</span><span class="err">)</span> </code></pre> </div> <p>Now the path is always correct, no matter who calls the module or from where.</p> <h3> Gotcha 2: Inline Blocks vs Separate Resources </h3> <p>My security group had inline ingress rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"instance"</span> <span class="p">{</span> <span class="nx">ingress</span> <span class="p">{</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This worked fine. But when someone using my module wanted to add another rule? They couldn't. The module controlled everything.</p> <p><strong>The fix:</strong> Use separate security group rule resources:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_security_group"</span> <span class="s2">"instance"</span> <span class="p">{</span> <span class="c1"># No inline rules!</span> <span class="p">}</span> <span class="nx">resource</span> <span class="s2">"aws_security_group_rule"</span> <span class="s2">"allow_http"</span> <span class="p">{</span> <span class="nx">security_group_id</span> <span class="p">=</span> <span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">instance</span><span class="p">.</span><span class="nx">id</span> <span class="nx">from_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="nx">to_port</span> <span class="p">=</span> <span class="mi">80</span> <span class="p">}</span> </code></pre> </div> <p>Now callers can add their own rules without modifying the module. The module provides a foundation; they add the customization.</p> <h3> Gotcha 3: Module Outputs Create Hidden Dependencies </h3> <p>I had a resource that needed to wait for the module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"monitoring"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">webserver_cluster</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Looks fine, right? <strong>Wrong.</strong></p> <p>This <code>depends_on</code> creates a dependency on <strong>every resource</strong> inside the module. If any resource in the module changes, Terraform recreates my monitoring instance — even if it wasn't related.</p> <p><strong>The fix:</strong> Depend on specific outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_instance"</span> <span class="s2">"monitoring"</span> <span class="p">{</span> <span class="nx">depends_on</span> <span class="p">=</span> <span class="p">[</span><span class="nx">module</span><span class="p">.</span><span class="nx">webserver_cluster</span><span class="p">.</span><span class="nx">alb_dns_name</span><span class="p">]</span> <span class="p">}</span> </code></pre> </div> <p>Now my monitoring instance only cares if the ALB DNS changes — not if a tag on a random instance changes.</p> <h2> The Solution: Version Your Modules </h2> <p>Once I fixed the gotchas, I needed to share my module safely. The answer: <strong>versioning.</strong></p> <h3> Step 1: Push to GitHub </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git init git add <span class="nb">.</span> git commit <span class="nt">-m</span> <span class="s2">"Initial module release"</span> git remote add origin https://github.com/123Origami/terraform-aws-webserver-cluster.git git push origin main </code></pre> </div> <h3> Step 2: Tag a Version </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git tag <span class="nt">-a</span> <span class="s2">"v0.0.1"</span> <span class="nt">-m</span> <span class="s2">"First release: Basic web server cluster"</span> git push origin main <span class="nt">--tags</span> </code></pre> </div> <p>Now my module is versioned! Anyone can use it with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"webserver_cluster"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"github.com/123Origami/terraform-aws-webserver-cluster?ref=v0.0.1"</span> <span class="p">}</span> </code></pre> </div> <h3> Step 3: Make a Change, Tag New Version </h3> <p>I added a new feature (<code>custom_user_data</code>), committed it, and:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git tag <span class="nt">-a</span> <span class="s2">"v0.0.2"</span> <span class="nt">-m</span> <span class="s2">"Added custom user data support"</span> git push origin main <span class="nt">--tags</span> </code></pre> </div> <p>Now I have two versions:</p> <ul> <li> <strong>v0.0.1</strong> — stable, production-ready</li> <li> <strong>v0.0.2</strong> — new feature, needs testing</li> </ul> <h2> The Pattern: Dev Tests, Production Pins </h2> <p>This is where it gets good.</p> <p><strong>Dev environment uses v0.0.2:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/dev/services/webserver-cluster/main.tf</span> <span class="nx">module</span> <span class="s2">"webserver_cluster"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"github.com/123Origami/terraform-aws-webserver-cluster?ref=v0.0.2"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"webservers-dev"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.micro"</span> <span class="nx">custom_user_data</span> <span class="p">=</span> <span class="nx">file</span><span class="p">(</span><span class="s2">"${path.module}/dev-setup.sh"</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Production stays on v0.0.1:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/production/services/webserver-cluster/main.tf</span> <span class="nx">module</span> <span class="s2">"webserver_cluster"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"github.com/123Origami/terraform-aws-webserver-cluster?ref=v0.0.1"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"webservers-production"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why this pattern:</strong></p> <ul> <li>Dev tests the new version immediately</li> <li>Production stays stable until I validate v0.0.2 in dev</li> <li>When I'm confident, I update production to v0.0.2</li> <li>If something breaks, I roll back to v0.0.1 in seconds</li> </ul> <h2> The terraform init Magic </h2> <p>When I run <code>terraform init</code> in dev:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Initializing modules... Downloading git::https://github.com/123Origami/terraform-aws-webserver-cluster.git?ref=v0.0.2 </span></code></pre> </div> <p>Production downloads v0.0.1:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">Initializing modules... Downloading git::https://github.com/123Origami/terraform-aws-webserver-cluster.git?ref=v0.0.1 </span></code></pre> </div> <p>Same module. Different versions. Different environments. This is how real teams work.</p> <h2> Why Version Pinning Is Non-Negotiable </h2> <p>Imagine this nightmare:</p> <p>Engineer A runs <code>terraform apply</code> at 9:00 AM — downloads module at v0.0.1, everything works.</p> <p>Engineer B runs <code>terraform apply</code> at 10:00 AM — module source has been updated to v0.0.2 (new feature, breaking change). Infrastructure now inconsistent.</p> <p>No one knows why. "It worked on my machine" becomes "it worked in my apply."</p> <p><strong>Without version pinning, you're gambling.</strong></p> <h2> The Module README: Your Contract with Users </h2> <p>Every shared module needs a README. It's not optional. Here's what I included:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># AWS Web Server Cluster Module</span> <span class="gu">## What it does</span> Creates a highly available web server cluster with ALB and ASG. <span class="gu">## Usage</span> module "webserver_cluster" { source = "github.com/your-username/terraform-aws-webserver-cluster?ref=v0.0.1" cluster_name = "my-app" } <span class="gu">## Inputs</span> | Name | Type | Default | Required | |------|------|---------|----------| | cluster_name | string | - | yes | | instance_type | string | t3.micro | no | | min_size | number | 1 | no | <span class="gu">## Outputs</span> | Name | Description | |------|-------------| | alb_url | URL to access the cluster | | asg_name | Name of the Auto Scaling Group | <span class="gu">## Known Gotchas</span> <span class="p">-</span> Use <span class="sb">`${path.module}`</span> for any file paths inside the module <span class="p">-</span> Security group rules are separate resources for flexibility </code></pre> </div> <p>A good README means users don't have to read your code to use it.</p> <h2> What I Learned </h2> <p><strong>The gotchas are subtle but deadly.</strong> File paths, dependency chains, and inline resources — all of them work fine until they don't. Fix them once, in the module, and everyone benefits.</p> <p><strong>Versioning is how modules become trustworthy.</strong> Without a version pin, you're sharing a moving target. With versioning, you're sharing a contract.</p> <p><strong>The dev-test-prod pattern is simple but powerful.</strong> Test new versions in dev. Let them bake. When they're stable, roll to staging, then production. If something breaks, roll back one version.</p> <h2> The Bottom Line </h2> <p>A module without versioning is just a folder of code. A module with versioning is a tool your whole team can rely on.</p> <p>Today I turned my web server module from a personal convenience into something I could share with anyone, anywhere, with confidence.</p> <p><strong>Version your modules. Pin your versions. Test in dev, trust in prod.</strong></p> <p><strong>Resources:</strong></p> <ul> <li><a href="https://github.com/123Origami/terraform-aws-webserver-cluster" rel="noopener noreferrer">My Versioned Module on GitHub</a></li> <li><a href="https://developer.hashicorp.com/terraform/language/modules/sources" rel="noopener noreferrer">Terraform Module Versioning Docs</a></li> </ul> 30daychallenge terraform beginners aws # Building Reusable Infrastructure with Terraform Modules ## Or: How I Finally Stopped Copy-Pasting the Same 200 Lines of Code Mukami Thu, 26 Mar 2026 08:36:19 +0000 https://dev.to/tink-origami/-building-reusable-infrastructure-with-terraform-modules-or-how-i-finally-stopped-copy-pasting-34nh https://dev.to/tink-origami/-building-reusable-infrastructure-with-terraform-modules-or-how-i-finally-stopped-copy-pasting-34nh <p><strong>Day 8 of the 30-Day Terraform Challenge</strong> — and today I learned the secret that separates people who "know Terraform" from people who actually build infrastructure at scale.</p> <p>Modules.</p> <p>You know that feeling when you've written the same security group configuration three times? Or when you're about to copy-paste your entire web server cluster for the fifth environment? That's the feeling modules were made to eliminate.</p> <h2> The Problem: Copy-Paste Engineering </h2> <p>Let me show you what I was doing before today:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># dev/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"dev-web-alb"</span> <span class="c1"># ... 200 more lines ...</span> <span class="p">}</span> <span class="c1"># staging/main.tf </span> <span class="nx">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"staging-web-alb"</span> <span class="c1"># ... THE SAME 200 lines, different name ...</span> <span class="p">}</span> <span class="c1"># production/main.tf</span> <span class="nx">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"prod-web-alb"</span> <span class="c1"># ... 200 lines, again ...</span> <span class="p">}</span> </code></pre> </div> <p>This is what we call <strong>Copy-Paste Engineering</strong>. It's fast. It works. And it's a nightmare to maintain.</p> <p>Change the health check path? That's 3 files. Fix a security group rule? 3 files. Update the AMI filter? You guessed it — 3 files. And if you forget one? Now dev and production are different, and nobody knows why.</p> <p>There had to be a better way.</p> <h2> The Solution: Modules </h2> <p>A module is just a folder of Terraform code that you can call from other Terraform configurations. That's it. No magic. No special syntax.</p> <p>But that simple concept changes everything.</p> <h3> The Module Structure </h3> <p>Here's what I built today:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>modules/ └── services/ └── webserver-cluster/ ├── main.tf # The infrastructure (ALB, ASG, SG) ├── variables.tf # What you can configure ├── outputs.tf # What you get back └── README.md # How to use it </code></pre> </div> <h3> The Variables (What You Can Configure) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">variable</span> <span class="s2">"cluster_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name for all cluster resources"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="c1"># No default — caller MUST provide this</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"instance_type"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"EC2 instance type"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"t3.micro"</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"min_size"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Minimum instances in ASG"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">1</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"max_size"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Maximum instances in ASG"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">number</span> <span class="nx">default</span> <span class="p">=</span> <span class="mi">5</span> <span class="p">}</span> <span class="nx">variable</span> <span class="s2">"environment"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Environment name (dev, staging, prod)"</span> <span class="nx">type</span> <span class="p">=</span> <span class="nx">string</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="p">}</span> </code></pre> </div> <p>Every configurable aspect of the infrastructure is an input variable. Nothing is hardcoded.</p> <h3> The Outputs (What You Get Back) </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">output</span> <span class="s2">"alb_dns_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"DNS name of the load balancer"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_lb</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">dns_name</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"alb_url"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Full URL to access the cluster"</span> <span class="nx">value</span> <span class="p">=</span> <span class="s2">"http://${aws_lb.web.dns_name}"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"asg_name"</span> <span class="p">{</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Name of the Auto Scaling Group"</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">aws_autoscaling_group</span><span class="p">.</span><span class="nx">web</span><span class="p">.</span><span class="nx">name</span> <span class="p">}</span> </code></pre> </div> <p>Callers get back exactly what they need — no more, no less.</p> <h3> The Main File (The Infrastructure) </h3> <p>Inside <code>main.tf</code> is all the code I've been writing all week. But now it uses variables instead of hardcoded values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_lb"</span> <span class="s2">"web"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"${var.cluster_name}-alb"</span> <span class="c1"># No hardcoding!</span> <span class="nx">security_groups</span> <span class="p">=</span> <span class="p">[</span><span class="nx">aws_security_group</span><span class="p">.</span><span class="nx">alb</span><span class="p">.</span><span class="nx">id</span><span class="p">]</span> <span class="nx">subnets</span> <span class="p">=</span> <span class="nx">data</span><span class="p">.</span><span class="nx">aws_subnets</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">ids</span> <span class="p">}</span> </code></pre> </div> <h2> The Magic: Calling the Module </h2> <p>Here's where it gets beautiful. For dev:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/dev/services/webserver-cluster/main.tf</span> <span class="nx">module</span> <span class="s2">"webserver_cluster"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../../modules/services/webserver-cluster"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"webservers-dev"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.micro"</span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">1</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"dev"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"alb_url"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">webserver_cluster</span><span class="p">.</span><span class="nx">alb_url</span> <span class="p">}</span> </code></pre> </div> <p>For production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># live/production/services/webserver-cluster/main.tf</span> <span class="nx">module</span> <span class="s2">"webserver_cluster"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../../modules/services/webserver-cluster"</span> <span class="nx">cluster_name</span> <span class="p">=</span> <span class="s2">"webservers-production"</span> <span class="nx">instance_type</span> <span class="p">=</span> <span class="s2">"t3.medium"</span> <span class="c1"># Bigger! </span> <span class="nx">min_size</span> <span class="p">=</span> <span class="mi">2</span> <span class="nx">max_size</span> <span class="p">=</span> <span class="mi">5</span> <span class="nx">environment</span> <span class="p">=</span> <span class="s2">"production"</span> <span class="p">}</span> <span class="nx">output</span> <span class="s2">"alb_url"</span> <span class="p">{</span> <span class="nx">value</span> <span class="p">=</span> <span class="nx">module</span><span class="p">.</span><span class="nx">webserver_cluster</span><span class="p">.</span><span class="nx">alb_url</span> <span class="p">}</span> </code></pre> </div> <p>Same module. Different inputs. Zero code duplication.</p> <p>When I need to update the health check path? I change it in ONE file — the module. Every environment gets the update automatically.</p> <h2> The Moment I Knew It Worked </h2> <p>I deployed dev first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cd </span>live/dev/services/webserver-cluster <span class="nv">$ </span>terraform init <span class="nv">$ </span>terraform apply Apply <span class="nb">complete</span><span class="o">!</span> Outputs: alb_url <span class="o">=</span> <span class="s2">"http://webservers-dev-alb-xxxxx.elb.amazonaws.com"</span> </code></pre> </div> <p>I opened the URL. There it was — my web page with "webservers-dev" on top.</p> <p>Then I looked at production (didn't deploy, just previewed):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span><span class="nb">cd </span>live/production/services/webserver-cluster <span class="nv">$ </span>terraform plan <span class="c"># Notice the instance type:</span> module.webserver_cluster.aws_launch_template.web instance_type <span class="o">=</span> <span class="s2">"t3.medium"</span> <span class="c"># Dev used t3.micro!</span> </code></pre> </div> <p>The same code, producing different infrastructure. This is how real teams work.</p> <h2> Module Design Decisions I Had to Make </h2> <h3> What to Expose vs What to Hide </h3> <p>I chose to expose:</p> <ul> <li> <strong>Cluster name</strong> — caller must provide it (no default)</li> <li> <strong>Instance type</strong> — different sizes for different environments</li> <li> <strong>Min/max sizes</strong> — dev can run with 1 instance, production needs 3+</li> <li> <strong>Environment</strong> — for tagging and naming</li> </ul> <p>I kept internal:</p> <ul> <li> <strong>AMI lookup</strong> — everyone gets the latest Amazon Linux 2</li> <li> <strong>VPC selection</strong> — always use the default VPC</li> <li> <strong>Security group structure</strong> — always the same pattern</li> </ul> <p>The rule: <strong>Expose what changes between environments. Hide what stays the same.</strong></p> <h3> What Happens If Someone Forgets a Required Variable? </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">module</span> <span class="s2">"broken"</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"../../../../modules/services/webserver-cluster"</span> <span class="c1"># No cluster_name provided!</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Missing required argument The argument "cluster_name" is required, but no definition was found. </code></pre> </div> <p>Terraform catches it. The caller knows exactly what they missed. This is why required variables are so important — they prevent silent failures.</p> <h2> Chapter 4 Learnings </h2> <p><strong>Root Module vs Child Module:</strong></p> <p>The configuration you run is the <strong>root module</strong>. Any module you call is a <strong>child module</strong>. There's no technical difference — just who's calling who.</p> <p><strong>What <code>terraform init</code> Does:</strong></p> <p>When you add a new module source, <code>terraform init</code> downloads the module code into <code>.terraform/modules/</code>. It doesn't apply anything — just makes the code available.</p> <p><strong>Module Outputs in State:</strong></p> <p>Module outputs are stored in the state file under the module's name. If you look in <code>terraform.tfstate</code>, you'll see:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"outputs"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"alb_url"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"value"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://webservers-dev-alb-xxxxx.elb.amazonaws.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This is how other configurations can read outputs from your module.</p> <h2> Challenges I Hit (And How I Fixed Them) </h2> <p><strong>Challenge 1: Relative Paths</strong></p> <p>I kept getting <code>source path does not exist</code> errors. The problem? I was counting wrong.</p> <p>From <code>live/dev/services/webserver-cluster/</code> to <code>modules/services/webserver-cluster/</code>:</p> <ul> <li> <code>../</code> = back to <code>live/dev/services/</code> </li> <li> <code>../../</code> = back to <code>live/dev/</code> </li> <li> <code>../../../</code> = back to <code>live/</code> </li> <li> <code>../../../../</code> = back to project root, then into <code>modules/</code> </li> </ul> <p>Fix: Print your current directory and count carefully!</p> <p><strong>Challenge 2: Variable Type Mismatch</strong></p> <p>I passed <code>min_size = "2"</code> (string) but my variable expected a number. Terraform gave me:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Error: Incorrect attribute value type Inappropriate value for attribute "min_size": number required. </code></pre> </div> <p>Fix: Always use the right type — numbers without quotes, lists with brackets.</p> <p><strong>Challenge 3: Missing Outputs</strong></p> <p>My module created an ALB, but I forgot to output its DNS name. The caller couldn't access anything!</p> <p>Fix: Ask yourself "what does someone using this module need to know?" Output those things.</p> <h2> The Difference Between a Good Module and a Painful Module </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Good Module</th> <th>Painful Module</th> </tr> </thead> <tbody> <tr> <td>Clear, specific variable names</td> <td>Vague names like <code>var1</code>, <code>var2</code> </td> </tr> <tr> <td>Every variable has a description</td> <td>No descriptions — guess what it does</td> </tr> <tr> <td>Sensible defaults for optional values</td> <td>Everything is required</td> </tr> <tr> <td>Useful outputs (DNS names, IDs)</td> <td>No outputs — caller can't get anything</td> </tr> <tr> <td>Has a README</td> <td>"Just read the code"</td> </tr> <tr> <td>One clear purpose</td> <td>Tries to do everything</td> </tr> </tbody> </table></div> <h2> Best Practices I Learned </h2> <ol> <li><p><strong>Use the <code>source</code> parameter with relative paths</strong> — absolute paths break when other people clone your repo.</p></li> <li><p><strong>Always add descriptions to variables</strong> — future you will thank present you.</p></li> <li><p><strong>Provide sensible defaults</strong> — if 90% of use cases use <code>t3.micro</code>, make that the default.</p></li> <li><p><strong>Output everything a caller might need</strong> — DNS names, ARNs, IDs, URLs.</p></li> <li><p><strong>Version your modules</strong> — when you change a module, bump the version so callers upgrade intentionally.</p></li> <li><p><strong>Keep modules focused</strong> — one module = one responsibility. Don't create a "everything" module.</p></li> </ol> <h2> The Bottom Line </h2> <p>Modules are how Terraform scales from "my infrastructure" to "our infrastructure."</p> <p>Before modules, I had 200 lines of copy-pasted code per environment. After modules, I have one module and 20 lines of configuration per environment.</p> <p>When I need to update the health check path, I change one file — not three. When I need to add a new environment, I copy the calling configuration — not 200 lines of infrastructure.</p> <p><strong>Modules don't just save time. They save mistakes. And when you're managing production infrastructure, that's worth everything.</strong></p> <p><em>P.S. I spent 5 days writing the same infrastructure over and over. Today I spent 2 hours writing it once. The math is clear: modules pay for themselves the second you need a second environment.</em> </p> beginners terraform aws ec2 # State Isolation: Workspaces vs File Layouts — When to Use Each Mukami Mon, 23 Mar 2026 14:47:39 +0000 https://dev.to/tink-origami/-state-isolation-workspaces-vs-file-layouts-when-to-use-each-4hm https://dev.to/tink-origami/-state-isolation-workspaces-vs-file-layouts-when-to-use-each-4hm <p><strong>Day 7 of the 30-Day Terraform Challenge</strong> — and today I faced the million-dollar question: How do you manage dev, staging, and production without accidentally nuking production?</p> <p>Terraform gives you two answers. One is quick and easy. One is boring and safe. Let me tell you which one I'm choosing.</p> <h2> The Problem: One State to Rule Them All </h2> <p>Yesterday I had one state file. One. For everything.</p> <p>That's fine for a personal project. But imagine a team of 10 people all running Terraform on the same state file. Dev changes. Staging changes. Production changes. All mixed together like a smoothie of chaos.</p> <p>Someone adds a tag in dev. Someone else deletes a bucket in staging. Suddenly production is down and nobody knows why.</p> <p>I needed isolation. Real isolation.</p> <h2> Option 1: Workspaces (The Quick Fix) </h2> <p>Workspaces are Terraform's built-in solution. Same code. Different state files.</p> <h3> How It Works: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform workspace new dev terraform workspace new staging terraform workspace new production </code></pre> </div> <p>Then in your code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">resource</span> <span class="s2">"aws_s3_bucket"</span> <span class="s2">"app"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"myapp-${terraform.workspace}"</span> <span class="nx">tags</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">Environment</span> <span class="p">=</span> <span class="nx">terraform</span><span class="p">.</span><span class="nx">workspace</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>When you're in dev, you get a dev bucket. In production, you get a production bucket. Same code, different resources.</p> <h3> What Workspaces Get Right: </h3> <ul> <li> <strong>Dead simple</strong> — one command and you're done</li> <li> <strong>No code duplication</strong> — change one file, all environments get the update</li> <li> <strong>Fast switching</strong> — <code>terraform workspace select dev</code> and go</li> </ul> <h3> Where Workspaces Fall Short: </h3> <p><strong>No Code Isolation</strong></p> <p>Same code means same bugs everywhere. I fixed something in dev? That change applies to production too. Unless you're using Git branches carefully, one bad commit breaks everything.</p> <p><strong>Too Easy to Misconfigure</strong></p> <p>I did this three times today:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>terraform workspace <span class="k">select </span>production <span class="c"># Wait, I meant dev!</span> terraform apply <span class="c"># Oops, I just deployed to prod</span> </code></pre> </div> <p>No warning. No confirmation. Just me and my mistake.</p> <p><strong>Team Pain</strong></p> <p>Everyone works on the same codebase. Merge conflicts. Coordination headaches. Sarah's dev change blocks John's production deployment.</p> <p><strong>Workspaces are like using the same recipe for all three meals — breakfast, lunch, and dinner. Sure, it's simple, but you probably don't want pancakes for dinner.</strong></p> <h2> Option 2: File Layouts (The Grown-Up Way) </h2> <p>Different folders. Different code. Different state. Complete isolation.</p> <h3> How It Works: </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>environments/ ├── dev/ │ ├── backend.tf # points to dev state │ └── main.tf # dev resources ├── staging/ │ ├── backend.tf # points to staging state │ └── main.tf # staging resources └── production/ ├── backend.tf # points to prod state └── main.tf # prod resources (with extra protections) </code></pre> </div> <h3> What File Layouts Get Right: </h3> <p><strong>Complete Isolation</strong></p> <p>Dev folder has dev code. Production folder has production code. They never touch. I can delete the entire dev folder and production keeps running.</p> <p><strong>Hard to Misconfigure</strong></p> <p>To break production, I have to:</p> <ol> <li><code>cd environments/production</code></li> <li>Run Terraform</li> <li>Type <code>yes</code> </li> </ol> <p>Three conscious decisions. No accidental deploys.</p> <p><strong>Team-Friendly</strong></p> <p>Dev team works in dev folder. Prod team works in prod folder. Different branches, different approvals, no stepping on toes.</p> <p><strong>Environment-Specific Logic</strong></p> <p>Production can have:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">lifecycle</span> <span class="p">{</span> <span class="nx">prevent_destroy</span> <span class="p">=</span> <span class="kc">true</span> <span class="c1"># Can't delete prod resources!</span> <span class="p">}</span> </code></pre> </div> <p>Dev can be reckless. Production can be locked down. Different needs, different code.</p> <h3> Where File Layouts Add Friction: </h3> <p><strong>More Directory Management</strong></p> <p>Five folders. Ten files. Backend configs everywhere. It's organized, but it's also... a lot.</p> <p><strong>Repeated Backend Config</strong></p> <p>Every environment needs its own <code>backend.tf</code>. Copy-paste the same thing three times:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-state-bucket"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"environments/dev/terraform.tfstate"</span> <span class="c1"># Only this changes</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"us-east-1"</span> <span class="p">}</span> </code></pre> </div> <p>One line changes per environment. The rest is identical. Feels repetitive.</p> <p><strong>More Setup</strong></p> <p>Each environment needs its own <code>terraform init</code>. More commands, more waiting, more chances to forget something.</p> <p><strong>File layouts are like having separate kitchens for breakfast, lunch, and dinner. More work to set up, but you never accidentally serve breakfast food at a dinner party.</strong></p> <h2> The Comparison Table </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Aspect</th> <th>Workspaces</th> <th>File Layouts</th> </tr> </thead> <tbody> <tr> <td><strong>Setup Time</strong></td> <td>5 seconds</td> <td>5 minutes</td> </tr> <tr> <td><strong>Code Duplication</strong></td> <td>None</td> <td>Some (backend.tf)</td> </tr> <tr> <td><strong>Accidental Prod Deploy Risk</strong></td> <td>High</td> <td>Low</td> </tr> <tr> <td><strong>Team Collaboration</strong></td> <td>Hard (one codebase)</td> <td>Easy (separate folders)</td> </tr> <tr> <td><strong>Environment-Specific Code</strong></td> <td>Complex (if statements)</td> <td>Simple (different files)</td> </tr> <tr> <td><strong>Learning Curve</strong></td> <td>Easy</td> <td>Moderate</td> </tr> </tbody> </table></div> <h2> When to Use Workspaces </h2> <p><strong>You're working alone or in a small team.</strong> Two people? Workspaces are fine.</p> <p><strong>You're testing or prototyping.</strong> Spin up dev, test something, destroy it. Quick and dirty.</p> <p><strong>Your environments are nearly identical.</strong> Same resources, just different names. Workspaces handle that perfectly.</p> <p><strong>You value speed over safety.</strong> Sometimes that's the right tradeoff.</p> <h2> When to Use File Layouts </h2> <p><strong>You work in a team.</strong> I don't care if it's 3 people or 300 — separate folders save relationships.</p> <p><strong>You have production infrastructure.</strong> If customers depend on it, use file layouts. Protect your sleep schedule.</p> <p><strong>Your environments differ.</strong> Dev uses t3.micro, prod uses t3.large? Different monitoring? Different backups? Separate code.</p> <p><strong>You need approvals.</strong> Prod requires code review. Dev doesn't. Separate folders make that easy.</p> <h2> My Recommendation </h2> <p><strong>Workspaces for personal projects and testing. File layouts for everything else.</strong></p> <p>I know file layouts feel like more work. But here's the thing: that "more work" is actually the friction that prevents disaster.</p> <p>Every time I <code>cd environments/production</code>, I pause. I check. I think. That pause is what keeps me from running <code>terraform destroy</code> on production by accident.</p> <p><strong>Workspaces are a sledgehammer. File layouts are a scalpel. Both can build infrastructure. Only one belongs in surgery.</strong></p> <h2> The Bottom Line </h2> <p>Today I learned that infrastructure isolation isn't just about state files. It's about creating boundaries that protect you from yourself and your team.</p> <p>Workspaces are clever. File layouts are boring. In production, boring wins every time.</p> <p>Tomorrow I'll probably complain about managing all these folders. But tonight, I'll sleep knowing my dev experiments can't touch production.</p> <p><strong>What would you choose?</strong> I'm genuinely curious — drop your thoughts in the comments.</p> <p><em>P.S. If you're using workspaces in production and it's working for you — I'm genuinely impressed. Tell me your secrets. I need them.</em> 😅</p> terraform hashicorp aws 30dayschallenge # Managing Terraform State: Best Practices for DevOps ## How to Stop Fighting State Files and Start Collaborating Mukami Sun, 22 Mar 2026 17:45:53 +0000 https://dev.to/tink-origami/-managing-terraform-state-best-practices-for-devops-how-to-stop-fighting-state-files-and-start-4jad https://dev.to/tink-origami/-managing-terraform-state-best-practices-for-devops-how-to-stop-fighting-state-files-and-start-4jad <p><strong>Day 6 of the 30-Day Terraform Challenge</strong> — and today I learned something that every DevOps engineer eventually discovers the hard way: <strong>Terraform state is like your infrastructure's diary, and if you don't protect it, your team will pay the price.</strong></p> <p>Remember when I thought storing <code>terraform.tfstate</code> locally was fine? That was Day 1 me. Naive. Innocent. About to learn a valuable lesson.</p> <h2> Part 1: What's Actually in That State File? </h2> <p>Before today, I treated <code>terraform.tfstate</code> like a mysterious black box. "It's there, it works, don't touch it." But today, I opened it. And what I found surprised me.</p> <p><strong>Here's what a state file actually contains:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="mi">4</span><span class="p">,</span><span class="w"> </span><span class="nl">"resources"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aws_s3_bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"demo"</span><span class="p">,</span><span class="w"> </span><span class="nl">"instances"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nl">"attributes"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"arn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-demo-bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"bucket"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-demo-bucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eu-north-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tags"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Environment"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Learning"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>What I found inside:</strong></p> <ul> <li> <strong>Resource ARNs</strong> — the unique identifiers AWS assigns</li> <li> <strong>IP addresses</strong> — public and private IPs of every instance</li> <li> <strong>Tags</strong> — all the metadata I thought was just for organization</li> <li> <strong>Dependencies</strong> — Terraform knows which resources depend on which</li> <li> <strong>Sensitive data</strong> — secrets, keys, and credentials (in plaintext!)</li> </ul> <p><strong>The scary part:</strong> If I committed this to Git (which I was doing before Day 6), anyone with access to my repo would have seen everything about my infrastructure. Every IP. Every ARN. Every. Single. Detail.</p> <h2> Part 2: The Bootstrap Problem — Terraform's Chicken-and-Egg </h2> <p>Here's a fun paradox: You need Terraform to create the infrastructure that stores Terraform's state. But you need state to run Terraform.</p> <p><strong>The Bootstrap Problem:</strong> How do you create the S3 bucket and DynamoDB table for remote state without already having remote state?</p> <p><strong>The Solution:</strong> Create them manually (or with a separate, simpler Terraform configuration) first.</p> <p>I created a <strong>bootstrap configuration</strong> that deployed just the S3 bucket and DynamoDB table with local state. Once those were up, I could reconfigure my main infrastructure to use them as a remote backend.</p> <p>It's like building a ladder to build a house. You need something to stand on while you construct the real thing.</p> <h2> Part 3: Remote State — Your Infrastructure's Safe Haven </h2> <p><strong>Before (Local State):</strong></p> <ul> <li>State lived on my laptop</li> <li>Team members couldn't see it</li> <li>Concurrent runs = corruption</li> <li>If my laptop died, state died</li> <li>Secrets in plaintext on my hard drive</li> </ul> <p><strong>After (Remote State with S3 + DynamoDB):</strong></p> <ul> <li>State lives in S3 (versioned, encrypted)</li> <li>Team members share the same state</li> <li>Locking prevents concurrent runs</li> <li>Versioning means I can recover from mistakes</li> <li>Encryption keeps secrets safe</li> </ul> <h3> My Remote Backend Configuration: </h3> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="nx">terraform</span> <span class="p">{</span> <span class="nx">backend</span> <span class="s2">"s3"</span> <span class="p">{</span> <span class="nx">bucket</span> <span class="p">=</span> <span class="s2">"my-team-terraform-state"</span> <span class="nx">key</span> <span class="p">=</span> <span class="s2">"terraform.tfstate"</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-north-1"</span> <span class="nx">dynamodb_table</span> <span class="p">=</span> <span class="s2">"terraform-state-locks"</span> <span class="nx">encrypt</span> <span class="p">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>What each argument does:</strong><br> | Argument | Purpose |<br> |----------|---------|<br> | <code>bucket</code> | Where the state file lives (S3) |<br> | <code>key</code> | The path/filename in the bucket |<br> | <code>region</code> | Where the bucket lives |<br> | <code>dynamodb_table</code> | Locking mechanism (critical for teams) |<br> | <code>encrypt</code> | Server-side encryption at rest |</p> <h2> Part 4: State Locking — The Team Player's Best Friend 🔒 </h2> <p>Remember the school project where two people edited the same Google Doc at the same time? Chaos, right?</p> <p>State locking prevents that exact scenario.</p> <p><strong>I tested it with two terminals:</strong></p> <p><strong>Terminal 1:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform apply <span class="c"># Running...</span> </code></pre> </div> <p><strong>Terminal 2 (while apply was running):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>terraform plan ╷ │ Error: Error acquiring the state lock │ │ Lock Info: │ ID: abc123-def456-ghi789 │ Path: my-bucket/terraform.tfstate │ Operation: OperationTypeApply │ Who: user@computer │ Created: 2026-03-22 10:30:45 UTC │ │ Terraform acquires a state lock to protect the state from being written │ by multiple <span class="nb">users </span>at the same time. ╵ </code></pre> </div> <p><strong>What this means:</strong></p> <ul> <li>Terraform knows when someone else is already working</li> <li>It refuses to run until the lock is released</li> <li>No two people can corrupt the state simultaneously</li> </ul> <p><strong>In a team environment, this is non-negotiable.</strong> Without locking, you're one simultaneous <code>terraform apply</code> away from infrastructure chaos.</p> <h2> Part 5: Why State Files Should NEVER Go in Git 🚫 </h2> <p>I used to commit <code>terraform.tfstate</code> to Git. I was wrong. Here's why:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Problem</th> <th>Explanation</th> </tr> </thead> <tbody> <tr> <td><strong>Secrets in Plaintext</strong></td> <td>State files contain passwords, access keys, and database credentials in plaintext</td> </tr> <tr> <td><strong>Merge Conflicts</strong></td> <td>Two engineers committing state = unresolvable conflicts</td> </tr> <tr> <td><strong>No Locking</strong></td> <td>Git doesn't prevent concurrent writes</td> </tr> <tr> <td><strong>Large Files</strong></td> <td>State files grow huge and bloat the repository</td> </tr> <tr> <td><strong>Audit Issues</strong></td> <td>Git history doesn't reflect actual infrastructure changes</td> </tr> </tbody> </table></div> <p><strong>The correct approach:</strong></p> <ul> <li>Store state in <strong>S3</strong> (encrypted, versioned)</li> <li>Use <strong>DynamoDB</strong> for locking</li> <li>Commit only your <strong>code</strong> to Git</li> <li>Let the state live safely in the cloud</li> </ul> <h2> Part 6: The Migration Experience 🚀 </h2> <p>When I added the backend configuration and ran <code>terraform init</code>, something magical happened:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Initializing the backend... Do you want to copy existing state to the new backend? Pre-existing state was found while migrating the previous "local" backend to the newly configured "s3" backend. Enter "yes" to copy and "no" to start empty. Enter a value: yes Successfully configured the backend "s3"! </code></pre> </div> <p>Terraform detected my local state and offered to migrate it to S3. I said yes, and seconds later, my state file was safely in the cloud, encrypted, versioned, and ready for team collaboration.</p> <p><strong>No manual copying. No complex scripts. Just Terraform being Terraform.</strong></p> <h2> Part 7: What I Learned About State That Changed Everything 💡 </h2> <ol> <li><p><strong>State is the source of truth</strong> — Not your code, not the AWS console. The state file is what Terraform believes exists.</p></li> <li><p><strong>Drift detection is automatic</strong> — If someone manually changes infrastructure, <code>terraform plan</code> will show you exactly what's different.</p></li> <li><p><strong>S3 versioning is your safety net</strong> — Accidentally corrupted your state? Roll back to the previous version. It's like <code>git revert</code> for your infrastructure.</p></li> <li><p><strong>Encryption isn't optional</strong> — State files contain secrets. <code>encrypt = true</code> should be the default, always.</p></li> <li><p><strong>The bootstrap problem is solvable</strong> — Create your backend infrastructure first (manually or with a separate config), then migrate.</p></li> </ol> <h2> Best Practices Checklist </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Practice</th> <th>Why It Matters</th> </tr> </thead> <tbody> <tr> <td><strong>Store state remotely (S3)</strong></td> <td>Team access, disaster recovery</td> </tr> <tr> <td><strong>Enable versioning</strong></td> <td>Roll back from mistakes</td> </tr> <tr> <td><strong>Enable encryption</strong></td> <td>Protect secrets</td> </tr> <tr> <td><strong>Use DynamoDB for locking</strong></td> <td>Prevent concurrent corruption</td> </tr> <tr> <td><strong>Never commit state to Git</strong></td> <td>Avoid secrets exposure and merge conflicts</td> </tr> <tr> <td><strong>Protect the bucket with <code>prevent_destroy</code></strong></td> <td>Accidental bucket deletion = lost state</td> </tr> <tr> <td><strong>Block public access</strong></td> <td>State should never be publicly readable</td> </tr> </tbody> </table></div> <h2> The Bottom Line </h2> <p>Day 6 taught me that Terraform isn't just about writing code — it's about managing the <strong>state</strong> that code creates. </p> <p>Local state is fine for learning. But the moment you work with a team (or even just a second laptop), you need remote state with locking.</p> <p>I started today thinking "state is just a file." I'm ending today with a full S3 + DynamoDB backend that:</p> <ul> <li>✅ Stores state securely</li> <li>✅ Prevents concurrent corruption</li> <li>✅ Encrypts everything</li> <li>✅ Keeps version history</li> <li>✅ Never touches Git</li> </ul> <p><strong>If you're still storing state locally in a team environment, you are one concurrent run away from disaster. Fix it today.</strong></p> <p><em>P.S. If you're wondering why I didn't just use <code>terraform apply</code> for the bootstrap — that's the bootstrap problem! You can't use Terraform to create the infrastructure that Terraform itself needs. I had to create the bucket and table first (manually), then migrate. Mind-bending, but it works. 🧠</em></p> beginners terraform tutorial tfstate