Terraform Best Practices — At Scale

Terraform is a powerful tool for infrastructure automation that allows teams to manage infrastructure as code. Learning terraform may seem easy in the beginning but deploying architectures at scale can be a daunting task, even for experienced professionals.

Here are a few tips and tricks we follow at SquareOps, that have proven to be useful in the long run for managing large-scale infrastructure using Terraform.

Forget .tfvars, Sometimes

We try to leverage the true power of Terraform local variables. The easiest way to get started is to create a directory for each of your environments in your Terraform git repository. e.g. env/staging, env/production. For example, this VPC reference file uses local variables. Benefit? you can avoid defining each and every variable, plus you can manage every configuration in one place in git.

Write Modules

modules need to be independent and reusable pieces of code. We create custom modules on top of base modules available publicly. A good example can be our network module. It uses a public vpc module published by AWS and then creates an EC2 instance for Pritunl VPN. So the resultant module can create VPC with a VPN appliance. Example on GitHub. 

Follow a Consistent Directory Structure

Using a consistent directory structure is essential for maintaining a clean and organized Terraform project. You should structure your Terraform code in a way that is easy to understand and navigate. A common directory structure for Terraform projects includes:

• main.tf: contains the core infrastructure configuration.
• variables.tf: contains input variables that can be passed to the main configuration.
• outputs.tf: contains output variables that can be referenced by other resources.
• modules/: contains reusable modules that can be used in the main configuration.
• providers.tf: contains provider configuration.

Use Control Flags

Use flags in module code to customize your architecture. Referring to the same example of Pritunl VPN, we have a variable named — deploy_vpn = true. So that if we are deploying a development vpc or a network just for Proof Of Concept purposes, we do not need to deploy NAT Gateways or VPN appliances; hence we can disable these.

Refer Remote State

Even if you start as a 2-person team or one-man army, it is advisable to use a remote state. Also, it makes sense to refer to the outputs of other modules from a remote state. E.g. when you plan to deploy an RDS instance, you can get the VPC ID and subnet information from the remote state of the network module. This way, your infrastructure deployment becomes loosely coupled.

Pre-Commit Hooks

Git pre-commit hooks are a great savior when it comes to maintaining the coding standards in your IaaC repo. Our pre-commit hook configuration takes care of:

• Terraform linting using tflint.
• Generating/Updating Readme files using tfdocs.
• Formatting terraform code using terraform fmt (It’s an obsession).

PR Based on Workflow for Development

When all the Infrastructure definition is stored in version control, then it becomes easy to implement an infrastructure change management process. For any change, create a branch from a mainline branch, make the changes, and review these via a Pull request before approving and applying. Refer to the Pipeline Workflow section here for a more detailed walkthrough.

Static Code Analysis

Use Terraform Static code analysis tools, like Tfsec, to spot potential misconfigurations in code, even before it is used to deploy the resources on the cloud.

Cost Projections

Cost is paramount to any deployment, and organizations often pay for what they don’t need (or use).

A tool like Infracost can be integrated into your infrastructure deployment pipeline. It can generate projections for any new deployment or even changes to an existing deployment

Conclusion

Terraform is easy to get started, but not at all easy to do the right way. These techniques are adopted from our real-life challenges and experience while building 100+ Architecture deliveries using Terraform.

Happy Terraforming !!