Collaboration
- Use remote state and state locking
- For certain backends like AWS S3, enable versioning to make it easier to recover your state if needed
- Agree on naming convention
- Use meaningful tags to easily identify resources: environment, owner and project keys are a must
- You can also add Cloud Custodian for components that live outside Terraform/IaC tools; it can automatically tag manually created resources with an owner/creator tag based on CloudTrail events
Don’t reinvent the wheel
Use existing shared and community modules. It is common sense to reuse mature modules such as the VPC module instead of writing your own; look for them in the Terraform Registry.
Explicit definition
- Keep your providers, modules versioned properly
- Keep each module in a separate repo. In practice this depends on project size; a monorepo or a single shared modules repo can work as well.
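The points from "Collaboration" (remote state with locking, S3 versioning, mandatory tags) and "Explicit definition" (pinned provider and module versions) come together in a small project skeleton. The following is an added example written for this page, not the author's own code; bucket, table, region and tag values are placeholders. The state bucket and lock table are created from a separate bootstrap root because they must exist before any root can use the S3 backend.

```hcl
# --- bootstrap/main.tf: state storage, applied once with local state ---
resource "aws_s3_bucket" "tfstate" {
  bucket = "example-org-tfstate" # placeholder name
}

# Versioning lets you roll back to an earlier state file after a bad apply
resource "aws_s3_bucket_versioning" "tfstate" {
  bucket = aws_s3_bucket.tfstate.id
  versioning_configuration {
    status = "Enabled"
  }
}

# State files contain secrets and resource ids: never expose the bucket
resource "aws_s3_bucket_public_access_block" "tfstate" {
  bucket                  = aws_s3_bucket.tfstate.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Lock table for the S3 backend; the hash key must be named LockID
resource "aws_dynamodb_table" "tfstate_lock" {
  name         = "example-org-tfstate-lock" # placeholder name
  billing_mode = "PAY_PER_REQUEST"
  hash_key     = "LockID"
  attribute {
    name = "LockID"
    type = "S"
  }
}

# --- prod/network/versions.tf: a normal root using that state ---
terraform {
  required_version = "~> 1.5"

  # Pin providers so a new major release cannot change a plan unexpectedly
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  backend "s3" {
    bucket         = "example-org-tfstate"               # placeholder
    key            = "prod/network/terraform.tfstate"    # one key per root
    region         = "eu-west-1"                         # placeholder
    encrypt        = true
    dynamodb_table = "example-org-tfstate-lock"          # enables state locking
  }
}

# default_tags stamps the mandatory tags on every taggable resource the
# provider creates, so they cannot be forgotten on individual resources
provider "aws" {
  region = "eu-west-1" # placeholder

  default_tags {
    tags = {
      environment = "prod"
      owner       = "platform-team" # placeholder
      project     = "network"       # placeholder
      managed_by  = "terraform"
    }
  }
}

# Reuse the mature community VPC module with a pinned version
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"

  name            = "prod-network"
  cidr            = "10.0.0.0/16"
  azs             = ["eu-west-1a", "eu-west-1b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
}
```

Run `terraform init` in the bootstrap root first, then in `prod/network`; once the backend is in place, a second engineer running `terraform apply` against the same key is refused until the lock in the DynamoDB table is released.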
Avoid variables hard-coding
Check if you can get the value of an attribute via a data source instead of setting it explicitly. For example, instead of finding our AWS account id from the console and setting it in terraform.tfvars as
aws_account_id="99999999999"
we can get it from a data source
data "aws_caller_identity" "current" {}
locals {
account_id = data.aws_caller_identity.current.account_id
}
Automate
- Use pre-commit: https://pre-commit.com/#install together with https://github.com/antonbabenko/pre-commit-terraform
- Must-have hooks:
  - terraform_fmt
  - terraform_validate
  - terraform_docs
  - terraform_tflint
  - checkov
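A `.pre-commit-config.yaml` wiring up exactly those hooks, as an added example (not from the page or from the pre-commit-terraform project); the `rev` tag is a placeholder to replace with a released tag of the hook repository, and the tflint config path is an assumption.

```yaml
# .pre-commit-config.yaml: the must-have hooks listed above, all from one repo
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: vX.Y.Z   # placeholder: pin to a released tag, never a branch name
    hooks:
      - id: terraform_fmt        # canonical formatting
      - id: terraform_validate   # syntax and internal consistency
      - id: terraform_docs       # keeps README inputs/outputs tables current
      - id: terraform_tflint     # linting and provider-specific rules
        args:
          - --args=--config=__GIT_WORKING_DIR__/.tflint.hcl  # assumed repo-level tflint config
      - id: checkov              # static security checks (newer releases also expose it as terraform_checkov)
        args:
          - --args=--quiet       # only report failed checks
```

Install the hooks once per clone with `pre-commit install`, and run `pre-commit run --all-files` in CI so that a developer who skipped the local hooks still cannot merge unformatted, invalid or insecure configuration.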
DRY (Don’t repeat yourself)
- Consider using terragrunt if you need advanced dependency management between stacks and want to simplify remote state management
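Below is an added terragrunt example (written for this page, not taken from it or from the terragrunt project) showing the two things the bullet above mentions: a root `root.hcl` that generates the backend configuration once for every child, and a `dependency` block that wires one stack's outputs into another. Paths, bucket and table names are placeholders.

```hcl
# --- live/root.hcl: remote state defined once, inherited by every stack ---
remote_state {
  backend = "s3"
  # Writes backend.tf into each child on the fly, so no stack repeats it
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket         = "example-org-tfstate"                              # placeholder
    key            = "${path_relative_to_include()}/terraform.tfstate"  # unique key per stack
    region         = "eu-west-1"                                        # placeholder
    encrypt        = true
    dynamodb_table = "example-org-tfstate-lock"                         # placeholder
  }
}

# --- live/prod/network/terragrunt.hcl: the VPC stack ---
include "root" {
  path = find_in_parent_folders("root.hcl")
}

terraform {
  # Registry module pinned to an explicit version
  source = "tfr:///terraform-aws-modules/vpc/aws?version=5.1.0"
}

inputs = {
  name            = "prod-network"
  cidr            = "10.0.0.0/16"
  azs             = ["eu-west-1a", "eu-west-1b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
}

# --- live/prod/app/terragrunt.hcl: depends on the network stack ---
include "root" {
  path = find_in_parent_folders("root.hcl")
}

# terragrunt reads ../network's state and orders run-all commands accordingly
dependency "network" {
  config_path = "../network"

  # Lets `plan`/`validate` succeed before the network stack exists
  mock_outputs = {
    vpc_id          = "vpc-00000000"
    private_subnets = ["subnet-00000000"]
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

terraform {
  source = "../../../modules/app" # assumed local module path
}

inputs = {
  vpc_id     = dependency.network.outputs.vpc_id
  subnet_ids = dependency.network.outputs.private_subnets
}
```

From `live/prod`, `terragrunt run-all plan` applies the network stack before the app stack based on the `dependency` graph, and the generated `backend.tf` keeps every stack's state under its own key in the same versioned, locked bucket.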
CICD
- For PR collaboration use Atlantis
- For infrastructure drift detection use https://github.com/snyk/driftctl