Terraform at Scale: 7 Patterns That Saved Us From Config Hell

1) Module structure: DRY but not too DRY

Create reusable modules but don't over-abstract. Each module should have a clear purpose.

• ✓Separate root modules (environments) from child modules (components).
• ✓Version your modules and pin versions in prod.
• ✓Keep modules focused: network, compute, database—not "everything".

2) State management that prevents disasters

• ✓Use remote state (S3 + DynamoDB locks, GCS, Terraform Cloud).
• ✓One state file per environment/service, not one giant state.
• ✓Enable state locking and versioning.
• ✓Never commit state files or .terraform directories.

3) Secrets management (never in plain text)

• ✓Use AWS Secrets Manager, HashiCorp Vault, or similar.
• ✓Reference secrets via data sources, never hardcode.
• ✓Rotate secrets regularly and track usage.

4) CI/CD for Terraform: plan on PR, apply on merge

Automate terraform plan on every PR, require approval, then auto-apply on merge to main.

• ✓Run terraform plan and post results as PR comment.
• ✓Block merges if plan fails or shows unexpected changes.
• ✓Use CODEOWNERS for sensitive resource changes.

5) Drift detection and reconciliation

• ✓Run scheduled terraform plan to detect drift.
• ✓Alert on unexpected changes (manual modifications).
• ✓Use policy-as-code (Sentinel/OPA) for compliance checks.

6) Testing: don't skip it

Use tools like Terratest or kitchen-terraform to validate module behavior.

• ✓Test modules in isolated accounts/projects.
• ✓Validate resource creation, configuration, and deletion.
• ✓Run tests in CI before merging.

7) Documentation and naming conventions

• ✓Document every module with examples and required variables.
• ✓Use consistent naming: {env}-{service}-{resource}.
• ✓Tag all resources with owner, env, cost-center.