- Organize code into reusable modules (`modules/`) and environment-specific roots (`environments/staging/`, `environments/production/`).
- Use remote state backends (S3 + DynamoDB, GCS, Terraform Cloud) with state locking to prevent concurrent modifications.
- Run `terraform fmt`, `terraform validate`, and `terraform plan` in CI on every pull request.
- Never store secrets in `.tf` files or state — use vault references, SSM parameters, or environment variables.
- Use `variable` blocks with `type`, `description`, and `validation` rules — never leave variables untyped or undocumented.
- Apply consistent tagging on all resources (environment, team, project, managed-by) for cost tracking and governance.
- Use `data` sources to reference existing infrastructure — avoid hardcoding IDs, ARNs, or IP addresses.
- Use `terraform plan -out=plan.tfplan` and `terraform apply plan.tfplan` to ensure the exact reviewed plan is applied.
- Pin provider versions with `required_providers` and commit the generated `.terraform.lock.hcl` lock file to the repo so every run resolves the same provider builds.
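A root module that puts several of the guidelines above together (provider pinning, locked remote state, typed and validated variables, provider-level tagging, and a secret read from SSM rather than committed). This is an added example, not configuration from the original page; the bucket, table, team, project and SSM parameter path are assumed placeholders.

```hcl
terraform {
  required_version = ">= 1.5.0"
  # Pin the provider range; commit the generated .terraform.lock.hcl
  # so every run resolves the same provider build.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }

  # Remote state with locking: S3 holds the state file, DynamoDB the lock.
  # Bucket and table names are assumed placeholders.
  backend "s3" {
    bucket         = "example-org-tfstate"
    key            = "environments/staging/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "example-org-tfstate-locks"
    encrypt        = true
  }
}

variable "environment" {
  type        = string
  description = "Deployment environment, used for naming and tagging."
  validation {
    condition     = contains(["staging", "production"], var.environment)
    error_message = "Environment must be \"staging\" or \"production\"."
  }
}

# default_tags applies the governance tags to every resource this provider creates.
provider "aws" {
  region = "us-east-1"
  default_tags {
    tags = {
      environment = var.environment
      team        = "platform"
      project     = "example-app"
      managed-by  = "terraform"
    }
  }
}

# Read the secret at apply time instead of committing it to a .tf file.
# The parameter path is an assumed placeholder.
data "aws_ssm_parameter" "db_password" {
  name            = "/example-app/${var.environment}/db_password"
  with_decryption = true
}
```

A value fetched by a data source is still written to the state file, so the encrypted, access-restricted remote backend is what actually keeps the secret out of reach; review the output of `terraform plan -out=plan.tfplan` and apply that same file so the plan that ships is the one that was reviewed.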