Terraform Testing

Infrastructure testing with terraform test, Terratest, and policy validation

Details

Language / Topic
Terraform
Category
Testing

Rules

balanced
- Use terraform validate and tflint in CI for every pull request — catches syntax and provider errors fast
- Write terraform test (native HCL) tests for module input validation and plan-time assertions
- Use checkov or tfsec for policy validation: enforce encryption, public access blocks, tagging requirements
- Test modules with real infrastructure in isolated test accounts — mock tests miss provider-specific issues
- Run terraform plan in CI and post the output as a PR comment for human review before merge
- Run terraform validate + tflint in CI on every PR — catches syntax errors and provider-specific issues
- Use native terraform test (.tftest.hcl) for module validation: test variable constraints, plan assertions, apply/destroy
- Run checkov or tfsec for security policy checks: detect unencrypted resources, public access, missing tags
- Test modules with real infrastructure in isolated accounts — use temporary resources with auto-cleanup
- Post terraform plan output as PR comments (tfcmt, atlantis) for human review before merge
- Layer testing: static analysis (fmt, validate, tflint) → policy (checkov) → plan review → integration (terraform test)
- Use test-only variables and mock providers in terraform test to avoid cloud costs for unit-level checks
- Write integration tests in Terratest (Go) for complex multi-module scenarios that need custom assertions
- Set up nightly drift detection: scheduled terraform plan that alerts on unexpected infrastructure changes
- Clean up test resources aggressively — use test timeouts and AWS Nuke/cloud-nuke for orphaned resources
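As an added, constructed example (not code from the page or from any project it names) of the unit-level tier in the rules above: a small module whose variables carry `validation` blocks, plus a native `.tftest.hcl` file that uses `mock_provider` so the plan-time assertions run with no cloud credentials and no cost. The module path, resource names, and the sample variable values are assumptions; the assertions check the same properties a checkov or tfsec policy would flag (public access blocked, SSE-KMS enforced, required tags present), so a regression is caught before a policy scanner ever sees the plan. Requires Terraform 1.7 or newer for `mock_provider`.

```hcl
# modules/bucket/variables.tf  (constructed example module)
variable "bucket_name" {
  type = string
  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$", var.bucket_name))
    error_message = "bucket_name must be 3-63 lowercase letters, digits or hyphens."
  }
}

variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "environment must be one of: dev, staging, prod."
  }
}

# modules/bucket/main.tf
resource "aws_s3_bucket" "this" {
  bucket = var.bucket_name
  tags = {
    Environment = var.environment
    ManagedBy   = "terraform"
  }
}

# Public access is blocked on every bucket the module creates.
resource "aws_s3_bucket_public_access_block" "this" {
  bucket                  = aws_s3_bucket.this.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Encryption at rest defaults to SSE-KMS rather than relying on the account default.
resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
  bucket = aws_s3_bucket.this.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "aws:kms"
    }
  }
}

# modules/bucket/tests/unit.tftest.hcl
# The mock provider returns synthetic values for computed attributes, so these
# runs need no AWS credentials and create nothing.
mock_provider "aws" {}

variables {
  bucket_name = "example-logs-dev"   # constructed sample value
  environment = "dev"
}

# Input validation: an out-of-range environment must fail at plan time,
# and the failure must come from exactly this variable.
run "rejects_invalid_environment" {
  command = plan
  variables {
    environment = "sandbox"
  }
  expect_failures = [var.environment]
}

# Plan-time assertions on the security properties a policy scanner would check.
run "plan_blocks_public_access_and_encrypts" {
  command = plan

  assert {
    condition     = aws_s3_bucket_public_access_block.this.block_public_acls && aws_s3_bucket_public_access_block.this.restrict_public_buckets
    error_message = "public access block must deny public ACLs and policies"
  }

  assert {
    condition     = aws_s3_bucket_server_side_encryption_configuration.this.rule[0].apply_server_side_encryption_by_default[0].sse_algorithm == "aws:kms"
    error_message = "bucket must default to SSE-KMS encryption"
  }

  assert {
    condition     = aws_s3_bucket.this.tags["Environment"] == "dev" && aws_s3_bucket.this.tags["ManagedBy"] == "terraform"
    error_message = "required tags Environment and ManagedBy are missing"
  }
}
```

Run it with `terraform test` from `modules/bucket`; because every run uses `command = plan` against a mocked provider it is safe to wire into the per-PR CI job alongside `terraform validate` and tflint, while the encryption and tagging assertions give the same signal as checkov but at the module boundary.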
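As a second added, constructed example (not from the page or any named project) for the integration tier, where the rules call for real infrastructure in an isolated account with automatic cleanup: a `.tftest.hcl` file that applies the module under test through a real AWS provider pinned to a dedicated test account, randomizes the bucket name so parallel CI runs cannot collide, and asserts on post-apply state. The module under test, its `bucket_arn` output, the `./tests/setup` helper, the role ARN and the tag names are all assumptions; the account ID in the ARN is a placeholder. `terraform test` destroys everything each `apply` run created when the file finishes, and the `TTL` tag gives a cloud-nuke style sweeper a handle on anything a crashed run leaves behind.

```hcl
# tests/setup/main.tf  (helper module, constructed example)
# Produces a short random suffix so every test run gets a unique bucket name.
resource "random_id" "suffix" {
  byte_length = 4
}

output "suffix" {
  value = random_id.suffix.hex
}

# tests/integration.tftest.hcl
# Real provider, scoped to an isolated test account via an assumed role so a
# failing or leaked test can never reach production credentials or resources.
provider "aws" {
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::000000000000:role/terraform-test"  # placeholder ARN
  }
  # Tag everything the test creates so an orphan sweeper can find it later.
  default_tags {
    tags = {
      Purpose = "terraform-test"
      TTL     = "1h"
    }
  }
}

variables {
  environment = "dev"
}

# Step 1: create the random suffix; its output is referenced by later runs.
run "setup" {
  command = apply
  module {
    source = "./tests/setup"
  }
}

# Step 2: apply the module for real and check what the provider actually built.
# Resources from this run are destroyed automatically at the end of the file.
run "bucket_is_private_and_encrypted_after_apply" {
  command = apply
  variables {
    bucket_name = "tftest-${run.setup.suffix}"
  }

  assert {
    condition     = aws_s3_bucket_public_access_block.this.restrict_public_buckets
    error_message = "bucket was applied without restrict_public_buckets"
  }

  assert {
    condition     = aws_s3_bucket_server_side_encryption_configuration.this.rule[0].apply_server_side_encryption_by_default[0].sse_algorithm == "aws:kms"
    error_message = "applied bucket is not using SSE-KMS"
  }

  assert {
    condition     = startswith(output.bucket_arn, "arn:aws:s3:::tftest-")
    error_message = "module must expose the ARN of the bucket it created"
  }
}
```

Run it from the module root with `terraform test -filter=tests/integration.tftest.hcl` in a scheduled or nightly job rather than on every PR, with a job-level timeout so a hung apply cannot hold test-account resources indefinitely; the mock-based unit file stays in the fast per-PR path.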