@tank/terraform-mastery
1.0.0Description
Production-grade Terraform and OpenTofu for any cloud. Covers HCL syntax, providers, modules, state management, testing, CI/CD pipelines, Terragrunt, security, and cost estimation.
Triggered by
terraformterraform moduleterraform stateHCLopentofuterragrunt
Download
Review Recommended
tank install @tank/terraform-masteryTerraform Mastery
Core Philosophy
- State is the source of truth -- Terraform's state file maps configuration to real infrastructure. Protect it with remote backends, encryption, and locking. Never edit state manually unless using
terraform statecommands. - Modules are the unit of reuse -- Compose infrastructure from focused, single-responsibility modules. Pin module versions. Publish to a registry for organization-wide sharing.
- Plan before apply, always -- Treat
terraform planoutput as a code review artifact. Automate plan-on-PR, require human approval before apply. Never auto-apply to production. - Blast radius drives structure -- Split state files by change frequency and risk. Networking changes rarely; application resources change often. Separate them to limit damage from any single apply.
- Prefer
for_eachovercount--for_eachcreates stable resource addresses keyed by string.countuses numeric indices -- removing an item from the middle forces recreation of all subsequent resources.
Quick-Start: Common Problems
"How do I structure a Terraform project?"
| Layer | Contents | Change Frequency |
|---|---|---|
global/ | IAM, DNS, shared resources | Rarely |
network/ | VPC, subnets, peering | Rarely |
data/ | RDS, ElastiCache, S3 | Occasionally |
compute/ | ECS, Lambda, EC2 | Often |
app/ | App-specific resources | Very often |
-> See references/project-structure.md
"How do I manage state safely?"
- Configure a remote backend with encryption and locking (S3+DynamoDB, GCS, azurerm)
- Use one state file per environment per layer (e.g.,
prod/network,prod/compute) - Never store state in version control
- Use
terraform state mvfor refactoring,terraform importfor adoption -> Seereferences/state-management.md
"How do I write reusable modules?"
- One module = one logical component (VPC module, RDS module, not "infrastructure" module)
- Expose inputs via
variables.tf, outputs viaoutputs.tf - Add variable validation rules as contract tests
- Version with Git tags, publish to a registry
-> See
references/module-design.md
"How do I test Terraform code?"
terraform validate+terraform fmt -checkfor syntaxterraform testwithcommand = planfor unit tests (no real resources)terraform testwithcommand = applyfor integration tests- Terratest (Go) for complex multi-resource validation
-> See
references/testing-validation.md
"How do I set up CI/CD for Terraform?"
- PR triggers: fmt check, validate, tflint, plan, cost estimate
- Plan output posted as PR comment for review
- Merge triggers: apply with approval gate
- Use OIDC for cloud authentication -- no long-lived credentials
-> See
references/cicd-pipelines.md
Decision Trees
Backend Selection
| Situation | Backend | Locking |
|---|---|---|
| AWS infrastructure | S3 + DynamoDB | DynamoDB table |
| GCP infrastructure | GCS | Built-in |
| Azure infrastructure | azurerm | Built-in |
| Multi-cloud or team | HCP Terraform / Terraform Cloud | Built-in |
| Local development only | local | None |
Module Source
| Need | Source |
|---|---|
| Organization-wide reuse | Private registry (HCP Terraform, Artifactory) |
| Team-level reuse | Git repo with version tags |
| Prototyping | Local path (./modules/) |
| Community standard | Terraform Registry (registry.terraform.io) |
Workspace vs Directory
| Signal | Approach |
|---|---|
| Same config, different variable values (dev/staging/prod) | Workspaces or Terragrunt |
| Different resources per environment | Separate directories |
| Need independent state per tenant | Workspaces with dynamic backend keys |
| Complex multi-environment with DRY config | Terragrunt with terragrunt.hcl hierarchy |
Reference Index
| File | Contents |
|---|---|
references/hcl-language.md | HCL syntax, expressions, functions, type system, dynamic blocks, meta-arguments |
references/state-management.md | Remote backends, locking, encryption, migration, workspaces, state surgery, import, moved blocks |
references/module-design.md | Module structure, composition patterns, versioning, registry publishing, variable validation |
references/provider-patterns.md | Provider configuration, multi-region, multi-account, aliases, authentication patterns (OIDC, assume role) |
references/testing-validation.md | terraform test framework, Terratest, tflint, contract tests, policy as code (Sentinel, OPA) |
references/cicd-pipelines.md | GitHub Actions, GitLab CI, Atlantis, plan-on-PR, apply-on-merge, OIDC auth, cost estimation |
references/security-secrets.md | Secrets management, sensitive variables, encryption, least-privilege IAM, drift detection, compliance scanning |
references/project-structure.md | Directory layout, file naming, environment separation, Terragrunt DRY patterns, monorepo vs polyrepo |