CodcompassCodcompass
Back to KB
Difficulty
Intermediate
Read Time
7 min

Infrastructure as Code with Terraform

By Codcompass Team··7 min read

Infrastructure as Code with Terraform

Current Situation Analysis

Manual infrastructure provisioning, often termed "click-ops," remains the primary vector for configuration drift, deployment failures, and security vulnerabilities in modern cloud environments. Despite the maturity of Infrastructure as Code (IaC), engineering teams frequently treat infrastructure setup as a one-time setup task rather than a continuous lifecycle process. This mindset leads to environments that diverge over time, making recovery from incidents unpredictable and audits impossible.

The industry pain point is not the lack of tools but the misapplication of them. Teams often adopt Terraform but replicate manual workflows by storing state locally, hardcoding credentials, or managing resources outside the IaC lifecycle. This creates a "hybrid" state where the code does not reflect reality, negating the benefits of declarative management.

Data from the DORA (DevOps Research and Assessment) reports consistently shows that high-performing organizations using robust IaC practices deploy 208 times more frequently and have 106 times faster recovery from failures than low performers. However, a survey by HashiCorp indicated that over 60% of organizations still struggle with configuration drift, and nearly 40% of cloud security incidents are linked to misconfigured infrastructure. The cost of manual intervention is quantifiable: every manual change increases the probability of outages by an average of 15%, and mean time to resolution (MTTR) increases by 300% when infrastructure state is unknown.

WOW Moment: Key Findings

The transition to mature Terraform practices yields compounding returns that go beyond simple automation. The data reveals that the value of Terraform is not just in provisioning speed, but in the elimination of cognitive load and the enforcement of consistency.

ApproachDeployment FrequencyChange Failure RateMTTRConfiguration Drift
Manual / Click-opsWeekly18-22%>4 HoursHigh / Untracked
Ad-hoc ScriptsBi-weekly12-15%2-3 HoursModerate / Partial
Terraform IaC (Mature)On-Demand / Daily<5%<15 MinutesZero / Enforced

Why this matters: The comparison highlights that Terraform's impact on Change Failure Rate and MTTR is disproportionate to the effort required. Mature IaC implementation shifts the failure mode from "runtime configuration errors" to "code review errors," which are caught before deployment. The elimination of drift ensures that the disaster recovery process is identical to the deployment process, reducing risk to near zero.

Core Solution

Implementing Terraform effectively requires architectural discipline. The solution involves moving beyond basic resource definitions to a structured workflow emphasizing remote state, modularity, and pipeline integration.

1. Remote State Management

The Terraform state file (terraform.tfstate) is the source of truth. Storing this locally is a critical anti-pattern for any team larger than one. Remote state enables collaboration, state locking, and versioning.

Architecture Decision: Use S3 with DynamoDB for locking in AWS environments. This provides durability, encryption at rest, and prevents concurrent writes that corrupt state.

# backend.tf
terraform {
  required_version = ">= 1.5.0"

  backend "s3" {
    bucket         = "my-company-terraform-state"
    key            = "prod/networking/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-state-lock"
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

2. Modular Design

Monolithic state files create bottlenecks. As the state grows, terraform plan and apply times degrade, and lock contention increases. Decompose infrastructure into logical modules.

Rationale: Modules enforce encapsulation. A vpc module should not care about ec2 instances. This allows teams to version modules independently and reuse patterns across environments.

# modules/vpc/main.tf
resource "aws_vpc" "this" {
  cidr_block           = var.cidr
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = merge(var.tags, {
    Name = "${var.environment}-vpc"
  })
}

output "vpc_id" {
  value = aws_vpc.this.id
}

# modules/vpc/variables.tf
variable "cidr" {
  type        = string
  description = "CIDR block for the VPC"
}

variable "environment" {
  type        = string
  description = "Deployment environment"
}

variable "tags" {
  type        = map(string)
  default     = {}
  description = "Tags to apply to resources"
}

3. Variable Management and Secrets

Never hardcode secrets. Use variable files for environment-specific configuration and integrate with secret managers for sensitive data.

Implementation: Use .tfvars files excluded from version control for local development. In CI/CD, inject variables via environment variables or secret managers.

# variables.tf
variable "db_password" {
  type        = string
  sensitive   = true
  description = "Database master password"
}

resource "aws_db_instance" "main" {
  allocated_storage    = 20
  engine     

      = "mysql"

instance_class = "db.t3.micro" username = "admin" password = var.db_password skip_final_snapshot = true }


### 4. CI/CD Integration
Terraform operations must be automated. The pipeline should run `terraform init`, `terraform fmt`, `terraform validate`, `terraform plan`, and `terraform apply` (on merge to main).

**Pipeline Logic:**
1.  **Plan Stage:** Generates the execution plan. Comment the plan back to the Pull Request for review.
2.  **Apply Stage:** Triggered only on merge. Requires approval for production environments.
3.  **Drift Detection:** Scheduled job running `terraform plan` to detect manual changes.

### 5. State Import Strategy
Legacy resources must be imported into Terraform control. Use `terraform import` or the newer `import` blocks to bring existing infrastructure under management without recreation.

```hcl
# import.tf
import {
  to = aws_instance.existing_web_server
  id = "i-0123456789abcdef0"
}

Pitfall Guide

1. Local State Storage

Mistake: Keeping terraform.tfstate in the repository or on local disks. Impact: Team members overwrite each other's changes. Secrets in state are exposed. No state locking leads to corruption. Fix: Always configure a remote backend with locking immediately after initialization.

2. Monolithic State Files

Mistake: Defining all resources (network, compute, database, IAM) in a single state file. Impact: terraform plan takes minutes. Locking prevents parallel deployments. A small change to a tag requires scanning the entire graph. Fix: Split state by logical component (e.g., network, app, data) using separate backend configurations or directory structures.

3. Hardcoding Secrets

Mistake: Embedding API keys or passwords directly in .tf files. Impact: Secrets are committed to git history. Audit trails are compromised. Rotation requires code changes. Fix: Use sensitive = true on variables. Integrate with AWS Secrets Manager, HashiCorp Vault, or GitHub Secrets. Never commit .tfvars containing secrets.

4. Ignoring lifecycle Rules

Mistake: Creating resources without prevent_destroy or create_before_destroy where appropriate. Impact: terraform apply deletes production databases or load balancers during refactoring. Fix: Apply lifecycle { prevent_destroy = true } to critical stateful resources. Use create_before_destroy for resources that cannot tolerate downtime.

resource "aws_db_instance" "production" {
  # ... config ...
  
  lifecycle {
    prevent_destroy = true
  }
}

5. The depends_on Trap

Mistake: Overusing explicit depends_on to force ordering. Impact: Terraform's graph is disrupted. Parallelism is lost. Plans become fragile and slow. Fix: Rely on implicit dependencies via references. Use depends_on only for external dependencies not visible to Terraform (e.g., provisioners accessing DNS that isn't managed by Terraform).

6. Managing Resources Outside Terraform

Mistake: Manually tweaking security groups or scaling instances via console. Impact: Drift occurs. Next apply may revert manual changes or fail due to state mismatch. Fix: Enforce "IaC Only" policies. Use SCPs (Service Control Policies) to deny console changes to managed resources. Run drift detection regularly.

7. Lack of State Versioning

Mistake: Backend configuration does not support versioning. Impact: If state is corrupted, there is no rollback path. Fix: Enable versioning on S3 buckets. Use Terraform Cloud/Enterprise which provides built-in state history and rollback.

Production Bundle

Action Checklist

  • Initialize Remote Backend: Configure S3/DynamoDB or Terraform Cloud backend with state locking and encryption.
  • Enable Versioning: Ensure state bucket has versioning enabled to allow rollback of state files.
  • Implement Module Structure: Decompose infrastructure into reusable, versioned modules. Avoid monolithic configs.
  • Add Linting and Security: Integrate tflint for syntax/style and tfsec or checkov for security scanning in CI/CD.
  • Configure Sensitive Variables: Mark all secret variables as sensitive = true and inject via CI/CD secrets.
  • Define Lifecycle Rules: Apply prevent_destroy to stateful resources and create_before_destroy where uptime is critical.
  • Establish Drift Detection: Schedule automated terraform plan runs to detect configuration drift weekly or daily.
  • Document Outputs: Ensure modules expose necessary outputs for inter-module communication and external consumption.

Decision Matrix

ScenarioRecommended ApproachWhyCost Impact
Solo Developer / PoCLocal State + GitSimplicity; no backend overhead.Free
Small Team (2-5 devs)Remote S3 + DynamoDBCollaboration, locking, versioning at low cost.Low (~$1-2/mo)
Enterprise / ComplianceTerraform Cloud/EnterpriseSSO, audit logs, policy as code, managed state.High (Subscription)
Multi-Region DeploymentDirectory Structure per RegionIsolation of state; parallel execution; blast radius containment.Low
High Churn ResourcesEphemeral State / CI/CD OnlyState managed only in pipeline; no local state risk.Medium (Pipeline compute)

Configuration Template

This template provides a production-ready structure for an AWS environment with remote state, module usage, and variable handling.

# main.tf
terraform {
  required_version = ">= 1.5.0"

  backend "s3" {
    bucket         = "acme-corp-terraform-state"
    key            = "prod/vpc/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.30"
    }
  }
}

provider "aws" {
  region = var.aws_region

  default_tags {
    tags = {
      ManagedBy   = "Terraform"
      Environment = var.environment
      Team        = "platform-eng"
    }
  }
}

# Network Module
module "vpc" {
  source      = "./modules/vpc"
  environment = var.environment
  cidr        = var.vpc_cidr
  tags        = local.common_tags
}

# Application Module
module "app" {
  source      = "./modules/app"
  environment = var.environment
  vpc_id      = module.vpc.vpc_id
  subnet_ids  = module.vpc.private_subnet_ids
  db_password = var.db_password
}

# Variables
variable "aws_region" {
  type    = string
  default = "us-east-1"
}

variable "environment" {
  type = string
  validation {
    condition     = contains(["dev", "staging", "prod"], var.environment)
    error_message = "Environment must be dev, staging, or prod."
  }
}

variable "vpc_cidr" {
  type    = string
  default = "10.0.0.0/16"
}

variable "db_password" {
  type      = string
  sensitive = true
}

# Locals
locals {
  common_tags = {
    Project = "AcmePlatform"
  }
}

Quick Start Guide

  1. Install Terraform: Download the binary from HashiCorp or use a package manager (brew install terraform, choco install terraform). Verify with terraform -version.
  2. Initialize Project: Create a directory and run terraform init. This downloads providers and configures the backend.
  3. Write Configuration: Create main.tf with provider and resource blocks. Use the template above as a baseline.
  4. Plan Execution: Run terraform plan. Review the output carefully. Ensure no unexpected deletions or modifications.
  5. Apply Changes: Run terraform apply. Confirm the execution. Terraform will create resources and update the state file.
  6. Verify and Destroy: Check resources in the cloud console. When done, run terraform destroy to tear down resources and avoid costs.

Note: For production, never run apply locally. Use the CI/CD pipeline defined in the Core Solution to ensure auditability and state safety.

Sources

  • ai-generated