Engineering Playbook
IaC

Terraform (HCL)

Modules, State, Terragrunt, and the OpenTofu fork.

Terraform

Terraform is the industry standard for Declarative Infrastructure. You describe what you want (Desired State), and Terraform figures out how to get there (Current State -> API Calls).

The Core Workflow

  1. Write: Define resources in HCL (.tf).
  2. Init: Download providers from the Terraform Registry.
  3. Plan: Terraform calculates the "Diff" between your code and the real world. Always review the plan.
  4. Apply: Terraform executes the API calls to build the infra.

The State File (terraform.tfstate)

This is the most dangerous file in your infrastructure. It maps your code to real-world Resource IDs.

State Management Rules

  1. Never commit state to Git. It contains secrets (DB passwords) in plain text.
  2. Use Remote State. Store it in S3 (AWS) or GCS (Google).
  3. Use GitOps. I recommend running terraform apply through GitOps workflows to prevent concurrent executions entirely.

GitOps for Terraform

Stop running terraform apply manually.

GitOps uses a Git repository as the "Source of Truth" for infrastructure changes.

  1. Repo: Contains your Terraform code.
  2. CI/CD Pipeline: Automatically runs terraform plan and terraform apply when code is merged.
  3. Single Executor: Only the CI/CD system can execute infrastructure changes, eliminating concurrency issues.

The GitOps Workflow

  1. Developer creates a pull request with infrastructure changes
  2. CI runs terraform plan and shows the plan as a PR comment
  3. Team reviews the plan and approves the PR
  4. CI merges and runs terraform apply automatically
  5. No manual terraform apply execution = No concurrency issues

Key Benefits of GitOps

  • Concurrency Prevention: Only the CI/CD pipeline can execute changes, eliminating race conditions
  • Complete Audit Trail: Every infrastructure change is tracked through pull requests and reviews
  • Zero Human Error: No one can accidentally run terraform apply with wrong parameters
  • Drift Detection: GitOps tools can detect when infrastructure diverges from Git and auto-correct

Modules: DRY Infrastructure

Don't copy-paste your VPC config 10 times. Wrap it in a Module.

  • Root Module: The folder where you run terraform apply. It calls child modules.
  • Child Module: A folder with input variables.tf and output outputs.tf.

Folder Structure:

modules/
  vpc/
    main.tf
    variables.tf
    outputs.tf
environments/
  prod/
    main.tf  <-- Calls modules/vpc
  staging/
    main.tf  <-- Calls modules/vpc

Terragrunt

Terragrunt is a wrapper tool that keeps your backend configuration DRY.

  • It auto-generates the backend.tf file.
  • It allows you to define dependencies between stacks (e.g., "Pass the VPC ID from the Network Stack to the App Stack").

Flaw

The backend configuration (S3 bucket name for state) cannot use variables. This forces you to copy-paste backend config for Dev, Stage, and Prod.

Terraform vs. OpenTofu

In 2023, HashiCorp changed Terraform's license to BSL (Business Source License). It is no longer strictly Open Source.

OpenTofu is the open-source fork created by the Linux Foundation in response.

Which one to choose?

  • Personal / Open Source Projects: Use OpenTofu. It guarantees freedom and community governance.
  • Enterprise: Terraform is still the standard, but be aware of licensing costs if you are building a product that competes with HashiCorp.
  • Compatibility: For now, they are near-identical. Migration is usually just replacing the binary.

RFCs & ADRs

Request for Comments, Architectural Decision Records, and decision logs.

Pulumi

Infrastructure as Real Software using TypeScript, Python, or Go.

On this page

TerraformThe Core WorkflowThe State File (terraform.tfstate)GitOps for TerraformThe GitOps WorkflowModules: DRY InfrastructureTerragruntTerraform vs. OpenTofu