Minimal practices and changes on terraform can improve your experience on IaC

4 min readOct 4, 2022

In the knowledge and discovery of terraform there are some sites that teach you how to use the tool as such, however some parts teach you how to implement, but everything that comes later you must know on the way, this is why I wanted to share with you my experience and use of terraform and how to help you work on it based in a few points:

Always set a repository.
Order your requirements.
Differentiate your providers.
Use locals.
Don’t forget about the security.
Costs are very important.
Differentiate your environments.

Use an repository to order your projects

A repository called from github, gitlab, bitbucket or whatever is where you should always start your projects.
Your infrastructure as code should not be treated from a local environment and moreover, the stages of testing, planning and validation of both security and your code should always be attended from a space where you can collaborate both with your team and at some point think about how to open your tools and teach the knowledge you have for the public.

Order your paths and requirements

You should work with directory structures that allow you to organize both the resources to be deployed and the different environments with which they will work.

A little visual how to order your paths into your tf-project

Providers use in a separate file

Your infrastructure providers as a whole code should go in a file where you declare your providers, so use the providers.tf file and declare the different ones in this file.

If you use required_providers don’t forget declare your providers to use like this:

A big image for you understand the importance of providers.

Use “.tfstates” files to save your data

You need a place to store all the plan and the large terraform object that stores the infrastructure data, so getting a place where the tf-states files are stored and can be version-controlled is important.
A good strategy is to use cloud provider storage services and work with it.

You should also review the .tfstates files to understand the structure of them and in turn they allow you to solve some problems you may encounter along the way.

I recommend this documentation for understand this:

Use locals instead variables in files different than variables.tf

Variables are necessary to modularize and to work with values that can be assigned and referenced, but by weight and assignment, working with variables can make the work more expensive than it should be.
It is not bad to work with variables that reference your code, but in order to be able to converse the scope of the code you are dealing with use “local”.
Local objects will allow you to better manage the objects you are working with, in fact, you can even merge the values you assigned with your variables and use them consecutively as needed.

Uses variables and transform into locale object

Remember, in terraform exist different types of variables to manage and the official documentation explain about this (https://www.terraform.io/language/expressions/types).

Security first

Use tools such as kyverno, tfsec or OPA rules to help review and understand what vulnerabilities you have in your code or simply set your rules to define what is secure and what is not using OPA or kyverno.

For example, if you choice is OPA:

Create an tfplan.
Create an OPA (terraform-cost-optimization.rego file) validation like this:

Example from Anton Babenko for use a little rule for cost-optimization

Samples from https://www.openpolicyagent.org/docs/latest/terraform/

Costs are important

What you deploy to the different environments generates costs and that is why you need to not only resort to the documentation of the different cloud providers or resources to know how much the impact on the organization’s budget is, but it is also important to work with tools that help you to have a preview of what we are impacting.
Terracost is a tool that when properly configured it is possible to take advantage of this with reports that show how much you could spend by impacting resources.

For example, a simple plan of terracost had.

version: 0.1
resource_type_default_usage:
  aws_lambda_function:
    monthly_requests: 100000 # Monthly requests to the Lambda function.
    request_duration_ms: 500 # Average duration of each request in milliseconds.

Sample from https://github.com/infracost/infracost/blob/master/infracost-usage-example.yml

Responsibilities in different environments

You must know how to differentiate your environments, I know it sounds quite obvious but it is necessary that through your directory and file structures you know how to differentiate your environments.