Terraform best practices multiple environments


What is Terraform?

Terraform is an open-source, vendor-neutral infrastructure as code (IaC) tool created by HashiCorp that enables developers to define, provision, and manage cloud and on-premises infrastructure using declarative configuration files. It uses HashiCorp Configuration Language (HCL) to automate the lifecycle of resources like servers, networks, and databases across providers (e.g., AWS, Azure, GCP).


How to Install Terraform?

HashiCorp distributes Terraform as an executable CLI that you can install on supported operating systems, including Microsoft Windows, macOS, and several Linux distributions. You can also compile the Terraform CLI from source if a pre-compiled binary is not available for your system.

Homebrew is a free and open-source package management system for macOS. If you have Homebrew installed, use it to install Terraform from your command line.

First, install the HashiCorp tap, which is Hashicorp's official repository of all our Homebrew packages.

$ brew tap hashicorp/tap

Now, install Terraform from hashicorp/tap/terraform.

$ brew install hashicorp/tap/terraform

Verify the Installation

Verify that the installation worked by opening a new terminal session and listing Terraform's available subcommands.

$ terraform -help
Usage: terraform [global options] <subcommand> [args]

The available commands for execution are listed below.
The primary workflow commands are given first, followed by
less common or more advanced commands.

Main commands:
##...

Add -help to any Terraform command to learn more about what it does and available options.

$ terraform plan -help


Key Features and Benefits
  • Infrastructure as Code (IaC): Instead of manual, manual configuration, infrastructure is defined in version-controlled text files, promoting collaboration and repeatability.
  • Declarative Approach: Users define the desired end state (e.g., "I need two servers"), and Terraform automatically determines the actions needed to achieve that state, unlike imperative scripting which requires defining specific, manual steps.
  • Cloud-Agnostic: A single tool and workflow can be used to manage multiple providers, reducing vendor lock-in.
  • State Management: Terraform maintains a terraform.tfstate file, which tracks the actual, deployed infrastructure, allowing it to detect "drift" and safely update or destroy resources.
  • Lifecycle Management: Automates the creation, modification, and deletion of infrastructure components.
How Terraform Works
  1. Write: Define infrastructure in .tf configuration files using HCL.
  2. Plan: Run terraform plan to compare the desired configuration with the current state and see a preview of changes.
  3. Apply: Run terraform apply to execute the planned actions and make the actual infrastructure match the configuration.
Key Components
  • Providers: Plugins (e.g., AWS, Azure, Google Cloud) that communicate with cloud provider APIs.
  • Modules: Reusable, shared configuration templates that simplify complex, repetitive deployments

Terraform is widely used in DevOps pipelines to manage complex, multi-cloud, and hybrid environments efficiently and securely.


Terraform Project and  Components
    Within a single directory (a module), the following file naming conventions are recommended by HashiCorp for clarity:
    • main.tf: Contains the primary resource and data source definitions, as well as module calls.
    • variables.tf: Declares input variables with descriptions.
    • outputs.tf: Declares output values from the resources created.
    • providers.tf: Configures the required providers and their versions.
    • locals.tf: Contains local values for cleaner, more readable configurations.
    • backend.tf: Configures the remote backend for storing the state file securely and enabling collaboration.
    • terraform.tfvars: An optional file that assigns values to variables for the current environment.
    Terraform automatically loads all .tf and .tfvars files in the working directory and processes them as a single configuration.
    Common Project Structures
    For multi-environment projects, teams typically use one of two main approaches:
    1. Environment-based with consistent components
    This approach uses a single set of configuration files for all environments but separates the variable values using specific tfvars files.
    terraform/
├── main.tf
├── variables.tf
├── outputs.tf
├── providers.tf
├── backend.tf
├── environments/
│   ├── dev.tfvars
│   ├── staging.tfvars
│   └── prod.tfvars
└── modules/
    ├── network/
    │   ├── main.tf
    │   ├── variables.tf
    │   └── outputs.tf
    └── compute/
        ├── main.tf
        ├── variables.tf
        └── outputs.tf
    • Usage: You run Terraform commands from the root directory, specifying the environment's variable file (e.g., terraform plan -var-file="environments/dev.tfvars").
    • Pros: Keeps code DRY (Don't Repeat Yourself) as the main configuration is shared.
    • Cons: Less flexibility for per-environment customization (e.g., a resource existing in prod but not dev).
    2. Environment-based with flexible components per environment
    This structure provides complete isolation by using separate directories for each environment, with its own full set of .tf files and dedicated state file.
    terraform/
├── modules/
│   ├── network/
│   └── compute/
├── dev/
│   ├── main.tf
│   ├── variables.tf
│   ├── terraform.tfvars
│   └── backend.tf
├── staging/
│   ├── main.tf
│   ├── variables.tf
│   ├── terraform.tfvars
│   └── backend.tf
└── prod/
    ├── main.tf
    ├── variables.tf
    ├── terraform.tfvars
    └── backend.tf
    • Usage: You navigate into the specific environment's directory to run commands (e.g., cd terraform/dev; terraform apply).
    • Pros: Limits the "blast radius" of changes to a single environment and allows for vastly different configurations or even different providers.
    • Cons: Involves code duplication, requiring more effort to manage consistency across environments.
    Important Directories and Files to Ignore
    When using version control (like Git), you must exclude certain files to prevent sensitive data exposure or conflicts:
    • .terraform/: A hidden directory used by Terraform to store cached plugins, modules, and other metadata. This is automatically managed by Terraform.
    • *.tfstate: The local state file. In real-world scenarios, remote backends should be used, but this file should still be ignored locally.
    • *.tfstate.backup: Backup state files created during operations.
    • *.tfvars or *.tfvars.json: Files containing sensitive variables should be kept out of source control. Environment variables or a secure vault should be used to manage secrets.
    • .terraform.lock.hcl: The dependency lock file, which should be committed to ensure consistent provider versions across runs.

    Your summary is absolutely aligned with how Terraform must be run in enterprise environments.
    Let me refine it into a production-grade reference architecture and add the missing piece most interviewers expect: cross-account access using AssumeRole on Amazon Web Services.

    Enterprise Terraform Operating Model (Large Teams)

    1. Remote State Is Non-Negotiable

    Use a centralized backend to ensure:

    • Single source of truth

    • State locking (prevents concurrent applies)

    • Auditability

    • Disaster recovery via versioning

    Recommended Backend (AWS Example)

    • S3 Bucket → State storage (versioned + encrypted)

    • DynamoDB Table → State locking

    • KMS Key → Encryption

    • Bucket Policy → Restricted to CI roles only

    Backend Configuration

    terraform {
  backend "s3" {
    bucket         = "org-terraform-state"
    key            = "network/prod.tfstate"
    region         = "us-east-1"
    dynamodb_table = "terraform-locks"
    encrypt        = true
  }
}

    2. Multi-Account Strategy (Real Enterprise Pattern)

    Large organizations NEVER deploy everything from one AWS account.

    Recommended Layout

    AWS Organization
│
├── Shared Services Account
│     ├── Terraform State Bucket
│     ├── CI/CD Runners
│     └── Logging / Security Tools
│
├── Network Account
│     └── VPC / Transit Gateway
│
├── Dev Account
├── Staging Account
└── Prod Account

    Terraform runs from Shared Services Account and assumes roles into target accounts.

    3. Cross-Account Access Using AssumeRole (Critical)

    Instead of storing credentials, Terraform uses STS AssumeRole.

    Provider Configuration

    provider "aws" {
  region = "us-east-1"

  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/TerraformExecutionRole"
  }
}

    Target Account IAM Role

    Allow only the CI system to assume:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SHARED_ACCOUNT_ID:role/ci-runner"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

    Benefits:

    • No static credentials

    • Full audit trail (CloudTrail)

    • Easy revocation

    • Works across 100+ accounts

    4. State Separation Strategy (Avoid Monolithic State)

    Never keep everything in one state file.

    Split by Responsibility

    StackOwns
    networkVPC, subnets, routing
    securityIAM, guardrails
    platformEKS, databases
    appsApplication resources

    This reduces:

    • Apply time

    • Blast radius

    • Merge conflicts

    • Risk during failure

    5. Mandatory Modular Design

    Reusable modules must be versioned like software.

    modules/
 ├── vpc/
 ├── eks/
 ├── rds/
 └── observability/

    Each module:

    • Has inputs/outputs only

    • Contains no environment logic

    • Is version tagged (Git release)

    6. CI/CD-Only Execution Model

    Humans must never run terraform apply locally.

    Pipeline should:

    terraform fmt        → formatting gate
terraform validate   → syntax gate
security scan        → checkov / terrascan
terraform plan       → PR visibility
manual approval      → required
terraform apply      → controlled execution

    This enforces:

    • Change traceability

    • Peer review culture

    • Compliance alignment

    7. Secrets Must Come From Secret Managers

    Never allow this:

    password = "Hardcoded123"

    Instead:

    data "aws_secretsmanager_secret_version" "db" {
  secret_id = "prod/db/password"
}

    Secrets never enter state as plain text when designed correctly.

    8. Policy & Governance Layer

    Large teams enforce guardrails using platforms from HashiCorp (Sentinel) or OPA.

    Example Rules:

    • Deny public S3 buckets

    • Enforce tagging

    • Restrict instance sizes

    • Block unapproved regions

    This converts Terraform into a governed platform, not just IaC.

    9. Observability & Drift Detection

    Add scheduled jobs:

    terraform plan -detailed-exitcode

    Detects:

    • Manual infra changes

    • Security drift

    • Cost leaks

    10. Reference Architecture (What “Good” Looks Like)

                    Developers
                    │
              Pull Request
                    │
                CI Pipeline
                    │
        ┌─────────────────────────┐
        │ Terraform Runner (Shared)
        └─────────────────────────┘
                    │ AssumeRole
   ┌───────────────┼────────────────┐
   │               │                │
Network Account  Dev Account     Prod Account
   │               │                │
   └──── Remote State (S3 + Locking)┘


    What Interviewers Want to Hear

    If you explain Terraform for large teams, they expect these keywords:

    • Remote state with locking
    • Cross-account AssumeRole model
    • CI-driven applies (no local execution)
    • State isolation by stack
    • Versioned reusable modules
    • Policy enforcement
    • Secret externalization
    • Drift detection strategy


    Below is a complete enterprise-ready reference you can use in real implementation.

    1. Reference Architecture Diagram + Repo Structure

    Enterprise Terraform Architecture (Multi-Account Model)

                             Developers
                             │
                      Pull Request (Review)
                             │
                     CI/CD Pipeline Runner
                             │
                   (Assumes Deployment Role)
                             │
        ┌────────────────────────────────────────┐
        │        Shared Services Account         │
        │  - Remote State (S3)                   │
        │  - Lock Table (DynamoDB)               │
        │  - CI Runner / Audit Logs              │
        └────────────────────────────────────────┘
                   │            │             │
        AssumeRole │            │             │
                   ▼            ▼             ▼
            Network Account   Dev Account   Prod Account
            (VPC / TGW)       (Apps)        (Live Infra)

    Key Idea:
    Terraform runs centrally and assumes roles into each environment — no credentials stored anywhere.

    Used heavily in enterprises running on Amazon Web Services.

    Recommended Repository Layout

    terraform-platform/
│
├── modules/                     # Reusable building blocks
│   ├── vpc/
│   ├── eks/
│   ├── rds/
│   └── iam/
│
├── live/                        # Environment-specific configs
│   ├── dev/
│   │   ├── network/
│   │   └── app/
│   │
│   ├── staging/
│   └── prod/
│
├── global/
│   └── backend-bootstrap/       # Creates S3 + locking table
│
└── policies/                    # Security guardrails

    Module Design Principles

    Each module must:

    • Be stateless

    • Accept only variables

    • Never reference environments

    • Be version tagged (v1.2.0)

    • Be reusable across accounts

    Remote State Bootstrap (Run Once)

    You create the backend first, then everything else consumes it.

    This prevents circular dependency problems — a detail many candidates miss.

    2. CI/CD Pipeline Example (Production Safe)

    Terraform should always run via automation like GitHub Actions, not laptops.

    Deployment Workflow

    Developer Change → PR → Plan → Approval → Apply → Audit Log

    Example Pipeline (terraform.yml)

    name: Terraform Deploy

on:
  pull_request:
    branches: [ main ]

jobs:
  terraform-plan:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3

      - name: Terraform Init
        run: terraform init

      - name: Terraform Format Check
        run: terraform fmt -check

      - name: Terraform Validate
        run: terraform validate

      - name: Security Scan
        run: |
          pip install checkov
          checkov -d .

      - name: Terraform Plan
        run: terraform plan -out=tfplan

    Apply Stage (After Manual Approval)

      terraform-apply:
    needs: terraform-plan
    runs-on: ubuntu-latest
    environment: production

    steps:
      - uses: actions/checkout@v4

      - name: Terraform Init
        run: terraform init

      - name: Terraform Apply
        run: terraform apply -auto-approve tfplan

    Why This Matters

    This ensures:

    • No uncontrolled changes

    • Full audit trail

    • RBAC via CI permissions

    • Zero credential leakage

    • Repeatable deployments

    3. Migration Roadmap (Manual Infra → Terraform at Scale)

    This is the real-world transformation plan companies expect senior engineers to know.

    Phase 1 — Discovery (Do NOT Write Code Yet)

    Inventory everything:

    • VPCs

    • Databases

    • IAM roles

    • Clusters

    • DNS

    • Secrets

    Use read-only access to map dependencies.

    Goal: Avoid breaking hidden integrations.

    Phase 2 — Establish Terraform Foundation

    Create only:

    • Remote backend

    • CI pipeline

    • IAM deployment roles

    No resources managed yet.

    This creates the “landing zone”.

    Phase 3 — Import Existing Infrastructure

    Bring resources under Terraform control safely:

    terraform import aws_vpc.main vpc-xxxx
terraform import aws_db_instance.prod db-xxxx

    Then write matching configuration.

    Golden Rule: Import first, modify later.

    Phase 4 — Modularization

    Refactor imported configs into modules:

    Before:

    5000-line main.tf ❌

    After:

    modules/network
modules/data
modules/compute

    Phase 5 — Introduce Guardrails

    Add:

    • Policy checks (block public exposure)

    • Drift detection jobs

    • Cost visibility tags

    • Change approval workflow

    Now Terraform becomes a governance system, not just IaC.

    Phase 6 — Gradual Ownership Transition

    Teams move from:

    ClickOps → Controlled IaC → Self-Service Platform

    Application teams consume modules instead of writing infra.

    Common Migration Failure (Interview Trick Question)

    Many teams try:

    “Rewrite everything in Terraform.”

    That causes outages.

    Correct strategy:

    Adopt → Import → Stabilize → Improve

    How to Explain (30-Second Answer)

    “For large-scale Terraform adoption we centralize remote state with locking, run all applies through CI using cross-account roles, split infrastructure into isolated stacks to limit blast radius, and migrate existing environments via import before modularizing into reusable, versioned components.”


    Top 50 Terraform Interview Questions and Answers

    https://shyam.kubeify.com/2025/12/top-50-terraform-interview-questions.html


    Need Help is System Design Using Terrorform over AWS / GCP / Azure / DO etc.

    https://kubeify.com/schedule-meeting





    Popular posts from this blog

    What is the Difference Between K3s and K3d

    Image
      What is K3d? What is K3s? and What is the Difference Between Both? Table of Contents Introduction What is K3s? Features of K3s Benefits of K3s Use Cases of K3s What is K3d? Features of K3d Benefits of K3d Use Cases of K3d Key Differences Between K3s and K3d K3s vs. K3d: Which One Should You Choose? How to Install K3s and K3d? Frequently Asked Questions (FAQs) 1. Introduction Kubernetes is the leading container orchestration tool, but its complexity and resource demands can be overwhelming. This led to the creation of K3s and K3d , two lightweight alternatives designed to simplify Kubernetes deployment and management. If you're wondering "What is K3d? What is K3s? and What is the difference between both?" , this in-depth guide will provide a clear understanding of these tools, their features, benefits, and use cases. By the end, you'll be able to decide which one is best suited for your needs. 2. What is K3s? K3s...
    Read more

    DevOps Learning Roadmap Beginner to Advanced

    Image
      Here’s a detailed DevOps learning roadmap with estimated hours for each section, guiding you from beginner to advanced level. This plan assumes 10-15 hours per week of study and hands-on practice. 1. Introduction to DevOps ✅ What is DevOps? ✅ DevOps principles and culture  ✅ Benefits of DevOps  ✅ DevOps vs Traditional IT Operations  2. Linux Basics & Scripting ✅ Linux commands and file system  ✅ Process management & user permissions  ✅ Shell scripting (Bash, Python basics)  3. Version Control Systems (VCS) ✅ Introduction to Git and GitHub  ✅ Branching, merging, and rebasing  ✅ Git workflows (GitFlow, Trunk-based development)  ✅ Hands-on GitHub projects  4. Continuous Integration & Continuous Deployment (CI/CD) ✅ What is CI/CD?  ✅ Setting up a CI/CD pipeline  ✅ Jenkins basics ✅ GitHub Actions  CI/CD  ✅ Automated testing in CI/CD 5. Containerization & Orchestration ✅ Introduction to Docker  ✅...
    Read more

    Lightweight Kubernetes Options for local development on an Ubuntu machine

    Image
      Kubernetes is the de facto standard for container orchestration, but running a full-fledged Kubernetes cluster locally can be resource-intensive. Thankfully, there are several lightweight Kubernetes distributions perfect for local development on an Ubuntu machine. In this blog, we’ll explore the most popular options—Minikube, K3s, MicroK8s, and Kind—and provide a step-by-step guide for getting started with them. 1. Minikube: The Most Popular and Beginner-Friendly Option https://minikube.sigs.k8s.io/docs/ Use Case: Local development and testing Pros: Easy to set up Supports multiple drivers (Docker, KVM, VirtualBox) Works seamlessly with Kubernetes-native tooling Cons: Slightly heavier when using virtual machines Requires Docker or another driver Installing Minikube on Ubuntu: curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64 sudo install minikube-linux-amd64 /usr/local/bin/minikube Starting a Cluster: minikube start --driver=...
    Read more

    How to Transfer GitHub Repository Ownership

    Image
    How to Transfer GitHub Repository Ownership (Step-by-Step Guide) Transferring ownership of a GitHub repository might sound technical, but it’s a simple and straightforward process. Whether you’re moving a project to an organization, handing it off to a teammate, or just reorganizing, GitHub makes it easy. In this guide, we’ll walk you through the exact steps to transfer repository ownership, with a bonus video tutorial for visual learners. Why Transfer GitHub Repository Ownership? Before we dive into the steps, let’s quickly discuss why you might want to transfer ownership: Project Handoff: Moving a project to a new maintainer. Organization Management: Centralizing repositories under an organization account. Role Changes: Shifting responsibilities within a team. Whatever your reason, transferring ownership ensures the right person or entity has control over the repo’s settings and permissions. Prerequisites for Transferring Ownership Before you start, make sure: You’re an admin...
    Read more

    Open-Source Tools for Kubernetes Management

    Image
    Open-Source Tools for Kubernetes Management Kubernetes has become the de facto standard for container orchestration, but managing it efficiently requires the right set of tools. Fortunately, the open-source community has built a vast ecosystem of tools to simplify Kubernetes management, covering cluster management, monitoring, security, networking, autoscaling, cost management, and deployment automation. This blog explores some of the best open-source tools for Kubernetes management. Here are some open-source tools for Kubernetes management across different aspects like monitoring, security, CI/CD, and cluster management: 1. Kubernetes Cluster Management K9s – Terminal-based UI for interacting with Kubernetes clusters. Lens – A powerful Kubernetes dashboard with real-time cluster insights. kubectl – Official Kubernetes CLI for managing clusters and workloads. kind – Tool for running Kubernetes clusters locally using Docker. kops – Automates Kubernetes cluster creation in cl...
    Read more

    Cloud Native Devops with Kubernetes-ebooks

    Image
      Container-Native DevOps Steps Containerization This step involves packaging applications and their dependencies into containers, ensuring consistency across different environments. Containers allow developers to create lightweight, portable, and scalable applications. Popular tools include Docker and Podman. Docker Free eBook :   Beginning DevOps: A Guide to Containers, Kubernetes & More - FREE Kindle Edition                                                                                          Docker for Beginner: Practical Guide to Containerization Mastery FREE Kindle Edition              "Docker for Beginners - Practical Guide to Containerization Mastery" is a comprehensive g...
    Read more

    DevOps Engineer Tech Stack: Junior vs Mid vs Senior

    Image
      Cloud / DevOps Engineer Tech Stack: Junior vs Mid vs Senior (And What to Expect in Interviews) Table of Contents Introduction The Evolution of a Cloud / DevOps Engineer Entry-Level (0 - 2 Years Experience) Tools and Technologies Interview Expectations Mid-Level (3 - 6 Years Experience) Tools and Technologies Interview Expectations Senior-Level (7 - 10+ Years Experience) Tools and Technologies Interview Expectations Key Differences Across Experience Levels System Design Over Tool Familiarity Common Interview Questions Final Thoughts FAQs 1. Introduction The role of a Cloud / DevOps Engineer has evolved significantly over the past decade. With the increasing adoption of cloud-native technologies and the DevOps culture, the responsibilities, tools, and expectations from DevOps professionals vary greatly depending on their experience level. Whether you are an aspiring DevOps engineer or a seasoned professional looking to benchmar...
    Read more

    Apache Kafka: The Definitive Guide

    Image
      Table of Contents Introduction to Apache Kafka Why Use Kafka? Core Architecture of Kafka Brokers Producers Consumers Topics & Partitions Kafka Components and Their Roles Kafka Broker Kafka Zookeeper Kafka Producer Kafka Consumer How Kafka Works Message Publishing Message Consumption Offset Management Kafka Use Cases Real-time Data Streaming Log Aggregation Event Sourcing Messaging Queue Setting Up Kafka Installation Guide Configuration Running Kafka Locally Kafka Performance Tuning Best Practices Configurations for High Performance Kafka Security & Monitoring Authentication & Authorization Monitoring Tools FAQs about Kafka 1. Introduction to Apache Kafka Apache Kafka is an open-source distributed event streaming platform used for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications. It was originally developed by LinkedIn and later open-sourced as part of the ...
    Read more

    Setting Up a Kubernetes Dashboard on a Local Kind Cluster

    Image
      Setting Up a Kubernetes Dashboard on a Local Kind Cluster Ever wanted to visualize your Kubernetes cluster but found the command-line a bit tedious? The Kubernetes Dashboard offers a slick, web-based UI to manage your applications, monitor resource usage, and troubleshoot issues. In this blog post, we'll walk you through the process of setting up the Kubernetes Dashboard on a local Kind cluster and accessing it from your browser. Prerequisites: What You'll Need Before we start, make sure you have the following installed on your machine: Docker : Kind uses Docker to run the Kubernetes cluster. Kind : The kind CLI tool for creating and managing your cluster. kubectl : The command-line tool for interacting with your cluster. Helm : A package manager for Kubernetes, which is the easiest way to install the Dashboard. If you don't have a Kind cluster running, you can create one with a simple command: kind create cluster . Step 1: Install the Kubernetes Dashboard with Helm In...
    Read more

    Use of Kubernetes in AI/ML Related Product Deployment

    Image
      What is Kubernetes, Why Do We Need It, and What is the Use of Kubernetes in AI/ML Related Product Deployment? Table of Contents Introduction What is Kubernetes? Why Do We Need Kubernetes? Core Components and Architecture of Kubernetes Kubernetes in AI/ML Product Deployment Benefits of Kubernetes for AI/ML Workloads Real-World Use Cases Challenges and Considerations Conclusion FAQ 1. Introduction In the rapidly evolving digital era, deploying applications quickly, reliably, and at scale is more important than ever. With AI and machine learning (ML) becoming integral to modern applications, the complexity of managing infrastructure grows exponentially. Enter Kubernetes —an open-source platform revolutionizing the way developers deploy, scale, and manage containerized applications, especially in the AI/ML domain. This comprehensive guide aims to demystify Kubernetes, explain its necessity, and explore its growing role in deploying AI/ML products....
    Read more