Two years, 200+ Terraform modules, 3 cloud providers. We share our lessons learned from an enterprise Terraform setup.
Module Architecture
Two layers: root modules (one per environment and project, holding the backend and provider configuration) call shared modules (reusable components). Shared modules live in a private Terraform Registry and are versioned, tested and documented. Every module call in a root module pins a version constraint, so a new module release changes nothing in any environment until someone deliberately bumps the constraint and the resulting plan is reviewed.
State Management
Remote state in an Azure Storage Account (the azurerm backend), which locks state with a blob lease so two pipeline runs cannot write the same state file at once. One state file per environment, so a mistake in dev can never touch prod state. No manual terraform apply, ever: every apply runs from CI/CD under the pipeline's identity. State is backed up every 6 hours. Keep in mind that state stores every attribute Terraform knows about, including values marked sensitive, in plaintext; access to the storage account and to the backups is therefore restricted as tightly as access to the secrets themselves.
Drift Detection
Someone changes a resource by hand in the portal and the real infrastructure no longer matches the code: drift. A daily terraform plan in CI catches it. The job runs plan with -detailed-exitcode, which returns 0 when there is nothing to change, 2 when the plan contains changes and 1 on error, so the pipeline decides whether to notify from the exit code alone; an error must never be reported as "no drift".
Zero tolerance: every detected drift is resolved within 24 hours, either by applying the code to restore the declared state or by bringing the manual change into code and applying that. Leaving the two out of sync is not an option.
CI/CD Pipeline
PR → terraform plan → review → merge → terraform apply. The plan output is posted as a comment on the PR, so the reviewer sees exactly what will change before approving. The apply step should consume the plan file produced for the PR instead of planning again after merge; otherwise what reaches production can differ from what was reviewed. If state has moved in between, Terraform refuses the stale plan file and the change goes back through review. Sentinel policies, enforced in HCP Terraform / Terraform Enterprise between plan and apply, block unsafe changes (e.g., a public S3 bucket) even when a reviewer misses them.
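The daily drift job and the PR plan/apply steps above share one wrapper around terraform plan -detailed-exitcode. The script below is an added example and not code from the original post; the environment directory layout (envs/prod), the plan file names and the 5-minute lock timeout are assumptions, and it expects a terraform binary on PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps `terraform plan -detailed-exitcode`
# for two jobs: the daily drift check and the PR plan whose saved plan file is
# applied later. Exit codes of plan: 0 = no changes, 1 = error, 2 = changes.
# Directory layout, plan file names and the lock timeout are assumptions.
set -eu

# Map the exit status of `terraform plan -detailed-exitcode` to a verdict.
classify_plan_exit() {
  case "$1" in
    0) echo "clean" ;;   # infrastructure matches the code
    2) echo "drift" ;;   # plan contains changes: drift, or an intended change on a PR
    *) echo "error" ;;   # plan failed (auth, syntax, provider); never treat as clean
  esac
}

# Plan one root module directory, save the plan to $2 (relative to that
# directory, because -chdir changes Terraform's working directory) and print
# the verdict on stdout. Terraform's own output goes to stderr so the verdict
# is the only thing a caller captures. -lock-timeout makes a run wait for the
# state lock instead of failing at once when another run holds it.
plan_verdict() {
  env_dir="$1"
  plan_file="${2:-plan.tfplan}"
  rc=0
  terraform -chdir="$env_dir" plan -input=false -lock-timeout=5m \
    -detailed-exitcode -out="$plan_file" 1>&2 || rc=$?
  classify_plan_exit "$rc"
}

# Daily drift job: anything other than "clean" fails the job with a distinct
# exit code (2 = drift, 1 = plan error) so the notification step can tell
# "someone changed prod by hand" from "the pipeline is broken".
drift_job() {
  env_dir="$1"
  verdict="$(plan_verdict "$env_dir" drift.tfplan)"
  case "$verdict" in
    clean) echo "no drift in $env_dir" ;;
    drift) echo "DRIFT in $env_dir, see plan output" >&2; return 2 ;;
    *)     echo "plan FAILED in $env_dir" >&2; return 1 ;;
  esac
}

# Apply step: applies the saved plan that was reviewed on the PR. If state moved
# since the plan was created, Terraform refuses the stale plan file.
apply_reviewed_plan() {
  env_dir="$1"
  plan_file="${2:-plan.tfplan}"
  terraform -chdir="$env_dir" apply -input=false -lock-timeout=5m "$plan_file"
}

# Usage: ./tf-pipeline.sh drift envs/prod
#        ./tf-pipeline.sh apply envs/prod plan.tfplan
if [ $# -ge 2 ]; then
  case "$1" in
    drift) drift_job "$2" ;;
    apply) apply_reviewed_plan "$2" "${3:-plan.tfplan}" ;;
  esac
fi
```

The saved plan file contains every planned value, sensitive ones included, so it belongs in a restricted pipeline artifact, not on the PR; what gets posted as the PR comment is the rendering from terraform show -no-color plan.tfplan, which masks attributes marked sensitive.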
IaC = Discipline, Not a Tool
Terraform is powerful, but without processes (review, testing, drift detection) it's just another way to break infrastructure.
Need help with implementation?
Our experts can help with design, implementation, and operations. From architecture to production.
Contact us