Blog
Thoughts on engineering, design, and building great products.
Composing Modules, the Terraform Registry, and Pinning Versions
Wire modules together by feeding one module's output into another's input, pull shared modules from the Terraform Registry with a properly pinned source and version, and understand why locking module versions matters for stability. Live demo: one Registry module wired together with two local modules.
Writing Your First Module
A module packages a group of resources behind a clean input/output interface, to reuse in many places without copying code. This article writes a 'secure-bucket' module that wraps an S3 bucket along with versioning, encryption and public-access blocking into a single concept, then calls it twice from the root with different inputs.
count and for_each: The Index Trap, Conditionals, templatefile
Two ways to create multiple resources: count by index and for_each by key. This article shows the real-world trap of using count with a list — dropping a middle element shifts the indexes and wrongly destroys-and-recreates a whole row of resources — with a live demo, then shows how for_each avoids it. Plus conditional resource creation and templatefile.
Data Sources, Functions, for Expressions and Dynamic Blocks
Read existing information on AWS with data sources (latest AMI, available zones, current account), transform and filter data with for expressions, then generate repeated nested blocks with dynamic blocks. A security group with ingress rules auto-generated from a list of ports serves as the running example.
Variables, Outputs, Locals and Catching Bad Values Early
Parameterize configuration so the same code runs for multiple environments: variables take input, outputs return results, locals name derived expressions. More important is catching errors early — validation blocks bad input right at plan, precondition and postcondition check assumptions around each resource.
Secrets: sensitive, ephemeral, and Write-Only Arguments
State stores secrets in plaintext — this article tackles exactly that. sensitive only hides output but still writes to state; ephemeral resources and write-only arguments (Terraform 1.10/1.11) actually keep secrets out of state. Live demo: with the same password, the old way leaks into state while write-only does not.
State Operations: import Block, state mv, state rm
Working with state day to day: bring existing infrastructure under management with the import block and auto-generate configuration with -generate-config-out, rename a resource in state with state mv, and remove a resource from management without deleting it with state rm. All run live against a bucket built by hand beforehand.