Blog
Thoughts on engineering, design, and building great products.
Capstone: A Complete Multi-Tier Web Infrastructure
The final article assembles everything in the series into a complete web infrastructure: VPC, ALB, an Auto Scaling Group running nginx, RDS PostgreSQL and S3, organized into three connected modules. It applies for real, reaches the application through the ALB, verifies that the DB password never leaks into state, and finishes with a clean teardown. It closes with a roadmap for what to learn next.
Testing: terraform test, mock_provider, and Terratest
Test Terraform code before it stands up real infrastructure. terraform test (GA since 1.6) with .tftest.hcl files uses run and assert blocks to check logic, and mock_provider (1.7) lets tests run without real AWS. A real demo of three passing tests and one failing test, followed by an introduction to Terratest for deep integration testing.
CI/CD for Terraform: GitHub Actions, OIDC, and Quality Scanning
Put Terraform into a pipeline: an automatic plan on pull requests, apply on merge, and AWS authentication via OIDC with no stored access key. Bolt the quality scanners fmt, validate, tflint, Trivy and Checkov into the pipeline, with real output showing which holes they catch.
Advanced Lifecycle and Providers
Features that control resource and provider lifecycle: create_before_destroy, prevent_destroy, ignore_changes, replace_triggered_by; provider alias to run multi-region in one configuration; terraform_data replacing null_resource; provisioners as a last resort; and the check block that only warns. Each feature comes with a real demo.
Reading Another State and Refactoring: remote_state, moved, removed
When you split infrastructure across multiple states, terraform_remote_state lets one config read the outputs of another. When reorganizing code, the moved block renames a resource without a destroy-and-recreate, and the removed block drops a resource from state without destroying it; both are declared right in the configuration instead of the manual state mv/rm commands from Article 7.
Multiple Environments: Workspaces and Directory Layout
Dev, staging and prod need separate state. There are two ways to get it: workspaces keep multiple states in the same backend, and a directory layout splits each environment into its own directory with its own backend. This article demos both, and shows clearly why workspaces are NOT a good fit for strong separation between prod and dev, exactly as the docs warn.
A Real Network Module: VPC, Subnet, and EC2
Assemble everything from Part IV into a useful foundational infrastructure module: a VPC with public subnets across multiple zones, an internet gateway and route table, CIDRs generated with cidrsubnet and subnets created with for_each. Then place an Internet-reachable EC2 instance inside that network. This is the kind of foundational module nearly every project needs.