Terraform Config Root Setups

We use a single codebase to deploy to multiple environments. The setup looks like this:<p><pre><code> - root -- &#x2F;envs --- &#x2F; dev.tfvars --- &#x2F; prod.tfvars - main.tf </code></pre> When it gets deployed by the CICD, the right tfvars file is passed in via the -var-file parameter. A standard `env` var is also passed in, and used as a basis for a naming convention. Backend is also set by the pipeline.<p>The rationale here is that our environments should be almost the same between them, and any variations should be accomplished by parameterization.<p>Modules are kept either in separate repos, if they need to be shared between many workspaces, or under the `modules` subfolder.

This is terrible. All options seem to assume state is stored locally (not, say, in S3). Many options are just the same as others but only one environment, or with some project-specific difference like &#x27;there is a backend and a frontend&#x27; or &#x27;a few services&#x27; which has nothing to do with how you structure the terraform side of it.<p><i>All</i> of them either don&#x27;t address or use multiple directories to handle multiple environments (and assume a static list). What?! No, use terraform workspaces, or a single module that you instantiate for each environment. Or terragrunt if you really want. TFA is just a blogspam mess from either AI or someone that&#x27;s spent about 20 minutes with a Youtube video to learn terraform &amp; push out their latest deep dive content guys.

This is ever evolving but we currently do;<p>Composable modules such as `terraform-aws-lambda&#x2F;modules&#x2F;standard-function`, `terraform-aws-iam&#x2F;moduls&#x2F;role-for-aws-lambda`, etc, which get composed for a specific usecase in a root module (which we call stacks). The stack has directories under it such as `dev&#x2F;main&#x2F;primary&#x2F;` `dev&#x2F;sandbox-a&#x2F;primary&#x2F;` `dev&#x2F;sandbox-a&#x2F;test-a&#x2F;`, etc, where `dev` is environment, `main&#x2F;sandbox-a` is tenant and the `primary&#x2F;test-a` is the namespace. The namespaces contain a `tfvars` file and potentially some namespace specific assets, readme&#x27;s, documentation, etc. The CD system then deploys the root module for each namespace present.<p>Stacks are then optionally (sometimes deeply) nested under parent directories, which are used for change control purposes, variable inference and consistency testing.<p>OpenTofu &gt;1.8.0 is required for all of this to keep it nice and tidy.

Terragrunt goes a long way to providing a near-perfect way to structure Terraform repos.

I spend a lot of time speaking with clients and have found myself partially understanding organizational structure so I dove in to collect my thoughts and put myself closer to the customer on what they are navigating.<p>This gave myself a refresher on how they are organizing their cloud infrastructure within their source control systems. I took a lense from the world of terraform since that’s mostly the world i live in today and the last few years.<p>I explored 10 different ways to structure your Terraform config roots, each promising scalability but delivering varying degrees of chaos. From single-environment simplicity to multi-cloud madness, customers are stuck navigating spaghetti directories and state file hell.<p>I probably missed things. Might have gotten things wrong. Take a look and let me know what you think.<p>What patterns are you using that I missed?

The client I&#x27;m contracted to is all-in on Terraform Cloud. (TFC)<p>TFC uses workspaces, which annoyingly aren&#x27;t the same thing as <i>terraform</i> workspaces. I&#x27;ve divided up our workspaces into dev, qa, staging, and prod, and each group of workspaces has the OIDC setup to allow management of a specific cloud account. So dev workspaces can only access the dev account, etc etc. Each grouping of workspaces also has a specific role that can access them. Each role then has its own API key.<p>The issues I&#x27;ve run into are mostly management of workspace variables. So now I have a manager repo and matching workspace that controls all the vars for the couple hundred TFC workspaces. I use a TFC group API key for the terraform enterprise provider, one provider per group. This prevents potential mistakes where dev vars could get written to qa, etc etc.<p><pre><code> Manager repo - dev TFE provider - qa TFE provider - staging TFE provider - prod TFE provider </code></pre> Workspace variables are set by a single directory of terraform, so there&#x27;s good sharing of the data and locals blocks.<p>I use lists of workspaces categorized by &quot;pipeline deployers&quot; and &quot;application resource deployers&quot;, along with lists of dev, qa, staging, and prod workspaces. I then use terraform&#x27;s &quot;setintersection&quot; function to give me &quot;dev pipeline&quot; workspaces, &quot;prod app&quot; workspaces, etc. I also do the same with groups of variables, as there&#x27;s some that are specific to pipeline workspaces, and so on. It works well, and it&#x27;s nice to have an almost 100% terraform control of vars and workspaces.<p>I split app and pipeline workspaces based on historical decisions, I&#x27;m not sure if I&#x27;d replicate that on a new project. The workflow there is that an app workspace creates the resources for a given deployment, then saves pertinent details to a couple of parameters. The pipeline workspace then pulls those parameters and uses them to create a pipeline that builds and deploys the code.<p>Unfortunately I can&#x27;t share code from this particular setup, but I do intend to write about it &quot;someday&quot;.

This is all besides the point that Terraform&#x27;s biggest weakness is refactoring large workspaces into multiple smaller workspaces. Transitioning IDs from one workspace to another, at scale, is <i>annoying</i> to say the least. The only remotely feasible generic solution here would be to treat statefiles as tables, write migrations as SQL, and use pre-existing tooling for database migrations and rollbacks... Maybe I&#x27;ll write something like that someday.

The method I go to almost always is<p>&gt; Multi-Environment Setup with Shared Modules<p>But the con of saying versioning is tricky across modules is damn near impossible to reliably manage.. especially because if I&#x27;m introducing a new variable to a shared module A) I need to also add this variable in the inputs of each of the environment.<p>I haven&#x27;t found a way to manage multiple versions of the modules across environments if all using the same shared modules. Is it even possible?

Good overview of potential options. Which is most appropriate really depends.<p>I am a big fan of modularisation, it is possible to extend this approach to divide logically your infrastructure and mirror that by separating out the terraform state files too.<p>Number of TF deployment increases but they each have smaller blast radiuses and you now need to manage making available outputs of builds to those which are dependent on them.

What&#x27;s the craziest terraform repo you have seen? Is it okay to mix code (ex: Java) and terraform in a large mono repo?

Terraform is such a weird product and it’s hard to describe why, really. It has really awesome things about it like a functional way to pull in support for just about any providers crazy thing. And the crazy part is somehow terraform can easily configure local infrastructure, cloud infrastructure on almost any host, set up repos in GitHub, and then create a new auth provider in Auth0. The language is flexible enough to support all of it.<p>Yet as a language, it’s quirky as heck. For example how modules are basically wrappers on providers and how different modules can all most “see inside” other modules to iron out dependency ordering but yet also can’t. And speaking of, circular dependencies suck to work around in a modular way without tearing half your structure apart.<p>Like I said, I am not anywhere close to an expert on terraform and can only describe my limited experience building a fairly simple stack on top of it. The whole thing is just… both amazing and also weird and a bit frustrating. And I have yet to “grow” into multiple environments… lots of my complaints are probably down to my limited experience with it and, honestly, not much out there in terms of best practices for maintaining scalable configuration (or maybe my ADD brain refuses to dive into that, who knows?)<p>My last adventure into infrastructure as code was with Puppet and Salt. All of that was provisioning on top of bare metal. It was all file operations and the “provider specific modules” were really just wrappers to nicely encapsulate things like nginx or apt. Perhaps it is because of Puppet or Salt’s much more limited scope that didn’t have me feeling the same way.<p>I mean terraform can be used to configure just about anything that has an API if you wanted. Maintaining a declarative language around that is bound to have its quirks.

Please, please, please use Terraform workspaces: One workspace per environment.<p>For environment specific things use conditionals:<p><pre><code> nodes = terraform.workspace == &quot;prod&quot; ? 2 : 1</code></pre>