Best Practices
July 11, 2025 ยท View on GitHub
This document outlines the best practices for developing and maintaining Terraform modules in this repository.
๐ New Module Pattern: For detailed information about our standardized module development pattern, see Module Development Pattern
Module Design
General Principles
-
Single Responsibility
- Each module should do one thing well
- Keep modules focused and composable
- Avoid creating "kitchen sink" modules
-
Reusability
- Design modules to be reusable across projects
- Use variables for customization
- Avoid hardcoding values
-
Composability
- Make modules work well together
- Use consistent naming conventions
- Design for composition from the start
Input Variables
-
Naming
- Use clear, descriptive names
- Follow consistent naming patterns
- Use snake_case for variable names
-
Types
- Always specify variable types
- Use complex types when appropriate
- Validate input with type constraints
-
Defaults
- Provide sensible defaults
- Document default values
- Make defaults secure by default
-
Validation
- Add validation rules
- Use custom validation blocks
- Validate security-related inputs
Outputs
-
Completeness
- Output all useful attributes
- Include computed values
- Output resource IDs and ARNs
-
Naming
- Use consistent naming
- Make names descriptive
- Follow the same pattern as inputs
-
Documentation
- Document all outputs
- Include usage examples
- Explain computed values
Security
General Security
-
Least Privilege
- Use minimal IAM permissions
- Follow security best practices
- Document security requirements
-
Encryption
- Enable encryption by default
- Use KMS for sensitive data
- Document encryption settings
-
Network Security
- Use security groups properly
- Implement network isolation
- Document network requirements
AWS-Specific
-
IAM
- Use IAM roles and policies
- Follow AWS best practices
- Document IAM requirements
-
VPC
- Use private subnets
- Implement proper routing
- Document network architecture
-
Secrets
- Use AWS Secrets Manager
- Never hardcode secrets
- Document secret management
Tagging
AWS Resources
-
Required Tags
- Environment (dev, staging, prod)
- Project/Application name
- Owner/Team
- Cost Center
- Managed By (Terraform)
-
Optional Tags
- Version
- Description
- Compliance requirements
- Backup requirements
-
Tagging Strategy
- Consistent across resources
- Automated tagging
- Document tagging requirements
Testing
Module Testing
-
Unit Tests
- Test variable validation
- Test output values
- Test error conditions
-
Integration Tests
- Test with real providers
- Test module composition
- Test error handling
-
Security Tests
- Run tfsec
- Check IAM permissions
- Validate encryption
Documentation
Module Documentation
-
README.md
- Clear description
- Usage examples
- Input/output documentation
- Requirements
-
Examples
- Basic usage
- Common scenarios
- Security configurations
- Integration examples
-
Comments
- Document complex logic
- Explain design decisions
- Reference external docs
Versioning
Semantic Versioning
-
Major Version
- Breaking changes
- Incompatible updates
- Major feature changes
-
Minor Version
- New features
- Backward compatible
- Minor improvements
-
Patch Version
- Bug fixes
- Security updates
- Documentation updates