Refactoring Terraform for Production-Grade AWS Infrastructure

Creating Production-Grade Infrastructure with Terraform

Mary Mutua refactored her infrastructure into modular components to transition from functional to production-grade code. This architectural shift includes implementing variable validation and automated testing with Terratest to verify successful HTTP 200 responses.

Why This Matters

Technical reality often involves monolithic Terraform code where a single file manages all resources, leading to high blast radii and difficult maintenance. Transitioning to modular, validated code reduces the risk of misconfiguration and ensures that infrastructure can be tested and reused by other engineers safely, preventing common production failures like accidental service exposure or resource collisions.

Key Insights

• Variable validation using the HCL validation block prevents invalid inputs, such as unauthorized instance types, from reaching the provisioning stage.
• The create_before_destroy lifecycle hook enables safer rolling replacements of resources like launch templates to minimize service disruption during updates.
• Centralized tagging via locals and the merge function ensures consistent billing and operational visibility across all AWS resources.
• Automated testing with Terratest provides repeatable regression checks by programmatically verifying ALB DNS outputs and HTTP status codes.
• Least-privilege networking is achieved by replacing wide 0.0.0.0/0 CIDR blocks with referenced security group IDs for specific port ingress.

Working Examples

Variable validation for EC2 instance types

variable "instance_type" {
  description = "EC2 instance type for the app cluster"
  type = string
  validation {
    condition = can(regex("^t[23]\\.", var.instance_type))
    error_message = "Instance type must be a t2 or t3 family type."
  }
}

Safer rolling replacements with lifecycle hooks

resource "aws_launch_template" "this" {
  # ...
  lifecycle {
    create_before_destroy = true
  }
}

Automated infrastructure testing with Terratest

func TestHelloWorldApp(t *testing.T) {
  t.Parallel()
  terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
    TerraformDir: "../examples/hello-world-app",
    Vars: map[string]interface{}{
      "cluster_name": "test-cluster",
      "instance_type": "t3.micro",
      "environment": "dev",
      "server_text": "Hello from Day 16",
    },
  })
  defer terraform.Destroy(t, terraformOptions)
  terraform.InitAndApply(t, terraformOptions)
  albDnsName := terraform.Output(t, terraformOptions, "alb_dns_name")
  url := "http://" + albDnsName
  http_helper.HttpGetWithRetryWithCustomValidation(t, url, nil, 60, 10*time.Second, func(statusCode int, body string) bool {
    return statusCode == 200 && strings.Contains(body, "Hello from Day 16")
  })
}

Practical Applications

• System: AWS Cost Management. Use case: Centralized tagging for resources to improve cost-center tracking. Pitfall: Hardcoding tags in every resource leads to inconsistent metadata and billing inaccuracies.
• System: Auto Scaling Groups. Use case: Implementing create_before_destroy to ensure zero-downtime updates. Pitfall: Default resource destruction before creation can cause service outages during rolling updates.
• System: CI/CD Pipelines. Use case: Using Go-based Terratest for automated validation of infrastructure state before merge. Pitfall: Relying only on manual ‘terraform apply’ checks fails to catch regressions in complex environments.

References:

• https://dev.to/mary_mutua_9d55b3c269f343/creating-production-grade-infrastructure-with-terraform-255