Terraform

Terraform for Environment Management

Terraform is an infrastructure-as-code (IaC) tool that lets you define, provision, and change environments through declarative files. Instead of clicking through cloud consoles, you model everything—networks, compute, databases, DNS, even some SaaS resources—in version-controlled code. Teams adopt it because it’s repeatable, reviewable, and auditable across dev, test, staging, and prod.

Core building blocks (what you need to know first)

Terraform is an infrastructure-as-code tool that lets you define, provision, and change environments through declarative files. Instead of clicking through cloud consoles, you model everything—networks, compute, databases, DNS, even some SaaS resources—in version-controlled configurations. Teams adopt it because it’s repeatable, reviewable, and auditable across development, test, staging, and production.

Core building blocks (what you need to know first)

Configuration uses the HashiCorp Configuration Language (HCL). You’ll create one or more Terraform files that declare which providers (AWS, Azure, GCP, Kubernetes, Datadog, and so on) you need, which resources to create, what variables you’ll pass in, and which outputs to publish for downstream use.

Providers are plugins that talk to external APIs. You declare the providers you require and configure them, typically with a region and credentials. Each provider offers its own set of resources and arguments.

Terraform tracks the real-world objects it manages in a state file. For team use, store that state remotely (for example, in an object store or a managed Terraform service) so everyone sees the same truth and concurrent edits are locked.

The day-to-day loop is simple: initialize to install providers and configure the backend; plan to see the diff between your code and reality; and apply to make changes.

Designing your environment strategy

Most teams choose one of three patterns for multiple environments (development, staging, production) and stick to it:

1. Workspaces in the CLI. You reuse the same configuration for all environments but keep separate state per workspace. Switching workspaces also switches state, which prevents cross-talk.
2. A directory per environment (sometimes called multiple roots). You keep envs/dev, envs/stage, and envs/prod as separate roots with their own backends and variables. This maximizes isolation and gives you explicit, per-environment reviews—popular in regulated settings.
3. Managed platform workspaces. If you use a hosted or self-managed Terraform platform, create one workspace per environment and run plans/applies remotely with RBAC, VCS integrations, and policy gates.

No matter which pattern you pick, the non-negotiable is separate state per environment and guardrails that prevent mistakes from spilling across environments.

Remote state and backends (collaboration, safety, and locks)

Configure a backend in your root module so state lives in a shared, resilient location. Backends determine where state is stored and, in many cases, how it is locked to prevent concurrent modification. Some remote backends can also execute plans and applies on the server side while streaming logs to your terminal.

As a mental example, an S3-style backend would point at a bucket named “my-company-tfstate,” store an object at a path like “network/terraform.tfstate,” and set a region such as “us-east-1.” For locking, you could add a DynamoDB table (or the equivalent in your platform) to prevent two engineers from applying at the same time.

Backends exist for many stores—object storage in each cloud, managed Terraform services, and others—so pick what your platform team supports and can secure.

Modules (reusable building blocks)

As your footprint grows, factor repeated patterns (for example, VPCs, AKS/EKS clusters, monitoring) into modules. A module is simply a directory with your configuration, inputs, and outputs. You reference it from other configurations and pin it to a specific version or tag. This keeps environments consistent, reduces copy-paste, and lets you roll upgrades deliberately.

Good module hygiene looks like this: a standard structure; clear variable names and sensible defaults; as few required inputs as possible; documented outputs; and a short, human-readable README so other teams can adopt it safely.

A concrete example of “calling” a module without showing code: imagine a VPC module stored in your organization’s Git repository at a tag named v1.4.2. When you reference it, you pass parameters such as “name” set to the environment name, “cidr” set to the VPC CIDR block, and “az_count” set to 3.

Variables, tfvars, and secrets (parameterizing environments)

Variables let you reuse the same configuration with different inputs by environment—regions, CIDR blocks, instance sizes, and so on. Declare variables in a variables file, then provide values via separate tfvars files, command-line flags, or environment variables prefixed with TF_VAR_. A common pattern is to keep dev.tfvars, stage.tfvars, and prod.tfvars and load the appropriate file when planning and applying.

For example, you might define variables named env, region, vpc_cidr, and db_pass (marking db_pass as sensitive). In the dev.tfvars file, env would be “dev,” region might be “us-central1,” and vpc_cidr something like “10.50.0.0/16.” At runtime, you could export TF_VAR_db_pass from a secure secret manager so it never appears in plaintext files.

Two useful reminders: variables are inputs into modules and root configurations, while outputs are like return values; and TF_VAR-prefixed environment variables are read automatically by the CLI.

A minimal, end-to-end workflow

1. Scaffold a repository. Create a main Terraform file, a variables file, and configure your backend. In the main file, declare your required provider (for instance, the AWS provider at a specific major version), configure it with a region variable, and declare a trivial resource such as a storage bucket whose name includes the environment. The provider block ensures Terraform can install the plugin, and the provider’s documentation tells you exactly which arguments it supports.
2. Initialize and validate. Run initialization to download providers and set up the backend, then format and validate the configuration. This catches obvious configuration errors early and standardizes the file layout.
3. Create environment state.
   • With CLI workspaces: create a new workspace for “dev,” then run a plan and an apply while supplying dev.tfvars. Because each workspace maintains its own state, development will not collide with production.
   • With directory roots: run the same plan/apply flow from the envs/dev directory (which has its own backend and variables), then repeat from envs/prod.
   • With a managed platform: create one workspace per environment, connect your repository, and enable remote plans/applies with approvals if needed.
4. Promote safely. Pin module versions (for example, a module reference at tag v1.4.2) and pin provider versions (for example, “any 5.x version”). Promote the same code from development to staging to production by reusing it with different variable files. Version pins make rollbacks predictable.
5. Operate and iterate. Run plans regularly to detect drift between code and reality. Keep state remote and locked to avoid parallel-apply accidents. If something ever goes truly sideways, you can pull and push state manually—just treat manual edits as a last resort with proper peer review.

Workspaces vs. directories: how to choose

Prefer workspaces when environments are nearly identical and you want the smallest surface area of files to maintain. You’ll have one configuration and isolated state per workspace, which keeps things simple.

Prefer directories (or separate repositories) when environments differ meaningfully in topology, policies, or dependencies—or when you need stricter blast-radius control and independent change cadence.

Prefer managed workspaces if you want remote execution, RBAC, policy checks, and approvals without building that glue yourself.

Many enterprises blend these ideas: they keep separate roots for major stacks (for example, network, platform, applications) and then use workspaces within each root for development, staging, and production.

Guardrails and good habits

• Use remote state everywhere. Local state is fine for experiments, but teams should store state remotely with locking in place.
• Be disciplined about modules. Factor shared patterns into modules, document inputs and outputs, and adopt naming and layout conventions so others can reuse them confidently.
• Parameterize differences. Keep environment-specific values in tfvars files or workspace variables, not hard-coded in the configuration, and mark secrets as sensitive while passing them via secure mechanisms.
• Pin versions. Pin providers and modules to avoid surprise upgrades and to make rollbacks simple.
• Document the contract. A short README that explains inputs, outputs, prerequisites, and how to run plan/apply saves hours and reduces misconfigurations.

Putting it all together

Managing environments with Terraform boils down to a handful of practices used together. Declare your infrastructure in code. Keep state separate per environment—whether that’s via workspaces, directories, or a managed platform—and store it remotely with locking. Parameterize differences through variables and tfvars files. Reuse battle-tested modules and pin versions so promotions are predictable. When you follow this approach, you gain repeatability for daily work, traceability for audits, and the confidence to promote the exact same, versioned code from development all the way to production.