Terraform Module Library for Production Environments
🌍 Infrastructure as Code Written for the Third Time Around
There is a pattern to how teams develop Terraform code. The first time, they write everything from scratch: flat, monolithic configurations that work but aren’t reusable. The second time, they start to modularize, but modules are inconsistently designed, poorly documented, and accumulate workarounds rather than principled interfaces. The third time, after enough production incidents and scaling pains, they write it the right way: opinionated, well-bounded modules with validated inputs, documented outputs, security-appropriate defaults, and interfaces designed for long-term maintainability rather than immediate convenience.
Most teams don’t have the luxury of three iterations before their infrastructure needs to be production-grade. They’re operating production systems from the first version of their Terraform code, which means the quality of that first version has real operational consequences. Misconfigured S3 bucket policies become data exposure incidents. Missing state locking causes corruption from concurrent applies. Hardcoded AMI IDs fail silently after they’re deregistered. These are not theoretical risks. They are documented production failure modes that teams encounter regularly.
The Terraform Module Library for Production Environments gives teams the output of the third iteration without having to go through the first two. Every module in this library was designed with the lessons of production operation in mind: opinionated secure defaults, escape hatches for when defaults need to be overridden, validation blocks that fail at plan time rather than silently deploying wrong configuration, and documentation that explains the reasoning behind every non-obvious decision. This is infrastructure code built to survive real conditions.
📦 Full Digital Download Contents
100% digital. Instant delivery. No physical product. Your download contains:
Core Terraform Module Collection (25 modules organized into 5 domain directories)
Compute Modules (5 modules):
ec2-autoscaling-group: A complete Auto Scaling Group module with launch template (not the deprecated launch configuration), configurable scaling policies (target tracking, step scaling, scheduled scaling variants via variables), instance refresh configuration for rolling updates without downtime, instance metadata service v2 enforcement, detailed monitoring toggle, EBS volume encryption enforcement, and IAM instance profile wiring. Input variables include: AMI ID, instance type, desired/min/max capacity, VPC subnet IDs, security group IDs, user data, tags, and toggle variables for optional features.
ecs-fargate-service: ECS Fargate service module with task definition management, service auto-scaling via Application Auto Scaling, ALB target group attachment, service discovery via Cloud Map (optional), execution role and task role creation with least-privilege policies pre-built, environment variable and secret injection patterns (direct and from Secrets Manager), and health check configuration. Supports both awsvpc and bridge network modes.
lambda-function: Lambda function module covering function deployment from S3 or local archive source, IAM execution role with configurable additional policy attachments, environment variable management, dead letter queue configuration (SQS or SNS), VPC attachment (optional, with security group and subnet input), reserved concurrency configuration, X-Ray tracing toggle, and event source mapping support for SQS, DynamoDB streams, and Kinesis.
eks-node-group: Managed node group module for EKS with launch template integration, node group IAM role with required EKS policies and configurable additional policies, taint and label configuration, multiple instance type support for Spot capacity optimization, SSH key optional attachment, and AMI type selection (AL2, Bottlerocket, Windows).
batch-compute-environment: AWS Batch compute environment module for batch workload automation, with managed and unmanaged compute environment support, spot fleet configuration, job queue creation, and compute environment scaling parameters.
Networking Modules (5 modules):
vpc-tiered-subnets: A comprehensive VPC module creating public, private, and isolated (no internet access) subnet tiers across configurable availability zones, with: Internet Gateway, NAT Gateways (configurable per-AZ for high availability vs. single for cost optimization), route tables per tier, VPC flow logs to S3 or CloudWatch Logs, DHCP options configuration, and secondary CIDR block support. Input-validated CIDR block assignments with conflict detection.
security-group-factory: A security group module designed for composable, least-privilege security group creation. Supports programmatic ingress and egress rule definition via variable map inputs rather than individual resource blocks, security group rule referencing (allow from another security group, not just CIDR), and description enforcement on every rule.
alb-with-listeners: Application Load Balancer module with listener rule management, target group creation (with configurable health check parameters), HTTPS redirect rule, WAF ACL association (optional), access logging to S3, connection idle timeout configuration, and cross-zone load balancing control.
route53-management: Route53 zone and record management module with private hosted zone support, alias record creation for AWS services (ALB, CloudFront, S3), health check configuration, and weighted routing policy support.
cloudfront-distribution: CloudFront distribution module for static site and API acceleration with S3 origin and ALB origin support, custom cache behavior rules, origin access identity for S3 private bucket access, custom error response pages, price class configuration, and ACM certificate association.
Data and Storage Modules (5 modules):
rds-postgres: RDS PostgreSQL module with Multi-AZ toggle, read replica creation support, parameter group management, option group configuration, automated backup retention, deletion protection toggle, performance insights enablement, enhanced monitoring, CloudWatch log export configuration, IAM database authentication toggle, and subnet group creation. Storage encrypted with KMS CMK by default, with key ID input variable.
elasticache-redis: ElastiCache Redis module supporting both cluster mode disabled (replication group) and cluster mode enabled configurations, automatic failover, at-rest and in-transit encryption enforcement, auth token management via Secrets Manager, snapshot retention, maintenance window configuration, and parameter group management.
s3-bucket-opinionated: An S3 bucket module with production-appropriate defaults enforced and explicit overrides required to relax them: versioning enabled by default, server-side encryption with KMS by default, public access block all-true by default, access logging to a companion bucket, lifecycle rule management for storage class transitions and expiration, object lock configuration (optional), and event notification configuration for Lambda/SNS/SQS triggers.
dynamodb-autoscaling: DynamoDB table module with on-demand and provisioned capacity modes, Application Auto Scaling for read and write capacity when in provisioned mode, TTL configuration, global secondary index management via variable map input, point-in-time recovery enforcement, stream configuration, and server-side encryption with CMK.
secretsmanager-secret: Secrets Manager secret module with automatic rotation configuration (Lambda rotation function ARN input), resource policy for cross-account access, KMS key association, and replica creation for multi-region secret availability.
Security and IAM Modules (5 modules):
iam-role-factory: A reusable IAM role module accepting a trust policy document input and a list of managed policy ARNs plus inline policy document inputs, with automatic naming convention enforcement, permissions boundary support, and role session duration configuration.
kms-key-with-rotation: KMS CMK module with automatic rotation enabled by default, key policy template generation from input parameters (admin principals, user principals, service principals), multi-region key support (optional), and alias creation.
vpc-endpoint-gateway: VPC endpoint module for S3 and DynamoDB gateway endpoints, reducing data transfer costs and security surface for private subnet traffic to these services.
config-rule-pack: A set of AWS Config rules for compliance monitoring, covering: S3 public access, EBS encryption, RDS Multi-AZ, required tags, IAM password policy, CloudTrail enablement, and VPC flow logs. Configurable as a group via a single module call.
security-hub-baseline: AWS Security Hub enablement module with CIS AWS Foundations Benchmark standard activation, AWS Foundational Security Best Practices standard activation, and finding aggregation configuration for multi-account environments.
Observability Modules (5 modules):
cloudwatch-log-group: Log group module with KMS encryption by default, configurable retention period (validated against AWS-allowed values), subscription filter for Lambda log processing, and metric filter with alarm creation for common patterns (error rate, exception frequency).
cloudwatch-dashboard-scaffold: A CloudWatch dashboard module generating a standardized service dashboard with pre-built widget templates for: request count, error rate, latency percentiles, CPU/memory utilization, and a configurable custom metric widget section.
sns-alerting-topic: SNS topic module with KMS encryption, email and PagerDuty subscription support, and a companion CloudWatch alarm-to-SNS integration pattern for common alarm types.
cloudwatch-composite-alarm: Composite CloudWatch alarm module for building alarm hierarchies (page only when multiple related alarms fire simultaneously, reducing alert noise from correlated events).
xray-sampling-rules: X-Ray sampling rule management module for configuring trace sampling rates by service name, URL path, and HTTP method, enabling cost-controlled distributed tracing in production environments.
Terraform Variable Convention Library (.tf + .pdf documentation, 18 pages) A complete variable naming and typing convention reference with three components:
- variables.tf convention file: A reference variables.tf demonstrating every convention: naming patterns (resource type prefix, descriptive name, unit suffix where applicable), type constraints (using object() types for complex inputs rather than multiple flat variables), validation blocks with descriptive error messages, sensitive variable marking, and description field standards
- outputs.tf convention file: Reference output file demonstrating naming conventions, value vs. sensitive output distinctions, and description standards
- Convention PDF: An 18-page written guide explaining every convention decision, the rationale behind it, and examples of compliant and non-compliant usage
Remote State Configuration Templates (.tf, 4 backend variants) Production-ready backend configuration blocks for four state management approaches:
- S3 + DynamoDB (standard AWS): State bucket with versioning and encryption, DynamoDB lock table, workspace-keyed state paths
- S3 + DynamoDB (cross-account, for centralized state management): Assumes role in dedicated state account, with IAM policy examples for cross-account access
- Terraform Cloud: Workspace-aware configuration with organization and workspace name variables
- GitLab-managed Terraform state: HTTP backend configuration for GitLab’s built-in state management
Each template includes a companion terraform.tf versions file with provider version constraints and Terraform version requirements.
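As an added illustration (not one of the library's own templates), this is what the standard S3 + DynamoDB variant described above looks like together with its companion versions file. Backend blocks cannot read variables, so the bucket, table, key and KMS alias names are literal placeholders to replace.

```hcl
# Added example, not shipped with the library. Placeholders are marked.
terraform {
  required_version = ">= 1.3.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"   # pin a major version; upgrade deliberately
    }
  }

  backend "s3" {
    bucket = "example-org-terraform-state"       # placeholder: bucket with versioning + SSE-KMS
    key    = "network/vpc/terraform.tfstate"     # per-root-module state path
    region = "us-east-1"

    # State at rest is encrypted with a KMS CMK, not the S3 default key.
    encrypt    = true
    kms_key_id = "alias/terraform-state"         # placeholder KMS alias

    # DynamoDB lock table prevents two concurrent applies from corrupting state.
    # The table needs a string partition key named LockID.
    dynamodb_table = "example-org-terraform-locks"  # placeholder

    # Non-default workspaces store state under env/<workspace>/<key>,
    # which keeps dev/stage/prod state objects separate in one bucket.
    workspace_key_prefix = "env"
  }
}
```

For the cross-account variant, the same block gains an assume_role configuration pointing at the state account's role; the page's template supplies the matching IAM policy.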
Terragrunt DRY Scaffold Structure (directory template) A fully populated Terragrunt directory structure for managing multiple environments and regions without root module duplication. Includes: account-level terragrunt.hcl with remote state configuration, environment-level terragrunt.hcl with environment-specific inputs, and module-level terragrunt.hcl files demonstrating the dependency block pattern for inter-module value passing. Accompanied by a “Terragrunt vs. Workspaces” decision guide explaining when each approach is appropriate.
CI/CD Pipeline Templates (.yaml, GitHub Actions + GitLab CI) Four complete pipeline configuration files:
- GitHub Actions: PR Plan: Runs terraform init, validate, and plan on every PR, posts plan output as a PR comment using tfcmt, runs tflint and checkov security scan
- GitHub Actions: Merge Apply: Runs terraform apply on merge to main, with manual approval gate for production environment, posts apply summary as commit status
- GitLab CI: Plan + Apply: Equivalent GitLab CI pipeline with plan on MR, apply on merge with environment-protected manual trigger for production
- Drift Detection Workflow: Scheduled GitHub Actions workflow running plan against all configured workspaces weekly, creating a GitHub Issue with drift details when drift is detected
Terraform Best Practices Reference (.pdf, 42 pages) A comprehensive written reference covering every dimension of production-grade Terraform practice:
- State management philosophy (what belongs in state, state isolation strategy, state migration procedures)
- Module versioning and the registry pattern (using Git tags for version pinning, semantic versioning discipline)
- Secret handling patterns and what never to put in Terraform state
- Testing approaches for Terraform (Terratest patterns, terraform validate automation, plan snapshot testing)
- The upgrade path from Terraform 1.x to OpenTofu (feature parity reference, migration steps, compatibility notes)
- Cost estimation integration (Infracost setup and CI integration patterns)
- Tagging strategy and the business case for consistent resource tagging
✅ Key Features
Opinionated Defaults, Never Locked In: Every secure default in every module is implemented as a variable with a hardcoded secure default value that can be overridden with an explicit variable assignment. No module forces you into a configuration you can’t change; every module documents clearly what the default is and why it was chosen. Security discipline is enforced through defaults, not through rigidity.
Validated Inputs That Fail Fast: Critical inputs throughout the library include validation blocks with descriptive error messages. CIDR blocks are validated against format patterns. Instance type variables are validated against allowed value lists. Retention period inputs are validated against service-accepted values. This means misconfiguration errors surface at terraform plan time with a clear explanation, not at terraform apply time with a cryptic API error.
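The two properties above (overridable secure defaults, and validation that fails at plan time) together with the object() type and sensitive-marking conventions from the Variable Convention Library, shown in a hypothetical module's variables.tf. This is an added example, not code from the library; the variable names and the KMS ARN pattern are assumptions.

```hcl
# Added example (not the library's code). Requires Terraform >= 1.3 for optional().

variable "vpc_cidr_block" {
  description = "Primary IPv4 CIDR block for the VPC."
  type        = string

  validation {
    # can() turns a parse error into false, so a malformed block is rejected at plan time
    condition     = can(cidrhost(var.vpc_cidr_block, 0))
    error_message = "vpc_cidr_block must be a valid IPv4 CIDR, for example 10.0.0.0/16."
  }
}

variable "log_retention_days" {
  description = "CloudWatch Logs retention in days; only values the service accepts are allowed."
  type        = number
  default     = 90   # secure default, overridable

  validation {
    condition = contains([1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545,
      731, 1096, 1827, 2192, 2557, 2922, 3288, 3653], var.log_retention_days)
    error_message = "log_retention_days is not one of the retention periods CloudWatch Logs accepts."
  }
}

# One object() input instead of three flat variables. Every field defaults to the
# secure setting; a caller relaxes a single field explicitly and visibly in code review.
variable "bucket_security" {
  description = "Security posture of the bucket. Override a field only with a documented reason."
  type = object({
    versioning_enabled  = optional(bool, true)
    block_public_access = optional(bool, true)
    kms_key_arn         = optional(string)   # null = module creates and uses its own CMK
  })
  default = {}

  validation {
    # reject anything that is set but is not a KMS key ARN (pattern is an assumption)
    condition = (var.bucket_security.kms_key_arn == null
      || can(regex("^arn:aws[a-z-]*:kms:", var.bucket_security.kms_key_arn)))
    error_message = "bucket_security.kms_key_arn must be a KMS key ARN when set."
  }
}

variable "db_master_password" {
  description = "Master password; pass it from Secrets Manager, never from a committed tfvars file."
  type        = string
  sensitive   = true   # redacted from plan output and CLI display
}
```

A caller that needs a public website bucket writes `bucket_security = { block_public_access = false }`, which keeps versioning and KMS encryption on and leaves the exception visible in the diff.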
Complete Documentation at Every Layer: Every module directory includes a README.md auto-generated from the variable and output definitions using terraform-docs conventions. The README documents every input variable (name, type, description, default, required/optional), every output (name, description, sensitive), all resource types created, and usage examples. The documentation is a first-class artifact, not an afterthought.
🎯 Who This Library Is Built For
- Platform engineers building an internal Terraform module registry for self-service infrastructure provisioning
- DevOps engineers provisioning AWS infrastructure for production and needing a production-quality starting point
- SRE teams standardizing infrastructure patterns and enforcing security baselines across a service portfolio
- Backend engineers who write their own Terraform code and want a reference implementation to compare against and learn from
- Teams preparing for compliance reviews where infrastructure configuration is subject to audit and needs to be defensible
📈 What “Production-Ready” Infrastructure Actually Buys You
The difference between infrastructure that works and infrastructure that works reliably in production is measurable in incidents, audit findings, and engineering hours. Infrastructure built from this library starts with encryption enabled, least-privilege IAM configured, monitoring wired, and state management correct. These are not things that can be retrofitted cheaply. Changing encryption on an existing RDS instance requires replacement. Restructuring IAM permissions on running services is disruptive. Getting state management right after state corruption has occurred is expensive and sometimes impossible.
- Encryption defaults prevent the class of data exposure incidents caused by unencrypted storage
- Least-privilege IAM patterns limit the blast radius of credential compromise
- State locking prevents corruption from concurrent applies, which happens more often than teams expect
- Drift detection catches manual console changes before they cause plan/apply conflicts or security regressions
- Tagging enforcement makes cost attribution, incident scoping, and access auditing tractable from day one
💾 Digital Delivery and File Formats
Delivered as a structured ZIP archive with subdirectories organized by module domain, immediately upon purchase. No login, no subscription, no expiry.
| Included File | Format(s) |
|---|---|
| Module Collection (25 modules, 5 domains) | .tf (organized directories) |
| Variable Convention Library | .tf + .pdf |
| Remote State Config Templates (4 backends) | .tf |
| Terragrunt DRY Scaffold | directory template + .hcl |
| CI/CD Pipeline Templates (4 pipelines) | .yaml |
| Tagging Convention Module | .tf |
| Drift Detection Workflow | .yaml |
| Terraform Best Practices Reference (42 pages) | .pdf |