Infrastructure as Code for Landing Zones

Introduction

Managing cloud infrastructure at scale has taught me that manual deployments simply don't scale beyond a handful of accounts.

Working with organizations rapidly growing their cloud footprint, I've seen the limitations of manual console-based configuration:

Inconsistent configurations across accounts
No audit trail of infrastructure changes
Changes deployed directly to production without validation
Difficult rollback when mistakes occur
Slow provisioning times (hours or days per account)
Configuration drift over time
Compliance audit failures due to inconsistencies

The root problem was treating infrastructure as something to click through rather than code to manage. What works for 5 accounts becomes unmanageable at 50+ accounts.

Through implementing Infrastructure as Code (IaC) across various landing zone projects, I've learned that IaC is the only sustainable way to manage cloud infrastructure at scale. It provides consistency, auditability, testability, and automation that manual processes cannot achieve.

This article shares the IaC patterns and practices I've developed - covering Terraform module architecture, state management strategies, CI/CD pipelines for infrastructure, testing approaches, and how to maintain configuration consistency across many accounts.

Why IaC for Landing Zones

The Problems IaC Solves

Problem

Manual Approach

IaC Approach

Consistency

Each account different

Identical configuration

Auditability

No change history

Git commit history

Testing

Test in production

Validate before deploy

Rollback

Manual, error-prone

git revert + redeploy

Scale

Linear effort (40h × N)

Constant effort (15min regardless of N)

Documentation

Outdated wikis

Code is documentation

Collaboration

Ticket-driven

Pull request workflow

Compliance

Manual audits

Automated validation

IaC Benefits for Landing Zones

1. Consistency at Scale

# Deploy identical configuration to 100 accounts
module "landing_zone" {
  source = "./modules/landing-zone-account"
  
  for_each = var.accounts
  
  account_name = each.value.name
  environment  = each.value.environment
  cost_center  = each.value.cost_center
}

2. Version Control

# Complete history of all infrastructure changes
git log --oneline modules/landing-zone-account/

a3c8f91 Enable GuardDuty with S3 protection
b2d7e82 Add encryption requirements to S3 buckets
c1e6f73 Implement VPC flow logs retention policy
d0f5g64 Configure CloudTrail with multi-region support

3. Automated Testing

# Validate before deploying
terraform validate
terraform plan
tflint
checkov -d .
terratest

4. Rapid Rollback

# Rollback in 5 minutes
git revert HEAD
terraform apply -auto-approve

Terraform Module Architecture

Modular Structure

landing-zone-terraform/
├── modules/
│   ├── account-baseline/           # Core account configuration
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   ├── outputs.tf
│   │   ├── cloudtrail.tf
│   │   ├── guardduty.tf
│   │   ├── config.tf
│   │   └── README.md
│   ├── network-baseline/           # Standard VPC configuration
│   │   ├── main.tf
│   │   ├── vpc.tf
│   │   ├── subnets.tf
│   │   ├── route-tables.tf
│   │   ├── transit-gateway-attachment.tf
│   │   └── README.md
│   ├── security-baseline/          # IAM, SCPs, security services
│   │   ├── main.tf
│   │   ├── iam-roles.tf
│   │   ├── scps.tf
│   │   ├── kms.tf
│   │   └── README.md
│   ├── logging-baseline/           # Centralized logging
│   │   ├── main.tf
│   │   ├── cloudwatch.tf
│   │   ├── log-aggregation.tf
│   │   └── README.md
│   └── compliance-baseline/        # Config rules, compliance
│       ├── main.tf
│       ├── config-rules.tf
│       ├── security-hub.tf
│       └── README.md
├── environments/
│   ├── production/
│   │   ├── main.tf
│   │   ├── accounts.tf
│   │   ├── backend.tf
│   │   └── terraform.tfvars
│   ├── staging/
│   └── development/
├── organization/
│   ├── main.tf
│   ├── organizational-units.tf
│   ├── accounts.tf
│   ├── scps.tf
│   └── service-control-policies/
│       ├── require-encryption.json
│       ├── restrict-regions.json
│       └── prevent-public-access.json
├── shared-services/
│   ├── transit-gateway/
│   ├── log-archive/
│   └── dns/
└── tests/
    ├── account_baseline_test.go
    ├── network_baseline_test.go
    └── security_baseline_test.go

Root Module Pattern

# environments/production/main.tf

terraform {
  required_version = ">= 1.5.0"
  
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
  
  backend "s3" {
    bucket         = "company-terraform-state"
    key            = "production/landing-zone/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-state-lock"
    
    # Assume role in central account
    role_arn = "arn:aws:iam::123456789012:role/TerraformStateMgmt"
  }
}

provider "aws" {
  region = var.region
  
  assume_role {
    role_arn = "arn:aws:iam::${var.account_id}:role/OrganizationAccountAccessRole"
  }
  
  default_tags {
    tags = {
      ManagedBy   = "Terraform"
      Environment = "production"
      Repository  = "landing-zone-terraform"
    }
  }
}

# Deploy account baseline to all production accounts
module "production_accounts" {
  source = "../../modules/account-baseline"
  
  for_each = var.production_accounts
  
  account_name = each.value.name
  account_id   = each.value.id
  environment  = "production"
  cost_center  = each.value.cost_center
  
  # Security configuration
  enable_guardduty    = true
  enable_security_hub = true
  enable_cloudtrail   = true
  enable_config       = true
  
  # Networking
  vpc_cidr             = each.value.vpc_cidr
  transit_gateway_id   = var.transit_gateway_id
  dns_resolver_endpoints = var.dns_resolver_endpoints
  
  # Compliance
  config_rules        = var.compliance_config_rules
  required_tags       = var.required_tags
  log_retention_days  = 2555  # 7 years
}

# Deploy network baseline
module "production_networks" {
  source = "../../modules/network-baseline"
  
  for_each = var.production_accounts
  
  account_id         = each.value.id
  vpc_cidr           = each.value.vpc_cidr
  availability_zones = var.availability_zones
  
  # Transit Gateway attachment
  transit_gateway_id = var.transit_gateway_id
  route_to_on_prem   = true
  
  # Network security
  enable_vpc_flow_logs = true
  flow_log_retention   = 90
  
  # Subnetting
  public_subnets  = each.value.public_subnets
  private_subnets = each.value.private_subnets
  database_subnets = each.value.database_subnets
}

Account Baseline Module

# modules/account-baseline/main.tf

variable "account_name" {
  description = "Name of the AWS account"
  type        = string
}

variable "account_id" {
  description = "AWS Account ID"
  type        = string
}

variable "environment" {
  description = "Environment (production, staging, development)"
  type        = string
}

variable "enable_guardduty" {
  description = "Enable AWS GuardDuty"
  type        = bool
  default     = true
}

variable "enable_cloudtrail" {
  description = "Enable AWS CloudTrail"
  type        = bool
  default     = true
}

variable "log_retention_days" {
  description = "CloudWatch Logs retention in days"
  type        = number
  default     = 90
}

# CloudTrail configuration
resource "aws_cloudtrail" "main" {
  count = var.enable_cloudtrail ? 1 : 0
  
  name                          = "${var.account_name}-trail"
  s3_bucket_name               = var.central_log_bucket
  include_global_service_events = true
  is_multi_region_trail        = true
  enable_log_file_validation   = true
  
  event_selector {
    read_write_type           = "All"
    include_management_events = true
    
    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3:::*/*"]
    }
  }
  
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.cloudtrail[0].arn}:*"
  cloud_watch_logs_role_arn  = aws_iam_role.cloudtrail_cloudwatch[0].arn
}

# GuardDuty
resource "aws_guardduty_detector" "main" {
  count = var.enable_guardduty ? 1 : 0
  
  enable = true
  
  datasources {
    s3_logs {
      enable = true
    }
    kubernetes {
      audit_logs {
        enable = true
      }
    }
    malware_protection {
      scan_ec2_instance_with_findings {
        ebs_volumes {
          enable = true
        }
      }
    }
  }
}

# AWS Config
resource "aws_config_configuration_recorder" "main" {
  name     = "${var.account_name}-config-recorder"
  role_arn = aws_iam_role.config.arn
  
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

resource "aws_config_delivery_channel" "main" {
  name           = "${var.account_name}-config-delivery"
  s3_bucket_name = var.config_s3_bucket
  
  snapshot_delivery_properties {
    delivery_frequency = "TwentyFour_Hours"
  }
  
  depends_on = [aws_config_configuration_recorder.main]
}

resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.main.name
  is_enabled = true
  
  depends_on = [aws_config_delivery_channel.main]
}

# Security Hub
resource "aws_securityhub_account" "main" {
  count = var.enable_security_hub ? 1 : 0
}

resource "aws_securityhub_standards_subscription" "cis" {
  count         = var.enable_security_hub ? 1 : 0
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0"
  
  depends_on = [aws_securityhub_account.main]
}

resource "aws_securityhub_standards_subscription" "pci_dss" {
  count         = var.enable_security_hub ? 1 : 0
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
  
  depends_on = [aws_securityhub_account.main]
}

# Default encryption for EBS volumes
resource "aws_ebs_encryption_by_default" "main" {
  enabled = true
}

# S3 account-level public access block
resource "aws_s3_account_public_access_block" "main" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CloudWatch Log Group for CloudTrail
resource "aws_cloudwatch_log_group" "cloudtrail" {
  count             = var.enable_cloudtrail ? 1 : 0
  name              = "/aws/cloudtrail/${var.account_name}"
  retention_in_days = var.log_retention_days
  
  kms_key_id = aws_kms_key.cloudwatch_logs.arn
}

# KMS key for CloudWatch Logs encryption
resource "aws_kms_key" "cloudwatch_logs" {
  description             = "KMS key for CloudWatch Logs encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "Enable IAM User Permissions"
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::${var.account_id}:root"
        }
        Action   = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "Allow CloudWatch Logs"
        Effect = "Allow"
        Principal = {
          Service = "logs.${data.aws_region.current.name}.amazonaws.com"
        }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*",
          "kms:CreateGrant",
          "kms:DescribeKey"
        ]
        Resource = "*"
        Condition = {
          ArnLike = {
            "kms:EncryptionContext:aws:logs:arn" = "arn:aws:logs:${data.aws_region.current.name}:${var.account_id}:*"
          }
        }
      }
    ]
  })
}

resource "aws_kms_alias" "cloudwatch_logs" {
  name          = "alias/${var.account_name}-cloudwatch-logs"
  target_key_id = aws_kms_key.cloudwatch_logs.key_id
}

# Outputs
output "cloudtrail_arn" {
  description = "ARN of the CloudTrail"
  value       = var.enable_cloudtrail ? aws_cloudtrail.main[0].arn : null
}

output "guardduty_detector_id" {
  description = "GuardDuty detector ID"
  value       = var.enable_guardduty ? aws_guardduty_detector.main[0].id : null
}

output "config_recorder_id" {
  description = "AWS Config recorder ID"
  value       = aws_config_configuration_recorder.main.id
}

State Management Strategies

Remote State with S3 + DynamoDB

# Create S3 bucket for Terraform state
resource "aws_s3_bucket" "terraform_state" {
  bucket = "company-terraform-state"
  
  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_s3_bucket_versioning" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "terraform_state" {
  bucket = aws_s3_bucket.terraform_state.id
  
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# DynamoDB table for state locking
resource "aws_dynamodb_table" "terraform_state_lock" {
  name           = "terraform-state-lock"
  billing_mode   = "PAY_PER_REQUEST"
  hash_key       = "LockID"
  
  attribute {
    name = "LockID"
    type = "S"
  }
  
  server_side_encryption {
    enabled = true
  }
  
  point_in_time_recovery {
    enabled = true
  }
  
  lifecycle {
    prevent_destroy = true
  }
}

State Isolation Strategies

Strategy 1: Separate State Files per Account

# Production Account 1
backend "s3" {
  bucket = "company-terraform-state"
  key    = "accounts/production/account-001/terraform.tfstate"
  region = "us-east-1"
}

# Production Account 2
backend "s3" {
  bucket = "company-terraform-state"
  key    = "accounts/production/account-002/terraform.tfstate"
  region = "us-east-1"
}

Strategy 2: Workspaces

# Create workspaces
terraform workspace new production-account-001
terraform workspace new production-account-002

# Switch workspace
terraform workspace select production-account-001

# State file: company-terraform-state/env:/production-account-001/terraform.tfstate

Strategy 3: Separate Backends per Layer

State File Strategy:
├── organization.tfstate          # Organization, OUs, SCPs
├── shared-services/
│   ├── transit-gateway.tfstate   # Transit Gateway
│   ├── log-archive.tfstate       # Central logging
│   └── dns.tfstate               # Route53 DNS
└── accounts/
    ├── prod-001.tfstate          # Account baseline
    ├── prod-002.tfstate
    └── dev-001.tfstate

CI/CD Pipelines for Infrastructure

GitHub Actions Pipeline

# .github/workflows/terraform-deploy.yml
name: Terraform Deploy

on:
  push:
    branches: [main]
    paths:
      - 'environments/**'
      - 'modules/**'
  pull_request:
    branches: [main]
    paths:
      - 'environments/**'
      - 'modules/**'

env:
  TF_VERSION: 1.6.0
  AWS_REGION: us-east-1

jobs:
  validate:
    name: Validate Terraform
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: ${{ env.TF_VERSION }}
      
      - name: Terraform Format Check
        run: terraform fmt -check -recursive
      
      - name: Terraform Init
        run: |
          cd environments/production
          terraform init -backend=false
      
      - name: Terraform Validate
        run: |
          cd environments/production
          terraform validate
  
  tflint:
    name: TFLint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - uses: terraform-linters/setup-tflint@v3
        with:
          tflint_version: latest
      
      - name: Initialize TFLint
        run: tflint --init
      
      - name: Run TFLint
        run: tflint -f compact
  
  checkov:
    name: Checkov Security Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          framework: terraform
          output_format: sarif
          output_file_path: checkov-results.sarif
      
      - name: Upload Checkov results
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: checkov-results.sarif
  
  plan:
    name: Terraform Plan
    runs-on: ubuntu-latest
    needs: [validate, tflint, checkov]
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v3
      
      - uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: ${{ env.TF_VERSION }}
      
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsTerraform
          aws-region: ${{ env.AWS_REGION }}
      
      - name: Terraform Init
        run: |
          cd environments/production
          terraform init
      
      - name: Terraform Plan
        id: plan
        run: |
          cd environments/production
          terraform plan -no-color -out=tfplan
          terraform show -no-color tfplan > plan-output.txt
      
      - name: Comment Plan on PR
        uses: actions/github-script@v6
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const plan = fs.readFileSync('environments/production/plan-output.txt', 'utf8');
            const output = `#### Terraform Plan 📖
            
            <details><summary>Show Plan</summary>
            
            \`\`\`terraform
            ${plan}
            \`\`\`
            
            </details>
            
            *Triggered by: @${{ github.actor }}*`;
            
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            });
  
  apply:
    name: Terraform Apply
    runs-on: ubuntu-latest
    needs: [validate, tflint, checkov]
    if: github.ref == 'refs/heads/main'
    environment:
      name: production
      url: https://console.aws.amazon.com
    steps:
      - uses: actions/checkout@v3
      
      - uses: hashicorp/setup-terraform@v2
        with:
          terraform_version: ${{ env.TF_VERSION }}
      
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsTerraform
          aws-region: ${{ env.AWS_REGION }}
      
      - name: Terraform Init
        run: |
          cd environments/production
          terraform init
      
      - name: Terraform Apply
        run: |
          cd environments/production
          terraform apply -auto-approve
      
      - name: Notify Slack
        uses: slackapi/slack-github-action@v1
        if: always()
        with:
          webhook-url: ${{ secrets.SLACK_WEBHOOK }}
          payload: |
            {
              "text": "Terraform deployment completed",
              "blocks": [
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": "✅ *Terraform Apply Successful*\n\nCommit: ${{ github.sha }}\nActor: ${{ github.actor }}"
                  }
                }
              ]
            }

Atlantis for Pull Request Automation

# atlantis.yaml
version: 3
automerge: false
delete_source_branch_on_merge: true

projects:
  - name: production-accounts
    dir: environments/production
    workspace: default
    terraform_version: v1.6.0
    autoplan:
      when_modified:
        - "**/*.tf"
        - "**/*.tfvars"
      enabled: true
    apply_requirements:
      - approved
      - mergeable
    workflow: production
  
  - name: staging-accounts
    dir: environments/staging
    workspace: default
    terraform_version: v1.6.0
    autoplan:
      when_modified:
        - "**/*.tf"
        - "**/*.tfvars"
      enabled: true
    workflow: staging

workflows:
  production:
    plan:
      steps:
        - init
        - plan:
            extra_args: ["-lock=false"]
    apply:
      steps:
        - run: echo "Deploying to production..."
        - apply
        - run: |
            curl -X POST $SLACK_WEBHOOK \
              -H 'Content-Type: application/json' \
              -d '{"text":"Production infrastructure updated"}'
  
  staging:
    plan:
      steps:
        - init
        - plan
    apply:
      steps:
        - apply

Testing Infrastructure Code

Terraform Validate and Plan

# Syntax validation
terraform validate

# Plan (dry run)
terraform plan

# Plan with specific var file
terraform plan -var-file=prod.tfvars

TFLint for Best Practices

# Install TFLint
curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash

# .tflint.hcl
plugin "aws" {
  enabled = true
  version = "0.27.0"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

rule "aws_instance_invalid_type" {
  enabled = true
}

rule "aws_instance_previous_type" {
  enabled = true
}

rule "terraform_deprecated_interpolation" {
  enabled = true
}

rule "terraform_documented_variables" {
  enabled = true
}

# Run TFLint
tflint --init
tflint

Checkov for Security

# Install Checkov
pip install checkov

# Scan Terraform code
checkov -d .

# Scan specific directory
checkov -d modules/account-baseline

# Output to SARIF for GitHub integration
checkov -d . --framework terraform --output sarif > results.sarif

Terratest for Integration Testing

// tests/account_baseline_test.go
package test

import (
    "testing"
    "github.com/gruntwork-io/terratest/modules/terraform"
    "github.com/stretchr/testify/assert"
)

func TestAccountBaseline(t *testing.T) {
    t.Parallel()
    
    terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
        TerraformDir: "../modules/account-baseline",
        Vars: map[string]interface{}{
            "account_name":      "test-account",
            "account_id":        "123456789012",
            "environment":       "test",
            "enable_guardduty":  true,
            "enable_cloudtrail": true,
        },
        NoColor: true,
    })
    
    defer terraform.Destroy(t, terraformOptions)
    
    terraform.InitAndApply(t, terraformOptions)
    
    // Validate outputs
    cloudtrailArn := terraform.Output(t, terraformOptions, "cloudtrail_arn")
    assert.Contains(t, cloudtrailArn, "test-account-trail")
    
    guarddutyId := terraform.Output(t, terraformOptions, "guardduty_detector_id")
    assert.NotEmpty(t, guarddutyId)
}

func TestNetworkBaseline(t *testing.T) {
    t.Parallel()
    
    terraformOptions := &terraform.Options{
        TerraformDir: "../modules/network-baseline",
        Vars: map[string]interface{}{
            "account_id": "123456789012",
            "vpc_cidr":   "10.100.0.0/16",
            "availability_zones": []string{"us-east-1a", "us-east-1b"},
        },
    }
    
    defer terraform.Destroy(t, terraformOptions)
    
    terraform.InitAndApply(t, terraformOptions)
    
    vpcId := terraform.Output(t, terraformOptions, "vpc_id")
    assert.Regexp(t, "^vpc-", vpcId)
}

Run Tests:

cd tests
go test -v -timeout 30m

What I Learned About IaC

After that $280K manual deployment disaster and dozens of IaC implementations:

Lesson 1: IaC is Non-Negotiable at Scale

Manual deployments don't scale beyond 10-15 accounts.

Action: Terraform for all infrastructure, no exceptions.

Lesson 2: Modular Architecture Enables Reuse

Copy-paste Terraform code creates technical debt.

Action: Build reusable modules, version them, test them independently.

Lesson 3: State Management Makes or Breaks IaC

Lost state files = disaster. Corrupted state = hours of recovery.

Action: Remote state (S3), state locking (DynamoDB), versioning enabled, backups automated.

Lesson 4: CI/CD Prevents Production Incidents

Manual terraform apply in production = eventual disaster.

Action: All changes via pull requests, automated testing, approval requirements, automated deployment.

Lesson 5: Testing Infrastructure Code is Critical

Untested infrastructure changes cause outages.

Action: terraform validate, TFLint, Checkov, Terratest before production deployment.

Lesson 6: Versioning Modules Enables Safe Updates

Updating modules without versioning breaks everything.

Action: Semantic versioning for modules, module registry, changelog for breaking changes.

Lesson 7: Documentation in Code is Best Documentation

Wiki documentation goes stale immediately.

Action: Terraform code with comments, module READMEs, examples directory, ADRs in Git.

Lesson 8: Rollback Strategy Must Exist

Failed deployments without rollback plan = extended outages.

Action: Git-based rollback (git revert), tested rollback procedures, automated rollback for critical failures.

Next Up: Subscription/Account Vending

In Article 8, we'll cover account vending machines, self-service portals, automated provisioning workflows, and approval processes.

Ready to automate account creation? Let's go! 🏗️

PreviousMonitoring, Logging, and Operational Excellence NextAccount and Subscription Vending

Last updated 1 month ago

hashtagTable of Contents

hashtagIntroduction

hashtagWhy IaC for Landing Zones

hashtagThe Problems IaC Solves

hashtagIaC Benefits for Landing Zones

hashtagTerraform Module Architecture

hashtagModular Structure

hashtagRoot Module Pattern

hashtagAccount Baseline Module

hashtagState Management Strategies

hashtagRemote State with S3 + DynamoDB

hashtagState Isolation Strategies

hashtagCI/CD Pipelines for Infrastructure

hashtagGitHub Actions Pipeline

hashtagAtlantis for Pull Request Automation

hashtagTesting Infrastructure Code

hashtagTerraform Validate and Plan

hashtagTFLint for Best Practices

hashtagCheckov for Security

hashtagTerratest for Integration Testing

hashtagWhat I Learned About IaC

hashtagLesson 1: IaC is Non-Negotiable at Scale

hashtagLesson 2: Modular Architecture Enables Reuse

hashtagLesson 3: State Management Makes or Breaks IaC

hashtagLesson 4: CI/CD Prevents Production Incidents

hashtagLesson 5: Testing Infrastructure Code is Critical

hashtagLesson 6: Versioning Modules Enables Safe Updates

hashtagLesson 7: Documentation in Code is Best Documentation

hashtagLesson 8: Rollback Strategy Must Exist

Table of Contents