Terraform Conventions
We use Terraform to maintain infrastructure as code.
State Backends
On AWS, we use the S3 backend for Terraform state. We create a separate backend bucket for each AWS account. Terraform state should be encrypted using unique, customer-managed KMS keys. The S3 object key for each module's state should reflect that module's path within the infrastructure repository.
You can use the Terraform state backend CloudFormation template to create a secure Terraform state backend for each AWS account. When using Control Tower, you can use customizations for Control Tower to create a Terraform state backend as part of the baseline for each account.
The landing zone template repository comes with configuration for Terraform state backends.
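A backend block that follows the conventions above, as an added example rather than configuration taken from the landing zone template repository. The bucket name, region, account ID, KMS key ARN, module path (networking/vpc), and the terraform.tfstate suffix are all assumed placeholders.

```hcl
# Added example: every name, ID, and path below is a constructed placeholder.
# Assumed module location in the infrastructure repository: networking/vpc
terraform {
  backend "s3" {
    # One state bucket per AWS account (placeholder account ID in the name).
    bucket = "example-terraform-state-111111111111"
    region = "us-east-1"

    # The object key mirrors the module's path in the repository, so each
    # module's state lands at a predictable location that cannot collide
    # with another module's state. The file name suffix is an assumption.
    key = "networking/vpc/terraform.tfstate"

    # Encrypt state at rest with a customer-managed KMS key. Setting
    # encrypt = true without kms_key_id would fall back to S3-managed
    # encryption instead of the customer-managed key.
    encrypt    = true
    kms_key_id = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"

    # Principals that run Terraform need kms:Encrypt, kms:Decrypt, and
    # kms:GenerateDataKey on this key in addition to access to the bucket.
  }
}
```

Backend blocks cannot reference variables or locals, so these values are written as literals or supplied at init time with -backend-config.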
Filenames
| Configuration for the state backend |
| Resources, data sources, modules, and locals |
| Outputs |
| Configuration for Terraform providers |
| Variables |
| Required Terraform and provider versions |
Formatting
All files should be formatted using terraform fmt.