IaC on Ansuman Satapathyhttps://ansuman-satapathy.github.io/categories/iac/Recent content in IaC on Ansuman SatapathyHugoen-usSun, 25 Jan 2026 20:30:00 +0530Terraform Best Practices: How to Not Nuke Productionhttps://ansuman-satapathy.github.io/blog/terraform-best-practices-how-not-to-nuke-production/Sun, 25 Jan 2026 20:30:00 +0530https://ansuman-satapathy.github.io/blog/terraform-best-practices-how-not-to-nuke-production/<p>Writing Terraform is easy. Managing Terraform at scale without destroying your company’s infrastructure is hard.</p> <p>If your idea of &ldquo;state management&rdquo; is a file on your laptop named <code>terraform.tfstate.backup2</code>, stop. Here are some tips to not embarrass yourself in front of management.</p> <h3 id="1-remote-state-is-non-negotiable">1. Remote State is Non-Negotiable</h3> <p>If you work on a team (or ever plan to), your state file cannot live on your local machine.</p> <ul> <li><strong>The Problem:</strong> If two people run <code>terraform apply</code> at the same time with different local states, you get a race condition that corrupts everything.</li> <li><strong>The Fix:</strong> Use a <strong>Remote Backend</strong> (like AWS S3).</li> <li><strong>The Lock:</strong> Use <strong>DynamoDB</strong> for state locking. This prevents &ldquo;Person B&rdquo; from writing to the state while &ldquo;Person A&rdquo; is still deploying.</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-hcl" data-lang="hcl"><span style="display:flex;"><span><span style="color:#75715e"># backend.tf </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">terraform</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">backend</span> <span style="color:#e6db74">&#34;s3&#34;</span> { </span></span><span style="display:flex;"><span> bucket <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;my-corp-terraform-state&#34;</span> </span></span><span style="display:flex;"><span> key <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;prod/app-server/terraform.tfstate&#34;</span> </span></span><span style="display:flex;"><span> region <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;us-east-1&#34;</span> </span></span><span style="display:flex;"><span> dynamodb_table <span style="color:#f92672">=</span> <span style="color:#e6db74">&#34;terraform-state-locks&#34;</span> </span></span><span style="display:flex;"><span> encrypt <span style="color:#f92672">=</span> <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><img src="fear.png" alt="Fear" style="width: 100%; height: auto; border-radius: 8px;"> *Fig: Actual footage of a DevOps engineer looking at a local state file.* <h3 id="2-keep-it-dry-dummy">2. Keep it DRY Dummy!</h3> <p>Stop Copy-Pasting resource blocks. If you need 5 web servers, do not write the <code>aws_instance</code> block 5 times. Use <strong>Modules</strong>.</p>