About
The mission of the LADOJ Experience Builder Terraform tool is twofold:
- Collect Terraform DevOps contribution opportunities to a central place
- Improve the consistency, quality, and security of publicly available Terraform code
If you search for “terraform best practices”, you will receive many results about how to structure a code repository, how to style the code, and what kind of workflows to use to deploy.
Searching for “terraform testing best practices” returns far fewer relevant results. There is a surprising lack of content on the best ways to test and validate Terraform code.
This lack of content translates to a lack of testing for a large majority of public Terraform repositories on GitHub. Luckily, that means there are many opportunities to contribute testing functionality to these projects.
The LADOJ Experience Builder Terraform repository module is an evaluation tool that interrogates public GitHub repositories. The purpose of the tool is to identify opportunities for aspiring DevOps engineers to contribute DevOps capabilities to Terraform repositories.
Evaluation
There are very few published DevOps best practices for Terraform. Many guides only focus on Terraform coding styles, patterns, and formats. The ones that do exist are typically written by the tool owners.
The bare minimum functionality of a code pipeline is to perform static code analysis (SCA). This can include linting, unit testing, and vulnerability scanning.
Given that Terraform is a domain-specific language (DSL), linting is fairly straightforward and opinionated. Only a few tools exist that perform Terraform code linting.
Security scanning of Terraform differs from scanning typical programming languages. Instead of searching for vulnerabilities within the code itself, scanners identify Terraform code that would generate insecure infrastructure, such as a security group that is open to the world.
This tool evaluates common CICD framework configurations in a Terraform repository to determine if they are configured to execute security scanning and linting.
CICD Tool Configuration Files
GitHub’s GraphQL API is queried to return the contents of the following directories and files:
.github/workflows/
Jenkinsfile
.circleci/
The contents are evaluated to determine if any of the tools in the following sections are properly configured and being used to enforce best practices.
Security Scanning
Security scanning of Terraform HCL code prevents unwanted or insecure configurations from being created in your infrastructure.
Some tools come with prebuilt policies. Others are highly configurable and require the administrator to define all their policies from scratch.
The most common example of why security scanning is important is the accidental creation of an S3 bucket with public access policies.
Security Scanning Tools
A given repository is checked for the use of several security scanning tools:
Linting
Linting of Terraform HCL code is a very fast way to:
- Find possible errors (like invalid instance types) for the major cloud providers (AWS/Azure/GCP).
- Warn about deprecated syntax and unused declarations.
- Enforce best practices and naming conventions.
Linting Tools
The only supported Terraform linting tool is:
Use of the terraform fmt command is also evaluated.
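As an added example (not the LADOJ tool's own code), a Python check in the spirit of the evaluation described above: it scans the raw text of a CI configuration file for evidence of security scanning, linting, and an enforcing terraform fmt -check, and reports the capabilities a contributor could still add. The tool names, regex patterns and the two sample workflows are assumptions and constructed input; the page does not list which scanners the real tool recognises.

```python
import re

# Assumed detection patterns (not the LADOJ tool's own list): each regex is
# matched against every non-comment line of a CI configuration file.
PATTERNS = {
    "security_scan": [r"\btfsec\b", r"\bcheckov\b", r"\bterrascan\b"],
    "lint": [r"\btflint\b"],
    # a plain `terraform fmt` rewrites files; only `-check` makes CI fail
    "fmt_check": [r"terraform\s+fmt\b.*-check"],
}

def active_lines(text):
    """Yield lines with YAML '#' and Groovy '//' comments removed."""
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#|^\s*//", raw, maxsplit=1)[0]
        if line.strip():
            yield line

def evaluate(text):
    """Return {capability: bool} for one CI configuration's raw text."""
    lines = list(active_lines(text))
    return {
        cap: any(re.search(p, ln) for p in pats for ln in lines)
        for cap, pats in PATTERNS.items()
    }

def contribution_opportunities(text):
    """Capabilities a contributor could add to this pipeline, sorted."""
    return sorted(cap for cap, ok in evaluate(text).items() if not ok)

# Constructed sample: a typical workflow that formats but enforces nothing.
WEAK_WORKFLOW = """\
name: terraform
on: [push]
jobs:
  plan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: terraform fmt            # rewrites files, never fails
      - run: terraform init -backend=false && terraform validate
      # - run: tfsec .                # commented out: must not count
"""

# Constructed sample: the same pipeline with the gaps closed.
HARDENED_WORKFLOW = WEAK_WORKFLOW.replace(
    "terraform fmt            # rewrites files, never fails",
    "terraform fmt -check -recursive",
) + "      - run: tflint --recursive\n      - run: tfsec .\n"
```

Calling contribution_opportunities(WEAK_WORKFLOW) lists all three capabilities as missing, while HARDENED_WORKFLOW yields an empty list.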