Module 17, Enterprise Patterns
Terragrunt, DRY Multi-Environment Configs
Terragrunt reduces the repetition when managing many environments with the same modules:
infrastructure/
├── terragrunt.hcl ← root config (remote state, provider)
├── dev/
│ ├── terragrunt.hcl
│ └── finpay/
│ └── terragrunt.hcl ← inherits root, overrides env vars
└── production/
├── terragrunt.hcl
└── finpay/
└── terragrunt.hcl
# root terragrunt.hcl
remote_state {
backend = "s3"
generate = {
path = "backend.tf"
if_exists = "overwrite_terragrunt"
}
config = {
bucket = "company-terraform-state"
key = "${path_relative_to_include()}/terraform.tfstate"
region = "us-east-1"
encrypt = true
dynamodb_table = "terraform-state-lock"
}
}
Atlantis, Pull Request Automation
Atlantis runs terraform plan on every PR and posts the output as a GitHub comment. Reviewers see exactly what will change before approving. On merge, terraform apply runs automatically.
Developer opens PR
↓
Atlantis runs: terraform plan
↓
Plan output posted as PR comment
↓
Team reviews the plan
↓
Reviewer comments "atlantis apply"
↓
Atlantis runs: terraform apply
Checkov, Security Scanning
pip install checkov
checkov -d .
# Example findings:
# [FAILED] CKV_AWS_18: S3 Bucket does not have access logging enabled
# [FAILED] CKV_AWS_21: S3 Bucket does not have versioning enabled
# [FAILED] CKV_AWS_145: RDS instance is not encrypted
Add to CI pipeline:
- name: Security Scan
run: checkov -d . --soft-fail # soft-fail warns without blocking
Sentinel, Policy as Code (HCP Terraform)
# Enforce all S3 buckets must have encryption
import "tfplan/v2" as tfplan
s3_buckets = filter tfplan.resource_changes as _, rc {
rc.type is "aws_s3_bucket" and
rc.mode is "managed" and
(rc.change.actions contains "create")
}
bucket_encryption = rule {
all s3_buckets as _, bucket {
bucket.change.after.server_side_encryption_configuration is not null
}
}
main = rule { bucket_encryption }
Sentinel policies run after plan but before apply in HCP Terraform. A failing policy blocks the apply.
Knowledge Check
- What problem does Terragrunt solve that plain Terraform does not?
- How does Atlantis improve the Terraform code review process?
- What is the difference between Checkov and Sentinel?
- What does a Sentinel policy do when it fails?
- When would you choose HCP Terraform over running Terraform in GitHub Actions?