Skip to main content

Module 17, Enterprise Patterns

Terragrunt, DRY Multi-Environment Configs

Terragrunt reduces the repetition when managing many environments with the same modules:

infrastructure/
├── terragrunt.hcl ← root config (remote state, provider)
├── dev/
│ ├── terragrunt.hcl
│ └── finpay/
│ └── terragrunt.hcl ← inherits root, overrides env vars
└── production/
├── terragrunt.hcl
└── finpay/
└── terragrunt.hcl
# root terragrunt.hcl
remote_state {
backend = "s3"
generate = {
path = "backend.tf"
if_exists = "overwrite_terragrunt"
}
config = {
bucket = "company-terraform-state"
key = "${path_relative_to_include()}/terraform.tfstate"
region = "us-east-1"
encrypt = true
dynamodb_table = "terraform-state-lock"
}
}

Atlantis, Pull Request Automation

Atlantis runs terraform plan on every PR and posts the output as a GitHub comment. Reviewers see exactly what will change before approving. On merge, terraform apply runs automatically.

Developer opens PR

Atlantis runs: terraform plan

Plan output posted as PR comment

Team reviews the plan

Reviewer comments "atlantis apply"

Atlantis runs: terraform apply

Checkov, Security Scanning

pip install checkov
checkov -d .

# Example findings:
# [FAILED] CKV_AWS_18: S3 Bucket does not have access logging enabled
# [FAILED] CKV_AWS_21: S3 Bucket does not have versioning enabled
# [FAILED] CKV_AWS_145: RDS instance is not encrypted

Add to CI pipeline:

- name: Security Scan
run: checkov -d . --soft-fail # soft-fail warns without blocking

Sentinel, Policy as Code (HCP Terraform)

# Enforce all S3 buckets must have encryption
import "tfplan/v2" as tfplan

s3_buckets = filter tfplan.resource_changes as _, rc {
rc.type is "aws_s3_bucket" and
rc.mode is "managed" and
(rc.change.actions contains "create")
}

bucket_encryption = rule {
all s3_buckets as _, bucket {
bucket.change.after.server_side_encryption_configuration is not null
}
}

main = rule { bucket_encryption }

Sentinel policies run after plan but before apply in HCP Terraform. A failing policy blocks the apply.

Knowledge Check

  1. What problem does Terragrunt solve that plain Terraform does not?
  2. How does Atlantis improve the Terraform code review process?
  3. What is the difference between Checkov and Sentinel?
  4. What does a Sentinel policy do when it fails?
  5. When would you choose HCP Terraform over running Terraform in GitHub Actions?