Previous answers have been very solid and informative; I will try to add my 2 cents here.
Common recommendations for structuring code
It is easier and faster to work with a smaller number of resources:
- The commands `terraform plan` and `terraform apply` both make cloud API calls to verify the status of resources.
- If you have your entire infrastructure in a single composition this can take many minutes (even if you have several files in the same folder).
Blast radius is smaller with fewer resources:
- Insulating unrelated resources from each other by placing them in separate compositions (folders) reduces the risk if something goes wrong.
Start your project using remote state:
- Your laptop is no place for your infrastructure source of truth.
- Managing a `tfstate` file in git is a nightmare.
- Later, when infrastructure layers start to grow in any direction (number of dependencies or resources).
- example module: https://github.com/cloudposse/terraform-aws-tfstate-backend
- ref tool: https://github.com/camptocamp/terraboard
Try to practice a consistent structure and naming convention:
- Like procedural code, Terraform code should be written for people to read first; consistency will help when changes happen six months from now.
- It is possible to move resources in Terraform state file but it may be harder to do if you have inconsistent structure and naming.
Keep resource modules as plain as possible.
Don't hard-code values which can be passed as variables or discovered using data sources.
Use data sources and `terraform_remote_state` specifically as glue between infrastructure modules within a composition.
(ref article: https://www.terraform-best-practices.com/code-structure)
Example:
It is easier and faster to work with a smaller number of resources, so below we present a recommended code layout.
NOTE: this is just a reference, not to be strictly followed, since each project has its own specific characteristics.
```text
.
├── 1_tf-backend   # remote AWS S3 + Dynamo Lock tfstate
│   ├── main.tf
│   ├── ...
├── 2_secrets
│   ├── main.tf
│   ├── ...
├── 3_identities
│   ├── account.tf
│   ├── roles.tf
│   ├── group.tf
│   ├── users.tf
│   ├── ...
├── 4_security
│   ├── awscloudtrail.tf
│   ├── awsconfig.tf
│   ├── awsinspector.tf
│   ├── awsguarduty.tf
│   ├── awswaf.tf
│   └── ...
├── 5_network
│   ├── account.tf
│   ├── dns_remote_zone_auth.tf
│   ├── dns.tf
│   ├── network.tf
│   ├── network_vpc_peering_dev.tf
│   ├── ...
├── 6_notifications
│   ├── ...
├── 7_containers
│   ├── account.tf
│   ├── container_registry.tf
│   ├── ...
├── config
│   ├── backend.config
│   └── main.config
└── readme.md
```
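To make the remote-state and `terraform_remote_state` glue concrete, here is an added example (not code from the answer above) showing how `5_network` and `7_containers` from that layout would share one S3 backend via the partial config in `config/backend.config` while keeping separate state files. Bucket and table names, the `vpc_cidr` variable and the security group are assumed placeholders; the bucket and lock table are assumed to be created by `1_tf-backend`.

```hcl
# config/backend.config: shared partial backend settings, passed at init time
# with `terraform init -backend-config=../config/backend.config`. Placeholders.
bucket         = "example-org-tfstate"
region         = "us-east-1"
dynamodb_table = "example-org-tfstate-lock"
encrypt        = true

# 5_network/main.tf: only the state key differs per composition, so each
# folder has its own state file (and its own blast radius) in one bucket.
terraform {
  backend "s3" {
    key = "5_network/terraform.tfstate"
  }
}

variable "vpc_cidr" {}        # passed in, not hard-coded
resource "aws_vpc" "main" {
  cidr_block = var.vpc_cidr
}

# 5_network/outputs.tf: export only what downstream compositions need.
output "vpc_id" {
  value = aws_vpc.main.id
}

# 7_containers/main.tf: same bucket, different key.
terraform {
  backend "s3" {
    key = "7_containers/terraform.tfstate"
  }
}

# 7_containers/data.tf: terraform_remote_state is the read-only glue to
# 5_network; it replaces copying IDs between folders by hand.
data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "example-org-tfstate"
    key    = "5_network/terraform.tfstate"
    region = "us-east-1"
  }
}

# 7_containers/registry_sg.tf: consume the exported VPC ID instead of
# pasting a literal "vpc-..." that silently drifts when the network changes.
resource "aws_security_group" "registry" {
  name   = "container-registry"
  vpc_id = data.terraform_remote_state.network.outputs.vpc_id
}
```

Note that `terraform_remote_state` reads the whole `5_network` state object, so the principal running `7_containers` needs read access to that file and sees everything in it, not only the declared outputs; keep sensitive values out of any state that other compositions consume.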