Blogs About Cloud, AWS, DevOps and Life

Terraform in AWS

Bill Hegazy April 17, 2022 #AWS #terraform

Tools and best practices, that makes your terraform life easier on AWS.

Originally published at on 19 June 2021

1) aws-vault

Although it's not exactly specific for Terraform aws-vault is a must-use tool for Terraform in AWS, especially when you have multiple AWS accounts.

aws-vault stores IAM credentials in your Os's secure Keystore and generates temporary credentials to be used in shell.

Using aws-vault with Terraform to easily switch between AWS accounts and avoid hard-coding AWS profile in Terraform backend state code.

Install aws-vault

brew install --cask aws-vault

Usage Example

# Run simple aws command
aws-vault exec aws_example_account -- aws s3 ls
# Login to aws console using temporary credentials
aws-vault login aws_example_account
# Use with terraform
aws-vault exec aws_example_account -- terraform apply

2) tfenv

tfenv is Terraform version manager similar to rbenv.

Install tfenv

brew install tfenv

Usage Example

# List tf remote versions
tfenv list-remote
# Install tf version
tfenv install 0.11.15
# Use tf version
tfenv use 0.11.15

tfenv automatic version switching

Add .terraform-version file to automatically switch between different Terraform versions and control versions between accounts.


├── .
├── aws_prodution_account
    ├── resource_1
    │   ├──
    |   ├──
    |   └── ...
    ├── resource_2
    │   ├──
    |   ├──
    |   └── ...
    ├── .terraform-version
├── aws_staging_account
    ├── resource_1
    │   ├──
    |   ├──
    |   └── ...
    ├── resource_2
    │   ├──
    |   ├──
    |   └── ...
    ├── .terraform-version
└── ...

3) pre-commit

Using pre-commit framework with terraform repository, will help your code to be kept clean, formated, updated document and checked for tf security issues (optional with tfsec) before committing and pushing the code to git source.

brew install pre-commit gawk terraform-docs tflint coreutils checkov terrascan

Install the pre-commit hook globally

git config --global init.templateDir ${DIR}
pre-commit init-templatedir -t pre-commit ${DIR}

Initialize git repo with terraform hooks

cd your_terraform_git_repo
git init # if new repo
cat <<EOF > .pre-commit-config.yaml
- repo: git://
  rev: <VERSION> # Get the latest from: <>
    - id: terraform_fmt
    - id: terraform_docs
pre-commit install
# Test pre commit
pre-commit run --all-

Now, whenever you run git commit on terraform repo, pre-commit will run the hooks

Auto generate Terraform docs with pre-commit

Using terraform-docs with terraform modules

cd terraform_example_module
cat <<EOF >
lines here will be replaced by terraform_docs when pre-commit runs
pre-commit run --all-files

4) tfsec

Want static analysis for your terraform code to help spot potential security issues? then all you need is tfsec.

Install tfsec

brew install tfsec

Usage Example

cd terraform_folder
tfsec .

Add tfsec to your pre-commit config

Add terraform_tfsec hook to .pre-commit-config.yaml Example:

- repo: git://
    - ...
    - id: terraform_tfsec

Ignoring some tfsec rules

You may wish to ignore some warnings from tfsec. you can simply add a comment containing tfsec:ignore:<RULE> to the offending line in your templates.

For example, to ignore an open security group rule:

resource "aws_security_group_rule" "my-rule" {
    type = "ingress"
    cidr_blocks = [""]

Other best practices:

# Simple Example
resource "random_password" "db-password" {
  length  = 16
  special = false
resource "aws_db_instance" "default" {
  engine           = "mysql"
  engine_version = "5.7"
  instance_class       = "db.t3.micro"
  name                 = "mydb"
  username             = "foo"
  password             = random_password.db-password.result

Back to top