Terraform adoption has scaled beyond individual engineers using it to provision personal resources. Managing Terraform at organisational scale requires module governance, remote state management, and automated pipeline execution.

Module structure and governance

Terraform modules should be versioned and published to a private module registry (Terraform Cloud, Artifactory, or a Git tag-based registry). Module versioning prevents unexpected changes when upstream modules update. A module library maintained by the platform team provides verified, standard implementations of common infrastructure patterns (AKS cluster, App Service with Application Insights, Event Hub with consumer groups) that application teams consume by reference.

Remote state backends

Terraform state should be stored remotely (Azure Blob Storage, which locks state via blob leases; S3 with DynamoDB for locking; or Terraform Cloud) rather than locally. Remote state enables team collaboration, provides state locking to prevent concurrent applies, and keeps a history of state versions. The state file contains the IDs and attributes of every managed resource and is sensitive; it should be stored in a backend with appropriate access controls and encryption.

The workspace pattern

Terraform workspaces (or separate state files per environment) allow the same Terraform configuration to manage multiple environments (dev, staging, prod) with environment-specific variable values. The monorepo pattern (one Terraform root module per environment, shared child modules) provides environment isolation and explicit environment promotion via separate apply commands. The workspace pattern (one root module, multiple workspaces) is simpler but provides less isolation between environments.

Pipeline execution and approval gates

Terraform runs in CI/CD should follow this sequence: terraform plan on PR creation (output posted as a PR comment for review), manual approval required before terraform apply to production, and automatic apply to non-production environments on merge. Atlantis and Terraform Cloud both provide this workflow. The plan output must be reviewed before apply; an unreviewed plan applied automatically is no safer than a manual apply.
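As an added illustration of the approval gate (not code from the original article, Atlantis or Terraform Cloud), the following script classifies the changes in a saved plan (the JSON produced by `terraform show -json plan.tfplan`) and decides whether the apply may proceed automatically; it goes slightly beyond the text by also holding non-production applies that would delete or replace resources. The environment name `prod` and the sample plan are assumptions constructed for the example.

```python
"""Gate a Terraform apply on the plan that was actually reviewed.

Reads the JSON form of a saved plan (`terraform show -json plan.tfplan`)
and decides whether the apply may run automatically or must wait for a
human. The sample plan below is constructed for illustration only.
"""
import json

PROD_ENVIRONMENTS = {"prod"}   # assumed environment naming; adjust to taste


def summarise_changes(plan: dict) -> dict:
    """Bucket resource addresses by the action Terraform intends to take.

    `change.actions` is a list: ["create"], ["update"], ["delete"],
    ["delete", "create"] or ["create", "delete"] for a replacement,
    and ["no-op"] or ["read"] when nothing is modified.
    """
    summary = {"create": [], "update": [], "delete": [], "replace": []}
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if "delete" in actions and "create" in actions:
            summary["replace"].append(rc["address"])
        elif actions == ["delete"]:
            summary["delete"].append(rc["address"])
        elif actions == ["update"]:
            summary["update"].append(rc["address"])
        elif actions == ["create"]:
            summary["create"].append(rc["address"])
    return summary


def requires_manual_approval(plan: dict, environment: str) -> bool:
    """Production always needs a reviewer; elsewhere only destructive plans do."""
    if environment in PROD_ENVIRONMENTS:
        return True
    s = summarise_changes(plan)
    return bool(s["delete"] or s["replace"])


# Constructed sample: one replacement, one in-place update, one new resource.
SAMPLE_PLAN = json.loads("""{
  "format_version": "1.2",
  "resource_changes": [
    {"address": "module.aks.azurerm_kubernetes_cluster.this",
     "change": {"actions": ["delete", "create"]}},
    {"address": "azurerm_storage_account.state",
     "change": {"actions": ["update"]}},
    {"address": "azurerm_eventhub_consumer_group.app",
     "change": {"actions": ["create"]}}
  ]
}""")

if __name__ == "__main__":
    for env in ("dev", "prod"):
        print(env, "manual approval:", requires_manual_approval(SAMPLE_PLAN, env))
```

The pipeline should apply the same saved plan file it reviewed (`terraform apply plan.tfplan`) rather than re-planning at apply time, otherwise the gate approves one set of changes and executes another.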