Terraform on AWS
by Sergey Okinchuk
Calling and Sourcing ModulesVersioning and Version Constraints
Chapter 6: Modules
Topic 38

The Public Module Registry

RegistryModules

The Terraform Registry hosts thousands of published, versioned modules, and the AWS ones — terraform-aws-modules/vpc/aws, terraform-aws-modules/eks/aws — are some of the most-used infrastructure code in the world. They can save weeks of work. They can also pull in a large, opinionated dependency you do not fully understand, which becomes your problem the first time it breaks.

The skill is not finding a module — they are easy to find. It is evaluating one before you adopt it and pinning it so it never changes under you. A Registry module is a dependency like any package, and treating it as casually as a copied snippet is how a routine upgrade takes prod down.

Finding and Reading Modules

Every Registry module has a page listing its inputs, outputs, declared resources, and provider dependencies, with a link to the source repository. Read that page before you write the module block: the inputs tell you the interface, the resources tell you what it will actually create in your account, and the dependencies tell you which provider versions it expects. The source repository is where you confirm how it behaves when the documentation is thin.

The terraform-aws-modules Collection

A community organization, terraform-aws-modules, maintains the most widely-used AWS modules — vpc, eks, rds, security-group, and dozens more. They are mature and heavily adopted, with hundreds of millions of downloads across the collection, which means most edge cases have been hit and fixed by someone else. They are also opinionated: the VPC module alone provisions subnets, route tables, NAT gateways, internet gateways, and flow logs from one call, encoding a particular idea of how a VPC should look.

That opinion is the trade. You get a battle-tested VPC in twenty lines, and you inherit choices you did not make and a large surface to debug when something is off. The block below pins the module to a 6.x line and turns on a NAT gateway — a handful of inputs standing in for dozens of underlying resources.

A pinned terraform-aws-modules VPC call
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 6.0"

  name = "prod"
  cidr = "10.0.0.0/16"

  azs             = ["us-east-1a", "us-east-1b", "us-east-1c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]

  enable_nat_gateway = true
}

Versioning

Always set a version constraint on a Registry module, and read the changelog before you raise it. Without a constraint, a future init -upgrade can jump a major version silently — the 5.x-to-6.x VPC bump, for example, renamed inputs and restructured outputs, and an unpinned config would have taken those breaking changes without warning. The pessimistic operator ~> 6.0 accepts 6.x updates and refuses 7.0, which is usually the right default.

Evaluating Quality

Before depending on a module, weigh its maintenance. Recent commits and a healthy issue tracker say it keeps pace with the AWS provider; a year of silence and a pile of open issues say it has been abandoned and now lags current features. Download counts are a rough proxy for "edge cases already found." And size matters: a heavyweight EKS module is the wrong tool for a need that three resources would meet, because you inherit all of its complexity for none of its benefit.

Wrapping vs Using Directly

For one-off use, call a Registry module directly. When the same third-party module is used across many teams in your organization, wrap it in a thin internal module instead. The wrapper exposes only the inputs your org allows, sets your standard tags and naming, pins the upstream version in one place, and gives you a single point to upgrade. Callers depend on your stable interface, not the upstream module's full surface — so an upstream change is absorbed once, not in every project.

Common Mistakes
  • Adopting a large Registry module like the full VPC or EKS module without reading what it creates, then being unable to debug the dozens of resources it provisioned when one misbehaves.
  • Omitting the version constraint, so an init -upgrade silently jumps a major version and takes breaking input and output changes without warning.
  • Pulling in a heavyweight module for a need three resources would meet, inheriting complexity and a large debugging surface you never wanted.
  • Depending on an abandoned community module — no commits in a year, open issues piling up — that now lags the current AWS provider and breaks on a routine bump.
  • Bumping a major version blindly with init -upgrade instead of reading the upgrade guide, applying renamed inputs and restructured outputs into production.
Best Practices
  • Pin every Registry module with a tight version constraint such as ~> 6.0, and read the changelog before raising it.
  • Read what a module actually provisions before adopting it, especially the large VPC and EKS modules, so you can debug what it creates.
  • Prefer well-maintained, high-adoption modules; check recent commit activity and open-issue health before depending on one.
  • Wrap a third-party module in a thin internal module when it is used across your org, to standardize its inputs, tags, and version in one place.
  • Match a module's size to the need — reach for a few resources over a heavyweight module when that is all the problem requires.
Comparable tools Pulumi publishes components through its package registry CloudFormation has the public registry and Solutions Constructs npm / pip registries play the same role for code packages

Knowledge Check

Why pin a Registry module with a version constraint instead of leaving it unset?

  • Without one, an init -upgrade can silently jump a major version and take breaking input and output changes
  • An unpinned module is refused by the Registry and will not download during init at all
  • The version constraint is the thing that makes the module's declared outputs accessible to the calling configuration
  • Unpinned modules are re-downloaded from the Registry on every plan, slowing it down

What is the trade-off of adopting a large opinionated module like the community VPC module?

  • You get a battle-tested VPC in a few lines but inherit dozens of resources and choices you must debug when something is off
  • It is always slower to apply than the exact same infrastructure written out by hand as inline resource blocks in the root module
  • It cannot be pinned to a version, so every init pulls the latest release available
  • It stores its provisioned resources in a separate state file you cannot inspect

Why wrap a third-party Registry module in a thin internal module?

  • To expose only your allowed inputs, set standard tags, and pin the upstream version in one place that all callers share
  • Because Terraform cannot call a third-party Registry module directly and always requires an internal wrapper around it first
  • To convert the module from the Registry source type into a local-path source on disk
  • To make all of the upstream module's declared outputs sensitive by default

Which signal best indicates a community module is safe to depend on?

  • Recent commits and a healthy issue tracker, showing it keeps pace with the AWS provider
  • A long list of input variables, proving it is configurable enough for nearly any use case
  • The complete absence of any open issues, meaning it has no remaining bugs
  • An exact version pin used in the module's own bundled examples

You got correct