Chapter Eight
Managing Real Infrastructure
Putting the language to work on actual AWS — networks, scaling compute fleets, least-privilege IAM, secrets, and the provisioners you should reach for last.
The first seven chapters taught the language and the workflow on small, self-contained examples. This chapter is where it meets a real cloud. The resources here are interconnected — a subnet references a VPC, an ASG references a launch template and a target group, an instance profile references a role — and that interconnection is exactly where the dependency graph, lifecycle meta-arguments, and iteration concepts stop being theory.
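The interconnection described above, as an added example that is not the chapter's own code: a VPC whose subnets are produced with for_each and cidrsubnet, so each subnet is keyed by a stable name and gets a non-overlapping block carved from the VPC range. The VPC CIDR, the region, and the zone keys are assumptions.

```hcl
# Added example, not from the chapter. Region, CIDR and zone keys are assumed.
variable "vpc_cidr" {
  type    = string
  default = "10.20.0.0/16"
}

# Keyed by zone suffix, not by list position: removing "b" leaves "c" alone,
# whereas with count the remaining subnets would shift index and be recreated.
variable "azs" {
  type    = map(number)
  default = { a = 0, b = 1, c = 2 } # zone suffix -> subnet number
}

resource "aws_vpc" "main" {
  cidr_block = var.vpc_cidr
  tags       = { Name = "main" }

  # cidr_block cannot be changed in place; a new value means a new VPC.
  # prevent_destroy turns that silent network rebuild into a plan error.
  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_subnet" "private" {
  for_each = var.azs

  vpc_id            = aws_vpc.main.id
  availability_zone = "us-east-1${each.key}"

  # cidrsubnet(prefix, newbits, netnum): a /16 plus 4 new bits gives /20 blocks;
  # a distinct netnum per subnet guarantees the blocks never overlap
  # (a=10.20.0.0/20, b=10.20.16.0/20, c=10.20.32.0/20).
  cidr_block = cidrsubnet(var.vpc_cidr, 4, each.value)

  tags = { Name = "private-${each.key}" }
}

output "private_subnet_ids" {
  value = { for k, s in aws_subnet.private : k => s.id }
}
```

The subnet's cidr_block is also replace-on-change, so the same prevent_destroy guard is worth adding there once the subnets carry workloads.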
It is also where Terraform's sharp edges live: a VPC or subnet CIDR that can't be changed without recreating the network, an autoscaler whose desired_capacity fights every apply unless you tell Terraform to ignore it, a single "*" in an IAM policy that hands out admin, and secrets that land in plaintext in the state file. Each topic grounds one of those in correct, concise AWS-provider HCL.
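Two of those edges side by side, as an added example rather than the chapter's code: an ASG told to ignore runtime changes to desired_capacity, and a wildcard IAM policy next to the scoped policy that the instance role actually gets. The AMI, subnet IDs and bucket are assumptions.

```hcl
# Added example, not from the chapter. AMI, subnet IDs and bucket are assumed.
variable "ami_id" { type = string }
variable "subnet_ids" { type = list(string) }

resource "aws_s3_bucket" "assets" {
  bucket = "example-app-assets" # assumed name
}

# Sharp edge: Action "*" on Resource "*" is full admin, whatever the role's
# intended purpose. Shown for contrast only; never attach this.
data "aws_iam_policy_document" "too_broad" {
  statement {
    actions   = ["*"]
    resources = ["*"]
  }
}

# Least privilege: name the actions and the objects they apply to.
data "aws_iam_policy_document" "scoped" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.assets.arn}/*"]
  }
}

data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "app" {
  name               = "app"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy" "app" {
  name   = "app-read-assets"
  role   = aws_iam_role.app.id
  policy = data.aws_iam_policy_document.scoped.json
}

# The instance profile references the role; the launch template references
# the profile; the ASG references the template. That is the dependency graph.
resource "aws_iam_instance_profile" "app" {
  name = "app"
  role = aws_iam_role.app.name
}

resource "aws_launch_template" "app" {
  name_prefix   = "app-"
  image_id      = var.ami_id
  instance_type = "t3.micro"

  iam_instance_profile {
    name = aws_iam_instance_profile.app.name
  }
}

resource "aws_autoscaling_group" "app" {
  name                = "app"
  vpc_zone_identifier = var.subnet_ids
  min_size            = 2
  max_size            = 10
  desired_capacity    = 2

  launch_template {
    id      = aws_launch_template.app.id
    version = "$Latest"
  }

  # Scaling policies move desired_capacity at runtime. Without this block,
  # every apply would reset the fleet to 2 and undo the scale-out.
  lifecycle {
    ignore_changes = [desired_capacity]
  }
}
```

min_size and max_size stay under Terraform's control; only the value the autoscaler legitimately owns is ignored.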
Topics in This Chapter
Networks: for_each beats count for subnets, and how cidrsubnet avoids overlap.
Scaling compute fleets: … desired_capacity.
Least-privilege IAM: … "*" can undo.
Provisioners: what local-exec, remote-exec, and file do, why they're a last resort, the cloud-init and Packer alternatives, and the few legitimate uses.
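The provisioner point in working HCL, as an added example that is not the chapter's code: the same package install done with remote-exec, with everything it demands listed, and then done with cloud-init through user_data. The AMI, key name, key path and package manager are assumptions; baking the package into the image with Packer removes even the user_data step.

```hcl
# Added example, not from the chapter. AMI, key name and key path are assumed.
variable "ami_id" { type = string }
variable "key_name" { type = string }
variable "private_key_path" { type = string }

# Last resort. remote-exec needs a reachable SSH port, the private key on the
# machine running terraform, and a login user. It runs only at create time,
# and a failing script taints the instance so the next apply replaces it.
resource "aws_instance" "with_provisioner" {
  ami                         = var.ami_id
  instance_type               = "t3.micro"
  key_name                    = var.key_name
  associate_public_ip_address = true

  connection {
    type        = "ssh"
    host        = self.public_ip
    user        = "ec2-user"
    private_key = file(var.private_key_path)
  }

  provisioner "remote-exec" {
    inline = [
      "sudo dnf install -y nginx", # dnf assumed (Amazon Linux 2023)
      "sudo systemctl enable --now nginx",
    ]
  }
}

# Preferred. The same steps handed to cloud-init: no inbound SSH, no key
# material on the runner, and the script is visible in the plan diff.
resource "aws_instance" "with_cloud_init" {
  ami           = var.ami_id
  instance_type = "t3.micro"

  user_data = <<-EOT
    #cloud-config
    packages:
      - nginx
    runcmd:
      - systemctl enable --now nginx
  EOT

  # Without this, editing user_data is an in-place update that the already
  # booted instance never sees; with it, the change replaces the instance.
  user_data_replace_on_change = true
}
```

Keep the two resources in separate workspaces if you try both; the remote-exec variant also needs a security group that admits SSH from the runner, which is exactly the surface the cloud-init variant avoids.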