Chapter Eleven

Testing and Validation

The gates that keep Terraform code honest — from a two-second format check to native HCL tests, security scanners, policy as code, and the contract a shared module owes its consumers.

5 topics

Infrastructure code fails differently from application code. A typo does not crash a process you can restart — it deletes a database, opens a security group to the internet, or quietly drifts production away from what anyone reviewed. The cost of a bad change is paid in real resources, so the discipline is to catch problems before apply, when they are still text on a screen.

This chapter walks the testing pyramid for Terraform from cheapest to most thorough. fmt and validate run in seconds and catch structural mistakes. Static analysis flags the public bucket and the open port. The native terraform test framework asserts that a module does what it claims. Policy as code enforces your organization's rules on every plan. And contract testing keeps a widely used module's interface trustworthy across versions. Each layer catches what the one below it cannot.

Topics in This Chapter