Chapter Thirteen

Advanced Patterns

Extending Terraform past its built-in providers, the newer features that keep secrets out of state, the programmatic and large-deployment constructs at the edges of the tool, and how Terraform scales to a whole organization and a brownfield estate.

7 topics

The first twelve chapters cover the Terraform you use every day. This last one covers the edges: the places where you outgrow the built-in tooling, the features HashiCorp added recently to fix old pain, and the patterns that only matter once Terraform is running across dozens of teams and thousands of resources that nobody wrote a line of HCL for.

None of these are starting points. Reach for a custom provider, CDKTF, or Stacks only when the simpler path has genuinely run out, and treat the newest features as newest — present in current Terraform, but with provider support and battle-testing still catching up. The last two topics are the capstone: how a platform team underpins a multi-account organization, and how you bring years of console-built infrastructure under management without an outage.

Topics in This Chapter

Topic 74
Custom Providers
When no provider covers the system you need to manage, the Plugin Framework lets you write one. When a custom provider is justified, what building it involves, and the lighter alternatives to try first.
Tags: Extending, Tooling
Topic 75
Ephemeral Resources and Write-Only Arguments
Terraform's real answer to secrets in state. Values that live only during a run and arguments that reach the API but never get written to disk — and how they differ from the sensitive flag.
Tags: Secrets, State
Topic 76
Terraform Stacks
HashiCorp's native construct for deploying the same components across many environments and regions from one definition, and where it fits against directories, workspaces, and Terragrunt.
Tags: Deployment, HCP
Topic 77
Generating Configuration (CDKTF)
Defining infrastructure in TypeScript, Python, or Go that synthesizes to Terraform JSON. When a real programming language earns its toolchain, and how CDKTF differs from Pulumi.
Tags: Generation, Tooling
Topic 78
Terraform with Ansible
The clean handoff: Terraform creates the instances and outputs what Ansible needs, Ansible discovers them by tag and configures the software. Each tool in its lane, no provisioners.
Tags: Integration
Topic 79
Landing Zones and Multi-Team Scale
Terraform as platform: the multi-account baseline every team builds on, account vending, paved-road modules, and guardrails that scale without manual review.
Tags: Platform, Scale
Topic 80
Brownfield Adoption at Scale
The capstone: bringing years of console-built infrastructure under Terraform in safe, reviewable increments, drawing state boundaries as you go, and making the change stick.
Tags: Adoption, Migration