Chapter Twelve

Testing, Policy & Validation

The checks that stand between a config and a broken apply: format and consistency gates, security scanners, Terraform's native test framework, the three policy layers that enforce the rules — and contract tests that keep a shared module honest.

5 topics

Nothing in the previous chapters stops you from shipping a config that names a bucket someone else owns, opens SSH to the whole internet, or quietly drops the encryption key off a disk. Terraform applies what you wrote; it does not judge whether what you wrote is safe. This chapter is the set of gates that do the judging — from the two-second format check to the org-wide policy an engineer cannot bypass at 2am.

The running example carries over: the Hatch ingest module from earlier chapters, now packaged as a reusable thing other teams consume, plus the guardrails the organization wraps around it. You will order CI cheap-to-expensive, scan for the recurring GCP exposure list, write native tests that run without touching Google Cloud, enforce policy at three different layers, and pin a module's interface so a rename does not break every consumer downstream.

Topics in This Chapter