Hi all,
I’m looking for best practices or patterns for testing shared Terraform code in a multi-repo setup, where our CDE (Central Development Repository) holds reusable static modules, and each customer-name-repository provides the dynamic configurations and variable sets.
Our constraints:
- The `CDE` repository contains modules reused across many customer environments.
- Each `customer-name-repository` contains its own `.tfvars` and logic tailored to the customer.
- We are not allowed to re-apply infrastructure just to test changes in shared code.
- Most customer contracts treat both `test` and `production` environments as production-grade and stable.
- We currently do not have a dedicated `development` environment for applying and destroying infrastructure, due to painful customer contract constraints, application licences, politics and associated costs; although we recognize that having one would be highly valuable.
- Therefore, we can rely only on linting, validation, and `terraform plan`, but not `terraform apply` or `terraform destroy`.
Our current idea:
- Run static checks (`terraform fmt`) and possibly `tflint` in the `CDE` repository.
- When changes are made to `CDE`, trigger CI pipelines in each customer repository (via GitLab).
- In each customer repository, run: `terraform init`, `tflint`, `terraform validate`, `terraform plan` (using real customer-specific `.tfvars`).
- Never run `apply` automatically; it must be done within managed downtime with the customer.
- Modules are version-pinned in customer repos using `CDE` release tags.
Questions:
- Is this a sound and reliable testing strategy given that `apply` is not allowed?
- Are there recommended tools or patterns to orchestrate testing across customer repositories?
- Has anyone successfully used `terraform test` in a similar cross-repo CI/CD setup (e.g., GitLab multi-project pipelines)?
- Given our constraints, what would be the most effective Terraform testing model?
Any insights, experiences, or ideas would be greatly appreciated!
Thanks.
K.
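Added example, not part of the post above and not the poster's own pipeline: one way to lay out the plan-only gate described in the post as two GitLab CI files, the `CDE` repository fanning out to customer repositories with a multi-project trigger, and each customer repository running init, tflint, validate and plan but never apply. Project paths (`infra/customers/acme`), image tags, the `modules/*/` layout, the `customer.tfvars` filename and the `CDE_REF` variable name are assumptions.

```yaml
# .gitlab-ci.yml in the CDE (shared modules) repository: static checks, then fan out.
stages:
  - static
  - fan-out

default:
  image: hashicorp/terraform:1.9   # assumed tag; pin the version you actually use

fmt-and-validate:
  stage: static
  script:
    - terraform fmt -check -recursive -diff
    # Validate each module in isolation: no backend and no cloud credentials needed.
    - |
      for m in modules/*/; do
        (cd "$m" && terraform init -backend=false -input=false && terraform validate)
      done
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_TAG

# Shared shape for the per-customer trigger jobs; `extends` deep-merges the `trigger` map.
.fan-out:
  stage: fan-out
  trigger:
    strategy: depend                 # the CDE pipeline fails if a customer plan fails
  variables:
    CDE_REF: $CI_COMMIT_REF_NAME     # tag or branch the downstream pipeline is planning against

plan-acme:
  extends: .fan-out
  trigger:
    project: infra/customers/acme    # assumed project path; add one job per customer
    branch: main
---
# .gitlab-ci.yml in a customer repository: plan-only gate, apply is never a CI job.
stages:
  - lint
  - plan

variables:
  TF_INPUT: "0"                      # never block on prompts in CI
  TF_IN_AUTOMATION: "true"
  CDE_REF: "v1.4.0"                  # assumed default; overridden when triggered from CDE

tflint:
  stage: lint
  image: ghcr.io/terraform-linters/tflint   # assumed image
  script:
    - tflint --init
    - tflint --recursive

plan:
  stage: plan
  image: hashicorp/terraform:1.9
  # Assumed: cloud credentials injected as masked CI variables that are read-only,
  # so even a misconfigured job cannot mutate infrastructure or touch the state lock.
  script:
    - terraform init -lock=false
    - terraform validate
    - terraform plan -lock=false -detailed-exitcode -var-file=customer.tfvars -out=plan.tfplan
  allow_failure:
    exit_codes: [2]                  # 2 = plan has changes: surface for review, not a hard failure
  artifacts:
    paths: [plan.tfplan]
    expire_in: 1 day                 # plan files can embed sensitive values; keep them short-lived
  rules:
    - if: $CI_PIPELINE_SOURCE == "pipeline"              # triggered from CDE
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"   # customer-side change
```

Two design points worth checking in your own setup. First, `-detailed-exitcode` turns the plan into a three-way signal (0 no changes, 1 error, 2 changes); for a shared-module refactor the interesting outcome is exit 2, which `allow_failure: exit_codes: [2]` shows as a warning on the customer pipeline and, via `strategy: depend`, on the CDE pipeline, while a real error still fails both. Second, Terraform cannot interpolate a module `source`, so a customer plan only exercises an unreleased CDE change if the job rewrites the pinned `?ref=` to `$CDE_REF` before `init`, or the fan-out runs on a pre-release tag that the customer repo has already been bumped to; with the pinned tag left untouched, the triggered plan only confirms that the customer configuration is still consistent with the release it already uses.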