Module Governance

Cloud provider: AWS

Using Terraform Cloud or alternative tooling, is it possible to create a centralised repository of predefined Terraform modules and, more importantly, enforce the usage of those modules?

(I am aware of the concept of the private module registry as a centralised store for modules, but not how to ensure that resource is only created via these modules)

Hi @spursfc,

This sort of requirement is typically enforced as a policy check using either HashiCorp Sentinel or Open Policy Agent, which would then automatically check each Terraform plan created inside Terraform Cloud to make sure it complies with the policy.

For your specific requirement, the policy would presumably be something like:

  • The root module cannot declare any resources directly itself. (Or perhaps, only resources of specific approved types)
  • The root module is allowed to call other modules, but only modules originating from a specific private registry namespace.

There’s more information on the policy features here: Policy Enforcement - Terraform Cloud | Terraform | HashiCorp Developer
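As an added illustration of the two rules sketched above (this is example policy code, not something from the original thread or from HashiCorp), here is an Open Policy Agent policy written against the JSON that `terraform show -json plan.out` produces. It is assumed to be evaluated locally with `opa eval`, so the plan is the whole `input` document; if you attach it to Terraform Cloud's OPA integration you will need to adjust the input path to wherever that integration places the plan. The registry namespace `app.terraform.io/example-org/` and the `terraform_data` allow-list entry are constructed placeholders.

```rego
package terraform.module_governance

import rego.v1

# Constructed placeholder: the private registry namespace that root modules may call.
approved_prefix := "app.terraform.io/example-org/"

# Hypothetical allow-list of resource types the root module may declare directly
# (the "only resources of specific approved types" variant of rule 1).
approved_root_types := {"terraform_data"}

# Rule 1: the root module must not declare managed resources itself.
# Resources in the root module have no module_address in the plan JSON.
deny contains msg if {
	some rc in input.resource_changes
	rc.mode == "managed"
	not rc.module_address
	not rc.type in approved_root_types
	some action in rc.change.actions
	action in {"create", "update"}
	msg := sprintf("resource %q is declared directly in the root module; use an approved module instead", [rc.address])
}

# Rule 2: every module the root module calls must come from the approved registry namespace.
# Only the root module's direct calls are checked; nested calls inside an approved module
# (often relative paths like ./submodule) are trusted along with the module that made them.
deny contains msg if {
	some name, call in input.configuration.root_module.module_calls
	not startswith(call.source, approved_prefix)
	msg := sprintf("module %q uses source %q, which is outside the approved namespace %q", [name, call.source, approved_prefix])
}
```

Run it with `opa eval --format pretty --data policy.rego --input plan.json 'data.terraform.module_governance.deny'`; an empty set means the plan complies. Checking `resource_changes` rather than the static configuration means a root-level resource that is only being read or destroyed does not block the run, which is usually what you want when migrating existing state into modules.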