Mykhailo Marynenko (@bsky.0x77.dev)
CTO / @osventuresllc.bsky.app | software & hardware engineer, AI/ML & security researcher, visual artist.

https://mykhailo.link | https://0x77.dev
Provider inconsistency is another nightmare. Each cloud provider implements Terraform differently. AWS provider works one way, Azure has its own special interpretation, GCP throws curveballs. "Multi-cloud" they promised. "Consistent experience" they said.
July 22, 2025 at 7:57 AM

What we got was learning three different flavors of the same broken abstraction.

My personal favorite error: "Provider produced inconsistent final plan." This is Terraform's way of saying "I have no idea what I'm doing, but it's definitely your fault."

Hours of debugging later, you discover it's a known provider bug from 2019 that's still not fixed, but somehow it's your configuration that's wrong.

The Import Circus deserves special mention. Need to import existing infrastructure? Hope you enjoy playing "guess the exact configuration that matches your existing resource." Get one attribute wrong? Start over.

No autocomplete, no hints, just pure archaeological guesswork until you match whatever the provider thinks that resource should look like.

But Here's The Real Issue: We're Using It Wrong

Most Terraform disasters happen because we've bought into the myth that everything must be "Infrastructure as Code." This is like using a hammer for every job because someone told you "everything is a nail."

Here's what Terraform/OpenTofu is actually good at:

Core Infrastructure - VPCs, subnets, security groups, load balancers. The foundational stuff that changes rarely and has clear dependencies.

Stateful Resources - Databases, storage buckets, DNS zones. Things you absolutely need to recreate identically if disaster strikes.

Foundation Layer - IAM roles, policies, networking backbone. The plumbing that everything else depends on.

Disaster Recovery scenarios - Resources you need to recreate identically in another region when everything goes sideways.

Where you should stop fighting the tool:

Application Deployments - Use proper deployment tools like Helm or Nomad. Terraform doesn't understand application lifecycles.

Configuration Management - Use Ansible, Salt, or good old bash scripts. Don't try to manage application configs through infrastructure tools.

Secrets Management - Use dedicated secret stores, not Terraform state files. Your database passwords have no business being in a state file.

Frequent Changes - If it changes daily, weekly, or even monthly, it probably shouldn't be in Terraform. The overhead isn't worth it.

The Anti-Pattern Playbook:

Stop over-modularizing everything. A simple aws_instance doesn't need to be wrapped in 3 layers of abstraction. Modules should solve real problems, not just follow "best practices" from blog posts.

Don't DRY yourself to death. Some repetition is good! Copy-pasting 3 similar resources is often cleaner than building a complex loop with conditional logic that nobody can debug at 3 AM. If you can't understand your own code in 6 months, you've gone too far.

Don't Terraform all the things. Your application code doesn't belong in Terraform. Your monitoring dashboards don't belong in Terraform. Your team's lunch orders don't belong in Terraform. Keep it focused on actual infrastructure.

Don't ignore blast radius. One monolithic Terraform state managing 500 resources across every environment is a ticking time bomb. Break it up by failure domains and operational boundaries, not by "logical separation" from some consultant's diagram.

The Sane Terraform Strategy:

Start simple and stay simple. Write plain Terraform first. Add complexity only when you feel real pain, not because a blog post said you should. Test everything in disposable environments. Keep state files small and focused on related resources.

Embrace hybrid approaches. Use Terraform for the foundation, then use cloud-native tools for everything else. Don't force everything through one tool just for consistency's sake. Let each tool do what it does best.

Focus on operational reality. Optimize for debugging, not elegance. Prioritize clarity over cleverness. Plan for the 3 AM production incident when you're half-asleep trying to figure out why the apply failed. Document why you made decisions, not just what the code does.

The Industry Reality Check:

The dirty secret is that most successful infrastructure teams use Terraform for maybe 20% of their actual infrastructure management. The other 80% is handled by specialized tools, scripts, and yes, sometimes even manual processes where that makes more sense.

The companies with the most reliable infrastructure aren't the ones with the most comprehensive Terraform configurations. They're the ones that picked the right tool for each job and didn't try to force everything into a single "Infrastructure as Code" paradigm.

The Bottom Line:

Terraform and OpenTofu aren't bad tools - they're just overused tools. The real problem isn't the software, it's the industry's obsession with making everything "Infrastructure as Code" even when it makes operations more complex and fragile.

Sometimes the most professional thing you can do is tell your team that not everything needs to be in Terraform. Sometimes a bash script is the right answer. Sometimes clicking through the console is perfectly fine for that one-off resource.

Sometimes the "best practice" is knowing when to ignore the best practices.

The goal isn't perfect Infrastructure as Code. The goal is reliable infrastructure that your team can actually maintain, debug, and operate without losing sleep.

So before you write another Terraform module, ask yourself: "Does this actually need to be infrastructure as code, or am I just doing it because that's what we're supposed to do?"

Your future self (and your on-call rotation) will thank you.
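A concrete check for the Secrets Management point in the thread (database passwords have no business being in a state file): an added example, not code from the thread or its author, that scans a Terraform state JSON for credential-looking attribute values so leaked secrets are caught before the state is committed or shared. The state document, resource names and the attribute-name pattern are constructed assumptions.

```python
"""Scan a Terraform state file (JSON, state format version 4) for secret-looking
values. Terraform writes every resource attribute to state in plaintext, provider
"sensitive" flags included, so a state holding a DB password is a credential store."""
import json
import re

# Attribute names that usually carry a credential; extend to taste.
SECRET_KEY_RE = re.compile(
    r"password|passwd|secret|token|private_key|api_key", re.IGNORECASE)

# Constructed, hypothetical state: a database with a plaintext password and a
# bucket with nothing sensitive. Not taken from any real deployment.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_db_instance", "name": "main",
         "instances": [{"attributes": {
             "identifier": "prod-db",
             "username": "admin",
             "password": "hunter2-example-only",
             "tags": {"Owner": "platform"}}}]},
        {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "instances": [{"attributes": {"bucket": "example-logs",
                                       "password": None}}]},
    ],
})


def _walk(obj, path=""):
    """Yield (dotted_path, value) for every leaf of a nested attribute tree."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _walk(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _walk(val, f"{path}[{i}]")
    else:
        yield path, obj


def find_secrets_in_state(state_json: str) -> list:
    """One finding per non-empty attribute whose name looks like a credential."""
    findings = []
    for res in json.loads(state_json).get("resources", []):
        address = f"{res['type']}.{res['name']}"
        for idx, inst in enumerate(res.get("instances", [])):
            for path, value in _walk(inst.get("attributes", {})):
                leaf = path.rsplit(".", 1)[-1]
                if SECRET_KEY_RE.search(leaf) and value not in (None, ""):
                    findings.append({"address": address, "index": idx, "attribute": path})
    return findings
```

Run it over a real `terraform.tfstate` (or `terraform state pull` output) in CI; any finding means the secret should move to a dedicated store and the state backend must be treated as sensitive data.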