Enforcing best practice on self-serve infrastructure with Terraform, Atlantis and Policy As Code

tech.loveholidays.com
Here at loveholidays we are heavily dependent on Terraform. All of our Google Cloud infrastructure is managed using Terraform, along with a number of non-GCP services as well.

Terraform has widely become the de facto tool for infrastructure provisioning, and for good reason. It's superbly simple to set up and get started with, easy to provision infrastructure with, and incredibly well supported by the folk at HashiCorp.

The difficulty with Terraform: everyone does it slightly differently. This isn't limited to comparing usage across companies either; it's not uncommon to have teams deploying and managing infrastructure completely differently within the same company. One team may have a full CI/CD pipeline with approval stages and remote-managed state, the next may be manually running Terraform from one engineer's laptop, because "the infrastructure is devops' job".

Our goal here at loveholidays is to empower developers to own their infrastructure, from creation through to deprecation, while ensuring compliance with all of our company standards, requirements and best practices, all with as little input as possible from the infrastructure team.

Harnessing only open-source tools, we have built an end-to-end pipeline that centrally manages Terraform and enforces our best practices using Policy as Code.

Structuring Terraform at loveholidays

We use Terraform to manage the following systems:

and more. We separate these into dedicated repositories, with multiple repositories for our GCP infrastructure. We also maintain a number of Terraform modules we have created internally, which enforce our best practices (required labels, regions, etc.). Each internal Terraform module has a dedicated GitHub repository, and we release them with git tags.

At the time of writing, we have 33 repositories for various Terraform related purposes. It's crucial that we have a consistent (and fast) way of managing deployments for all of these repositories.
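The kind of guard rail an internal module can carry is shown below, as an added example that is not loveholidays' own module code: a wrapper around a GCS bucket that rejects plans missing the required labels or targeting an unapproved region, and a caller that pins the module to a git tag. The module name, organisation, required label keys and approved region list are all hypothetical.

```hcl
# --- modules/gcs-bucket/variables.tf (hypothetical internal module) ---

variable "name" {
  type = string
}

# Required labels are checked at plan time, so a missing label fails
# before anything is created rather than being caught in an audit later.
variable "labels" {
  type = map(string)
  validation {
    condition = alltrue([
      for key in ["team", "env", "cost_centre"] : contains(keys(var.labels), key)
    ])
    error_message = "Labels must include the keys team, env and cost_centre."
  }
}

# Only the regions approved for this organisation are accepted (assumed list).
variable "region" {
  type = string
  validation {
    condition     = contains(["europe-west1", "europe-west2"], var.region)
    error_message = "Region must be europe-west1 or europe-west2."
  }
}

# --- modules/gcs-bucket/main.tf ---

resource "google_storage_bucket" "this" {
  name     = var.name
  location = var.region
  labels   = var.labels

  # Secure default baked into the module so every caller inherits it.
  uniform_bucket_level_access = true
}

# --- caller, e.g. in a team's infrastructure repository ---

module "assets_bucket" {
  # Pinned to a released git tag; bumping the ref is a reviewable change.
  source = "git::https://github.com/example-org/terraform-gcs-bucket.git?ref=v1.2.0"

  name   = "example-assets-prod"
  region = "europe-west1"
  labels = {
    team        = "web"
    env         = "prod"
    cost_centre = "marketing"
  }
}
```

Removing `cost_centre` from the `labels` map, or setting `region = "us-central1"`, makes `terraform plan` fail with the module's error message, which is the point at which a CI pipeline such as Atlantis would surface the violation on the pull request.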

Deploying with Atlantis

After a brief experiment…
Dan Williams