Building an IDP with Terraform & OpenTofu

Step-by-step guide to building a scalable Internal Developer Platform with Terraform & OpenTofu—automate infra, boost velocity and stay cloud-agnostic.

Sebastian Stadil

4 min read

An Internal Developer Platform (IDP) serves as a self-service layer, abstracting complexities and empowering developers to provision resources autonomously within defined guardrails. When built upon robust Infrastructure as Code (IaC) tools like Terraform or its open-source alternative OpenTofu, an IDP can significantly enhance productivity, standardize operations, and accelerate software delivery.

The IaC Foundation: Terraform vs. OpenTofu

Terraform and OpenTofu allow you to define infrastructure in human-readable configuration files. Both follow a core workflow: Write (define infrastructure in HCL), Plan (preview changes), and Apply (provision or modify infrastructure).

A basic HCL example looks similar for both:

# main.tf - Example for AWS EC2 instance
provider "aws" {
  region = "us-west-2"
}

resource "aws_instance" "example" {
  ami           = "ami-0c55b31ad29f52381" # Example AMI
  instance_type = "t2.micro"

  tags = {
    Name = "ExampleInstance"
  }
}

The key difference lies in licensing and governance:

Aspect

Terraform

OpenTofu

Licensing Model

Business Source License (BSL 1.1)

Mozilla Public License 2.0 (MPL 2.0)

Core IaC Functionality

Mature, extensive provider ecosystem, HCL

Compatible with HCL, leverages provider ecosystem

Community & Governance

HashiCorp-led

Linux Foundation, community-governed

Enterprise Offerings

HCP Terraform, Terraform Enterprise

Relies on 3rd-party platforms (Scalr, Spacelift, etc.)

Key Feature Divergences

Ephemeral resources (example)

Client-side state encryption (example)

OpenTofu emerged as a fork of Terraform, aiming to ensure an open-source future for the tool. For many, its MPL 2.0 license offers greater long-term flexibility, especially if building services on top of the IaC tooling.

Core IDP Components

A well-structured IDP for Terraform/OpenTofu typically includes:

  1. Self-Service Interface/Developer Portal: The primary interaction point for developers (e.g., Backstage, Port.io, or custom-built).
  2. Centralized Component Catalog: A searchable repository of all software, infrastructure components, modules, and their metadata.
  3. IaC Automation Engine: The backend that executes Terraform/OpenTofu commands (init, plan, apply) based on developer requests or CI/CD triggers.
  4. Reusable IaC Modules & Templates: Standardized, version-controlled modules encapsulating common infrastructure patterns (e.g., a VPC, a Kubernetes cluster).

Key Technical Considerations & Best Practices

1. Module Management

Reusable modules are the building blocks of a scalable IaC practice. They ensure consistency and embed best practices.

Referencing a module:

# Consuming a VPC module
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws" # Public registry example
  version = "3.14.2"

  name = "my-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["us-west-2a", "us-west-2b"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = false
}
  • Best Practice: Use private registries for internal modules, version them (Semantic Versioning), and document them thoroughly.

2. State Management

The state file tracks your managed infrastructure. Protecting it is crucial.

Backend configuration (e.g., AWS S3 with DynamoDB for locking):

# backend.tf
terraform {
  backend "s3" {
    bucket         = "my-terraform-state-bucket-unique-name"
    key            = "global/s3/terraform.tfstate"
    region         = "us-west-2"
    dynamodb_table = "terraform-state-lock-table"
    encrypt        = true
  }
}
  • Best Practices: Always use remote backends. Enable state locking, encryption at rest, and versioning. Isolate state files per environment/component to minimize blast radius. OpenTofu also offers client-side state encryption.

3. CI/CD Integration

Automate your IaC workflows for consistency and speed.

Conceptual CI/CD pipeline step (e.g., GitHub Actions):

# .github/workflows/terraform.yml (snippet)
name: 'Terraform CI/CD'

on:
  push:
    branches:
    - main
  pull_request:

jobs:
  terraform:
    name: 'Terraform'
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v3

    - name: Setup Terraform/OpenTofu
      uses: hashicorp/setup-terraform@v2 # or opentofu/setup-opentofu
      with:
        # terraform_version: 1.5.0 # Specify version
        # tofu_version: 1.6.0 # For OpenTofu

    - name: Terraform Init
      run: terraform init # or tofu init

    - name: Terraform Validate
      run: terraform validate # or tofu validate

    - name: Terraform Plan
      if: github.event_name == 'pull_request'
      run: terraform plan -no-color -input=false # or tofu plan
      continue-on-error: true

    - name: Terraform Apply
      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
      run: terraform apply -auto-approve -input=false # or tofu apply
  • Best Practice: Integrate init, validate, plan, and apply stages. Use GitOps principles: store IaC in Git, use Pull/Merge Requests for changes, and automate plan reviews.

4. Policy Enforcement

Implement guardrails using Policy as Code (PaC).

Conceptual Rego policy snippet (for Open Policy Agent - OPA):

package terraform.aws.security

# Deny if an S3 bucket does not have versioning enabled
deny[msg] {
  input.resource_changes[_].type == "aws_s3_bucket"
  not input.resource_changes[_].change.after.versioning[_].enabled
  msg = "S3 buckets must have versioning enabled."
}

# Deny overly permissive security group ingress rule
deny[msg] {
  sg_rule = input.resource_changes[_]
  sg_rule.type == "aws_security_group_rule"
  sg_rule.change.after.type == "ingress"
  contains(sg_rule.change.after.cidr_blocks[_], "0.0.0.0/0")
  sg_rule.change.after.protocol == "-1" # All protocols
  msg = "Security group rule allows all traffic from any source. Please restrict."
}
  • Best Practice: Integrate PaC tools like OPA into CI/CD pipelines to validate plans against organizational policies for security, compliance, and cost.

5. Security

Embed security throughout the IDP.

  • Secrets Management: Never hardcode secrets. Integrate with tools like HashiCorp Vault, AWS Secrets Manager, etc., to inject secrets at runtime.
  • RBAC: Implement Role-Based Access Control for the IDP and ensure IaC tools operate with least privilege.
  • Vulnerability Scanning: Use tools like tfsec, checkov, or Trivy to scan IaC code for misconfigurations.

Conclusion

Building an IDP with Terraform or OpenTofu is a strategic investment that standardizes infrastructure management, enhances developer productivity, and strengthens governance. By focusing on core components, adhering to best practices in module and state management, CI/CD, policy enforcement, and security, organizations can create a powerful platform that accelerates innovation while maintaining control and compliance. The choice between Terraform and OpenTofu hinges on licensing preferences and long-term strategic alignment, with OpenTofu offering a compelling open-source path.