Structuring Terraform and OpenTofu: A Platform Engineer's Four-Part Guide

Learn production-ready Terraform & OpenTofu layouts, reusable modules, env isolation, and CI/CD patterns in this 4-part platform-engineering guide.

Sebastian Stadil

5 min read

Part 2: Mastering Modules and Repository Strategies

In Part 1 of this series, we established why a deliberate IaC structure is crucial and introduced the foundational what—standard files, naming conventions, and an initial overview of modularity. Now, we venture deeper into two pivotal aspects of structuring your Terraform and OpenTofu code: the art and science of designing truly effective modules, and the strategic decision of how to organize your code across repositories using monorepo or polyrepo approaches.

1. Essential Modularity: Designing Effective Modules (Deep Dive)

Modules are the workhorses of a reusable and scalable IaC strategy. While Part 1 introduced their benefits, crafting effective modules requires adherence to specific design principles. An effective module is not just a collection of resources; it's a well-defined, understandable, and maintainable component.

  • Key Principles for Designing Effective Modules:
    • Clear Focus and Defined Purpose (Single Responsibility):
      • Each module should have a single, clear responsibility. Avoid creating "god modules" that try to manage disparate pieces of infrastructure. For example, a module for a VPC should focus on networking components (subnets, route tables, gateways), not also try to deploy application servers within that VPC. This makes modules easier to understand, test, and reuse.
    • Avoid Thin Wrappers (Unless Justified):
      • A module should provide a meaningful abstraction or encapsulate a common pattern. Simply wrapping a single Terraform resource type without adding significant value (e.g., opinionated defaults, common tagging, related auxiliary resources) often adds unnecessary complexity. In such cases, using the resource type directly might be clearer.
      • Justification for a thin wrapper could be to enforce specific organizational standards (e.g., mandatory tags, specific encryption settings) on a widely used resource.
    • Logical Grouping of Resources:
      • Encapsulate resources that work together to provide a specific capability or logical unit of infrastructure. For instance, a database module might include the database instance itself, its parameter group, subnet group, and associated security group rules.
    • Parameterize Sparingly – Expose Only Necessary Variables:
      • Expose input variables only for values that genuinely need to vary between instances or environments where the module is used.
      • Hardcode sensible defaults or organizational standards within the module where possible. This simplifies the module's interface and reduces the configuration burden on its consumers.
      • Remember, it's generally easier to add a new variable later if needed than to remove an existing one that's widely used, as removal is a breaking change.
      • Clearly document all variables, including their types, descriptions, and default values.
    • Define Necessary and Clear Outputs:
      • Outputs are the public interface for other configurations to consume information from your module. Define outputs for values that downstream resources or other modules will need to reference (e.g., a VPC ID, a database endpoint, an application load balancer DNS name).
      • Name outputs descriptively and ensure they provide precisely what's needed, no more, no less.
    • Consider Module Size and Complexity:
      • While there's no magic number, strive for modules that are large enough to be useful but small enough to be easily understood and maintained. If a module becomes too large and complex, consider breaking it down into smaller, more focused modules.
    • Documentation is Key:
      • Every module should have clear documentation explaining its purpose, input variables (with types, descriptions, defaults), outputs, any provider requirements, and example usage. A README.md file within the module directory is standard practice.
    • Versioning:
      • If sharing modules (e.g., via a private registry or Git tags), use semantic versioning (Major.Minor.Patch) to communicate the nature of changes and manage updates safely.

2. Repository Showdown: Monorepo vs. Polyrepo for IaC

Once you have a strategy for creating modules, the next critical decision is where to store and manage your Terraform/OpenTofu code. The two primary approaches are monorepos (a single repository for multiple projects/modules/configurations) and polyrepos (multiple repositories, often one per project/module/service).

  • Defining Monorepos and Polyrepos in the IaC Context:
    • Monorepo: A single version control repository that holds the IaC for many distinct components, applications, environments, or even the entire organization's infrastructure. This could include root configurations, shared modules, and environment-specific configurations all in one place.
    • Polyrepo: Multiple version control repositories are used. Each repository might contain the IaC for a specific service, application, team, or a reusable module.
  • The Monorepo Approach:
    • Pros:
      • Unified Visibility & Atomic Changes: All infrastructure code is in one place, making it easier to search, discover, and understand dependencies. Changes that span multiple components or modules can often be made in a single atomic commit/PR, simplifying coordinated updates.
      • Easier Code Sharing & Refactoring: Shared modules or common code snippets can be easily referenced and updated. Large-scale refactoring can be more straightforward.
      • Simplified Dependency Management (Internal): Managing dependencies between internal modules can be simpler as they are all versioned together.
      • Consistent Tooling & CI/CD: Easier to enforce consistent linting, testing, and deployment pipelines across all IaC.
    • Cons:
      • CI/CD Bottlenecks & Performance: Builds and tests for the entire repository can become slow if not properly optimized (e.g., using path-based triggers).
      • Access Control Complexity: Managing granular permissions can be more challenging. GitHub's CODEOWNERS or similar features can help but might not cover all scenarios.
      • Repository Size & Checkout Times: The repository can become very large over time, increasing clone/checkout times.
      • Steeper Learning Curve (Initially): Navigating a large, multifaceted monorepo can be daunting for new team members.
      • Blast Radius (Perceived): A breaking change in a shared part of the monorepo could potentially affect many components if not carefully managed, though CI checks should mitigate this.
  • The Polyrepo Approach:
    • Pros:
      • Clear Ownership & Autonomy: Each repository typically has a clear owner or team, fostering autonomy and independent development/deployment lifecycles.
      • Smaller, Focused Repositories: Repositories are generally smaller, leading to faster clone/checkout times and easier navigation.
      • Independent Lifecycles & Versioning: Modules or services can be versioned and released independently.
      • Granular Access Control: Permissions are managed at the repository level, offering fine-grained control.
      • Optimized CI/CD: Pipelines are specific to each repository and generally faster.
    • Cons:
      • Discovery Challenges: Finding relevant code or understanding cross-repository dependencies can be more difficult.
      • Complex Dependency Management: Managing dependencies between modules or services across different repositories (e.g., ensuring compatible versions) can be challenging and may require tools like a private module registry or careful Git tagging strategies.
      • Code Duplication Risk: Common patterns or utility code might be duplicated across repositories if not actively managed through shared modules.
      • Inconsistent Tooling & Practices: Maintaining consistency in CI/CD pipelines, linting, and testing across many repositories requires deliberate effort.
      • Coordinated Changes are Harder: Changes that require updates across multiple repositories can be complex to orchestrate and deploy atomically.
  • Factors to Consider When Choosing a Repository Strategy:
    • Team Size and Structure: Smaller, co-located teams might find monorepos easier to manage initially. Larger, distributed organizations or those with distinct team boundaries might lean towards polyrepos.
    • Project Complexity and Interdependencies: Highly interconnected services might benefit from a monorepo's atomic change capabilities. Loosely coupled services might fit well in a polyrepo model.
    • Organizational Culture: Does the culture favor centralized control or distributed autonomy?
    • CI/CD Capabilities: Your CI/CD system's ability to handle monorepos efficiently (e.g., path-based triggers, parallel builds) is a key factor.
    • Existing Tooling: Leverage existing repository management tools and practices where possible.
    • Evolutionary Approach: It's possible to start with one approach and evolve. For example, start with a monorepo and spin out specific modules or services into polyrepos later if needed (or vice-versa, though consolidating into a monorepo can be more challenging).
  • Hybrid Approaches: It's also common to see hybrid strategies. For example:
    • A monorepo for application/service configurations that consume modules from separate polyrepos (one per shared module).
    • A monorepo for core platform infrastructure, with application-level infrastructure in separate repositories.

Mastering module design and making a deliberate choice about your repository strategy are critical steps towards building a mature and effective IaC practice. These decisions will profoundly impact your team's productivity, the maintainability of your codebase, and your ability to scale your infrastructure with confidence.

Next in the Series (Part 3): Practical Code Organization and Environmental Strategies.