Skills
Terraform
Reusable modules, remote state, CI/CD gating, and drift detection. Infrastructure as code that's actually maintainable at team scale.
What I work on
- Module design with minimal, well-chosen interfaces. A module with 40 variables is undocumented in practice, whatever its README says: nobody knows which knobs are safe to turn.
- Remote state with S3 + DynamoDB (for state locking) or GCS. State boundaries drawn by blast radius and ownership, not by resource type.
- CI gating: plan on PR, apply on merge. Hard fail the pipeline on any unexpected destroy or replace before it reaches production.
- Drift detection via scheduled plans. Alert on any non-empty plan so drift doesn't compound silently between applies.
- Policy as code with tfsec, Checkov, or OPA/Conftest in CI pipelines.
What breaks in real life
Surprise destroys on refactor
Implicit dependencies hide ordering until you rename something, and renaming a resource address without a `moved` block plans as a destroy plus a create. Gate applies with a human review on any planned destroy.
Monolithic state
One state for an entire environment means a bad apply can touch everything at once. Split by lifecycle, ownership, and blast radius.
Over-abstracted modules
Adding variables to things that never change makes modules harder to use, not easier. Hardcoded values are honest when the value never varies.
Circular dependencies
Splitting state by resource type (all S3 in one state, all IAM in another) creates cross-state coupling: the IAM state needs bucket ARNs for policies, the S3 state needs role ARNs for bucket policies, and the remote-state lookups turn into a cycle. Split by team ownership instead.
Patterns I reach for
- Run `terraform graph | dot -Tsvg` before big refactors to catch fan-out and cycles early
- Gate destroys: `terraform show -json tfplan | jq` to catch unintended deletes before apply
- tfsec and Checkov in CI with hard-fail on HIGH severity findings
- Workspace patterns for multi-environment with shared modules
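The destroy gate and drift check from the CI bullets above, and the `terraform show -json tfplan | jq` pattern, written out as an added Python example. This is not code from the page: it assumes the plan JSON has already been produced by `terraform show -json tfplan` and saved to a file, and `ALLOW_DESTROY` is a hypothetical CI variable holding the resource addresses a reviewer has approved for destruction on this PR. The embedded plan is a constructed, abridged sample.

```python
"""Plan gate for a Terraform CI pipeline (added example, not from the page).

Reads the JSON produced by `terraform show -json tfplan`, tallies planned
actions, flags drift for scheduled runs, and fails on any destroy or replace
whose resource address has not been explicitly approved.
"""
import json
import os
import sys
from collections import Counter

# Constructed, abridged sample of `terraform show -json tfplan` output; only the
# fields this gate reads are present. Not taken from a real plan.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs",
         "change": {"actions": ["no-op"]}},
        {"address": "aws_iam_role.ci",
         "change": {"actions": ["update"]}},
        # ["delete", "create"] is Terraform's encoding of a destroy-then-create
        # replacement; ["create", "delete"] is create_before_destroy.
        {"address": "aws_db_instance.main",
         "change": {"actions": ["delete", "create"]}},
        {"address": "aws_security_group.legacy",
         "change": {"actions": ["delete"]}},
    ],
})


def classify(actions):
    """Collapse a resource_change.actions list to one label."""
    s = set(actions)
    if s == {"create", "delete"}:
        return "replace"
    if len(s) == 1 and next(iter(s)) in ("no-op", "read", "create", "update", "delete"):
        return next(iter(s))
    return "unknown"


def summarize(plan_json):
    """Return (Counter of labels, list of (address, label) for delete/replace)."""
    plan = json.loads(plan_json)
    counts = Counter()
    destructive = []
    # An empty plan may omit resource_changes entirely.
    for rc in plan.get("resource_changes", []):
        label = classify(rc["change"]["actions"])
        counts[label] += 1
        if label in ("delete", "replace"):
            destructive.append((rc["address"], label))
    return counts, destructive


def has_drift(counts):
    """Scheduled-plan check: anything beyond no-op/read means live state drifted."""
    return any(n for label, n in counts.items() if label not in ("no-op", "read"))


def gate(plan_json, allow_destroy=frozenset()):
    """Return (ok, report_lines). ok is False if any delete/replace is not allowlisted."""
    counts, destructive = summarize(plan_json)
    report = [f"plan: {dict(counts)}"]
    if has_drift(counts):
        report.append("drift: plan is not empty")
    blocked = [(a, l) for a, l in destructive if a not in allow_destroy]
    for addr, label in destructive:
        status = "approved" if addr in allow_destroy else "BLOCKED"
        report.append(f"{label}: {addr} ({status})")
    return not blocked, report


def main(argv):
    # Plan JSON path as the first argument; falls back to the embedded sample.
    data = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN_JSON
    # ALLOW_DESTROY is a hypothetical CI variable: comma-separated addresses a
    # reviewer has approved for destruction on this PR.
    allow = frozenset(a.strip() for a in os.environ.get("ALLOW_DESTROY", "").split(",") if a.strip())
    ok, report = gate(data, allow)
    print("\n".join(report))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the PR pipeline this runs as `terraform plan -out=tfplan && terraform show -json tfplan > plan.json && python plan_gate.py plan.json`, and the non-zero exit is what blocks the merge. For the scheduled drift run, `terraform plan -detailed-exitcode` already exits 2 on a non-empty plan, so the summary lines here are what you attach to the alert rather than the only signal.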