You wouldn’t deploy code without testing it, right? So why would you push infrastructure changes without making sure they work?
Terraform makes it easy to define infrastructure, but one wrong line of code can delete everything. That’s why testing Terraform configurations is essential—to catch issues before they reach production.
In this post, we’ll cover:
- Why testing Terraform matters.
- Unit testing, validation, and security checks for Terraform.
- How to automate Terraform testing in CI/CD.
Let’s make sure your Terraform deployments don’t explode in production.
1. Why Test Terraform Configurations?
Terraform’s powerful, but also dangerous if you’re not careful. Without proper testing, you risk:
- Deleting critical infrastructure because of a typo.
- Breaking production environments with bad config changes.
- Misconfiguring security settings, exposing your cloud to attacks.
With testing, you can deploy Terraform confidently.
2. Terraform Built-in Testing: Validate & Plan
Terraform has two built-in ways to check your configs before applying changes:
Step 1: Validate Your Terraform Configs
terraform validate
Checks for syntax errors and invalid configurations.
Step 2: Run terraform plan Before apply
terraform plan
Shows what Terraform will change—before making any modifications.
Pro Tip: If terraform plan shows unintended deletions, fix your state file before applying changes!
3. Unit Testing Terraform with terraform test
Terraform 1.6+ introduced built-in unit testing using terraform test!
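Example: Terraform Test File (main.tftest.hcl)

```hcl
# terraform test only loads files ending in .tftest.hcl (or .tftest.json).
run "check_vm_size" {
  command = plan # assert on planned values without creating resources
  assert {
    condition     = aws_instance.example.instance_type == "t2.micro"
    error_message = "Instance type should be t2.micro!"
  }
}
```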
Run Terraform Tests
terraform test
Pass? Great! Fail? Fix your config before applying.
4. Advanced Testing with Terratest (Go-Based Testing)
For deeper testing, use Terratest, a Go-based testing framework for Terraform.
Step 1: Install Go & Terratest
```bash
go mod init my-terraform-tests
go get github.com/gruntwork-io/terratest
```
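Step 2: Write a Terraform Test (main_test.go)

```go
package test

import (
	"testing"

	"github.com/gruntwork-io/terratest/modules/terraform"
)

func TestTerraformDeployment(t *testing.T) {
	options := &terraform.Options{
		// Directory containing the Terraform configuration under test.
		TerraformDir: "../terraform",
	}

	// Tear the infrastructure down when the test ends, even if it fails.
	defer terraform.Destroy(t, options)

	// Run terraform init and terraform apply; any error fails the test.
	terraform.InitAndApply(t, options)
}
```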
Step 3: Run the Test
go test -v
Runs Terraform, checks for failures, and destroys infra afterward.
Why Use Terratest?
- Runs terraform apply and verifies outputs.
- Checks for real-world infrastructure issues.
- Prevents bad deployments before they happen.
5. Security Testing for Terraform
Terraform security misconfigurations can expose your cloud to threats. Use these tools to prevent security issues!
Step 1: Scan for Security Risks with tfsec
tfsec .
Finds misconfigurations, like open S3 buckets or weak IAM policies.
Step 2: Enforce Compliance with Checkov
checkov -d .
Ensures your Terraform meets security best practices.
Example Checkov Warning:
WARNING: S3 Bucket allows public access! Fix your policy.
Fix the findings these scanners report, and Terraform won’t expose sensitive resources!
6. Automating Terraform Tests in CI/CD
Integrate Terraform testing into CI/CD pipelines to catch issues before deployment.
Example: Terraform Testing in GitHub Actions
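```yaml
name: Terraform Testing

on:
  pull_request:
    branches:
      - main

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v2

      - name: Install Terraform
        uses: hashicorp/setup-terraform@v1

      # validate and plan both need an initialized working directory
      - name: Terraform Init
        run: terraform init

      - name: Validate Terraform
        run: terraform validate

      - name: Terraform Plan
        run: terraform plan

      # assumes tfsec has already been installed on the runner
      - name: Run Security Scans
        run: tfsec .
```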
Now, Terraform changes are tested automatically!
7. Common Terraform Testing Pitfalls & How to Avoid Them
Issue | Solution |
---|---|
Forgetting to run terraform validate | Always validate configs before applying changes. |
Skipping terraform plan | Run a plan before every apply to catch surprises. |
Deploying untested changes | Use terraform test and Terratest for validation. |
Ignoring security risks | Use tfsec and Checkov to scan for vulnerabilities. |
Not integrating Terraform tests in CI/CD | Automate testing with GitHub Actions, Azure DevOps, or Jenkins. |
Pro Tip: If Terraform wants to delete something unexpected, stop and check the state file before proceeding!
Wrapping Up
Terraform testing isn’t optional—it’s essential for preventing costly infrastructure failures.
Quick Recap:
- Use terraform validate to catch syntax errors.
- Run terraform plan before applying changes.
- Use terraform test for unit testing Terraform configs.
- Run security scans with tfsec and Checkov.
- Automate Terraform testing in CI/CD pipelines.
Now, go test your Terraform before it tests you!
What’s Next?
Testing is great, but how do you monitor Terraform-provisioned infrastructure after deployment? In the next post, “Monitoring Infrastructure Provisioned with Terraform,” we’ll explore how to use CloudWatch, Azure Monitor, Prometheus, and Grafana to keep track of Terraform-managed resources.