Technical Deep-Dive: Building 'Golden Path' Modules with Terraform and OPA
Source: Dev.to
Introduction
Infrastructure as Code (IaC) at scale requires moving from “copy‑paste” Terraform to a modular, policy‑driven architecture. When you have 50+ developers, manually reviewing every S3 bucket or RDS instance isn’t feasible—you need a system that is secure by default and automatically enforced.
The “Golden Path” Module Pattern
Instead of letting developers use the raw aws_s3_bucket resource, we provide a Golden Path module that encapsulates the company’s security standards (encryption, versioning, public‑access blocks). Developers simply reference the module and don’t have to think about the underlying safeguards.
“Senior” Module Structure
# modules/secure-s3/main.tf
resource "aws_s3_bucket" "this" {
bucket = var.bucket_name
# Hard‑coded security – developers can’t override these to false
}
resource "aws_s3_bucket_public_access_block" "this" {
bucket = aws_s3_bucket.this.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
bucket = aws_s3_bucket.this.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}Policy as Code (The Guardrail)
Even with modules, someone might try to bypass them or use a raw resource. Open Policy Agent (OPA) or Terraform Cloud Sentinel can enforce guardrails. The following Rego policy fails any plan containing an S3 bucket with public‑read access:
package terraform.policies
deny[msg] {
resource := input.resource_changes[_]
resource.type == "aws_s3_bucket"
resource.change.after.acl == "public-read"
msg = sprintf("Resource %v has a public-read ACL. This is forbidden.", [resource.address])
}Implementing the “Promotion” Workflow
A promotion pipeline mirrors the software development lifecycle:
| Stage | Action | Validation |
|---|---|---|
| Commit | tflint & terraform fmt | Syntax and linting check |
| Plan | terraform plan | OPA policy check (security) |
| Staging | terraform apply | Integration testing (Infracost) |
| Production | Manual gate / promotion | Final sanity check |
Handling State at Scale
Avoid local state or individual S3 backends per project. Senior engineers should implement:
- Remote State Management – Centralized in Terraform Cloud, Spacelift, or an enterprise‑grade S3/DynamoDB setup.
- State Locking – Prevents concurrent corruptions.
- Decoupling – Break large state files into smaller, environment‑specific stacks to reduce the “blast radius” of a failed apply.
Takeaway
Seniority is about reducing cognitive load for teammates. By providing pre‑hardened modules and automated policy checks, developers can move fast without risking a data breach.
What does your “Golden Path” look? Do you prefer OPA, Terragrunt, or native Terraform modules? Share your thoughts below.