Modules
Modules are the smallest reusable building blocks: each has a well-defined scope and must comply with organizational policy. They are designed for reuse and follow the best practices established by the organization.
Characteristics
- Small surface area — Each module manages a single cloud resource or tightly related group
- Strong defaults — Security, encryption, and logging are enabled by default
- Validated inputs — All variables include type constraints and validation rules
- Purposeful outputs — Expose only what consumers need
- Auto-documented — README generated by terraform-docs
Module Structure
```
modules/s3/bucket/
├── main.tf        # Resource definitions
├── variables.tf   # Input variables
├── outputs.tf     # Output values
├── versions.tf    # Provider constraints
├── README.md      # Auto-generated docs
└── CHANGELOG.md   # Auto-generated changelog
```
Example: S3 Bucket Module (AWS)
```hcl
# main.tf
resource "aws_s3_bucket" "this" {
  bucket = var.bucket_name
  tags   = var.bucket_tags # declared in variables.tf; was not applied before
}

# Public access is blocked unless the consumer explicitly loosens it.
resource "aws_s3_bucket_public_access_block" "this" {
  bucket                  = aws_s3_bucket.this.id
  block_public_acls       = var.block_public_acls
  block_public_policy     = var.block_public_policy
  ignore_public_acls      = var.ignore_public_acls
  restrict_public_buckets = var.restrict_public_buckets
}

resource "aws_s3_bucket_versioning" "this" {
  bucket = aws_s3_bucket.this.id
  versioning_configuration {
    status = var.bucket_versioning_status
  }
}

# Only created when the consumer supplies at least one lifecycle rule.
resource "aws_s3_bucket_lifecycle_configuration" "this" {
  count  = length(var.lifecycle_rules) > 0 ? 1 : 0
  bucket = aws_s3_bucket.this.id

  dynamic "rule" {
    for_each = var.lifecycle_rules
    content {
      id     = rule.value.id
      status = rule.value.status
    }
  }
}
```
```hcl
# variables.tf
variable "bucket_name" {
  type        = string
  description = "The bucket name."
}

variable "bucket_tags" {
  type        = map(string)
  default     = {} # optional; tags must be strings
  description = "A map of tags to assign to the bucket."
}

variable "block_public_acls" {
  type        = bool
  default     = true
  description = "Whether Amazon S3 should block public ACLs for this bucket."
}

variable "block_public_policy" {
  type        = bool
  default     = true
  description = "Whether Amazon S3 should block public bucket policies."
}

variable "ignore_public_acls" {
  type        = bool
  default     = true
  description = "Whether Amazon S3 should ignore public ACLs."
}

variable "restrict_public_buckets" {
  type        = bool
  default     = true
  description = "Whether Amazon S3 should restrict public bucket policies."
}

variable "bucket_versioning_status" {
  type        = string
  default     = "Disabled"
  description = "Versioning state: Enabled, Suspended, or Disabled."
}

variable "lifecycle_rules" {
  # Object type instead of list(any): each rule must carry the attributes main.tf reads.
  type = list(object({
    id     = string
    status = string
  }))
  default     = []
  description = "List of lifecycle rules; each has an id and a status (Enabled or Disabled)."
}
```
Notice how public access is blocked by default. Modules should be secure by default — consumers must explicitly opt in to less restrictive settings, which keeps every loosened control visible in their own configuration and in code review.
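The "validated inputs" and "strong defaults" characteristics can be enforced in the module itself rather than by convention. As an added example (not code from the original page), the block below shows a `validation` rule for `bucket_versioning_status` and a `terraform test` file (Terraform 1.7+ syntax, using a mocked AWS provider so no credentials or API calls are needed) that checks the public-access defaults hold when a consumer sets nothing and that an invalid versioning state is rejected. The bucket name and tag values are constructed sample values.

```hcl
# variables.tf: replace the existing declaration with one that constrains the value
variable "bucket_versioning_status" {
  type        = string
  default     = "Disabled"
  description = "Versioning state: Enabled, Suspended, or Disabled."

  validation {
    condition     = contains(["Enabled", "Suspended", "Disabled"], var.bucket_versioning_status)
    error_message = "bucket_versioning_status must be one of Enabled, Suspended, or Disabled."
  }
}

# tests/defaults.tftest.hcl: run with `terraform test` from the module directory
mock_provider "aws" {} # plan against a mock, so the test runs offline

variables {
  bucket_name = "example-module-test-bucket" # constructed sample value
  bucket_tags = { owner = "platform-team" }   # constructed sample value
}

run "public_access_blocked_by_default" {
  command = plan

  # None of the block_public_* variables are set, so the defaults are under test.
  assert {
    condition = (
      aws_s3_bucket_public_access_block.this.block_public_acls &&
      aws_s3_bucket_public_access_block.this.block_public_policy &&
      aws_s3_bucket_public_access_block.this.ignore_public_acls &&
      aws_s3_bucket_public_access_block.this.restrict_public_buckets
    )
    error_message = "All four public access block settings must be true unless the consumer opts out."
  }
}

run "invalid_versioning_state_is_rejected" {
  command = plan

  variables {
    bucket_versioning_status = "On" # not a valid state; the validation block must reject it
  }

  # The run passes only if the named variable's validation fails.
  expect_failures = [var.bucket_versioning_status]
}
```

Running this in CI on every module change turns the "secure by default" promise into a regression test: loosening a default without updating the test fails the pipeline.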
Available Module Categories
| Category | Examples |
|---|---|
| Storage | S3 Bucket, EFS |
| Database | RDS PostgreSQL, Parameter Group, RDS Alarms |
| Compute | EC2 Instance, EKS Cluster, Karpenter |
| Networking | Security Groups (Static/Dynamic), VPC Peering |
| Container | ECR Repository, ECR Pull-Through Cache |
| Messaging | Amazon MQ, SES, Pinpoint |
| Observability | CloudWatch Alarms, Instance Dashboards |
| Security | IRSA, Pod Identity, Roles |