Use configuration management
Use configuration management to manage, automate and standardise your infrastructure. When using configuration management, you store your infrastructure as code in a version control system such as Git.
The use of Puppet at GDS is diminishing as we move more of our infrastructure to containers and higher level services. It’s mainly still in use on GOV.UK, but this will decline as more services are moved over to AWS ECS.
If your environment consists of a simple deployment artefact like an Amazon Machine Image (AMI), Puppet may not be necessary, but the process for building that artefact must still be codified and version controlled.
Due to the high rate of change in many cloud provider offerings, we recommend you keep your Terraform versions and codebases up to date. A version manager such as tfenv, already used by a number of GDS teams, can help you support multiple versions.
There are a number of Terraform-focused static analysis tools in use at GDS. While none of them are yet ubiquitous, they can help ensure your code is more idiomatic, consistent and secure, and you should consider the benefits they could bring to your build pipelines.
checkov - “detects security and compliance misconfigurations”
tfsec - “spots potential security issues”
tflint - “linter focused on possible errors, best practices and so on.”
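As an added example (not code from this page or from a GDS project), the following POSIX shell pipeline step runs the three tools above over a directory of Terraform code and fails the build if any of them reports findings or is missing. It assumes checkov, tfsec and tflint are installed in the build image and that the tflint version supports the --chdir flag.

```shell
#!/usr/bin/env sh
# Added example, not GDS code: a build-pipeline step that runs checkov, tfsec
# and tflint over a Terraform directory and fails the build on any finding.
# Assumes the three tools are on PATH and tflint supports --chdir.
set -u

# Space-separated names of tools that failed or were missing.
FAILED_TOOLS=""

# run_tool NAME CMD [ARGS...]: run one scanner and record a failure instead of
# exiting, so every tool's findings reach the build log, not only the first.
run_tool() {
  name="$1"; shift
  if ! command -v "$1" >/dev/null 2>&1; then
    # A missing scanner counts as a failure: otherwise a broken build image
    # would silently switch the security gate off.
    echo "$name: not installed"
    FAILED_TOOLS="${FAILED_TOOLS}${FAILED_TOOLS:+ }$name"
    return 1
  fi
  "$@"
  status=$?
  if [ "$status" -eq 0 ]; then
    echo "$name: no findings"
    return 0
  fi
  echo "$name: findings reported (exit status $status)"
  FAILED_TOOLS="${FAILED_TOOLS}${FAILED_TOOLS:+ }$name"
  return 1
}

# scan_terraform_dir DIR: run all three tools, then fail once with a summary.
scan_terraform_dir() {
  dir="${1:-.}"
  FAILED_TOOLS=""
  run_tool checkov checkov -d "$dir"
  run_tool tfsec tfsec "$dir"
  run_tool tflint tflint --chdir "$dir"
  if [ -n "$FAILED_TOOLS" ]; then
    echo "Terraform static analysis failed: $FAILED_TOOLS"
    return 1
  fi
  echo "Terraform static analysis passed for $dir"
}

# When executed directly with a directory argument, scan that directory.
if [ "$#" -gt 0 ]; then
  scan_terraform_dir "$1"
fi
```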
Find out more about configuration management in the Service Manual.