In a blog post titled “How to write and rightsize Terraform modules”, HashiCorp shares a comprehensive framework for creating maintainable, scalable modules in the Terraform ecosystem. Author Mitch Pronschinske draws on insights from consultant Rene Schach’s HashiDays 2025 session to focus on four key pillars: module scope, code strategy, security, and testing.
According to the post, module design starts with carefully understanding the target users and use cases. Module consumers might include development teams, platform engineers, or security specialists, but each module should have a clear purpose and minimal coupling. HashiCorp recommends separating infrastructure components that change frequently from those that are stable, aligning module lifecycle to resource volatility. For example, compute instances and disks might live in one module while long-lived networking infrastructure resides in another.
On the code structure front, the post advises treating modules like software artifacts: version them semantically, structure files purposefully, provide examples and documentation, and mirror provider schemas rather than diverge needlessly. Good module design, according to the guide, helps simplify upgrades, makes intent clear to new contributors, and reduces drift over time.
Security and testing are also flagged as core concerns. Pronschinske urges teams to validate inputs early using Terraform’s variable validation blocks, adopt policy-as-code frameworks such as Sentinel or OPA, and integrate testing into CI/CD pipelines using the native “terraform test” command. Modules that expose fewer inputs, provide sensible defaults, and enforce guardrails are less likely to be misused or introduce risk.
HashiCorp’s guide offers a structured set of best practices for Terraform module authors who are working within large organizations or platforms. By focusing on user-centred design, cohesive module boundaries, software-style governance, security checks, and integration with testing pipelines, the blog aims to help teams tailor their infrastructure-as-code practice for greater reusability and maintainability at scale.
In contrast, common anti-patterns include creating monolithic root modules that bundle many resources across unrelated domains, leading to inflated state files, brittle updates, and high coupling. Another anti-pattern is modules that assume broad flexibility without guardrails – where every attribute is exposed, every variable is uncontrolled, and which lack versioning, testing, and documentation, making upgrades risky and onboarding slower.
By juxtaposing these, it becomes clear that teams should strive for modules that are cohesive, minimally coupled, version-controlled, and tested, rather than sprawling, untested, and overloaded with variables. This reduces technical debt, improves predictability and maintainability, and aligns Terraform module design with software engineering best practices, as HashiCorp’s guidance suggests.
While these best practices are insightful, they are not necessarily unknown. A feature article in The New Stack in 2024 gathered insights from infrastructure engineers on best practices for module development. While not addressing “rightsizing” per se, the article reinforced many of the themes in HashiCorp’s blog, notably the importance of modular boundaries and versioning.
Similarly, a series of blog posts by Spacelift that pre-dated HashiCorp’s blog discusses common failings in Terraform module design, such as overly broad modules and the absence of testing, effectively serving as criticism of what HashiCorp is trying to remedy.
Together, these sources show that the themes HashiCorp highlights (module scope, software-style discipline, testing) resonate with the broader community’s concerns. They also suggest that module design remains a pain point for many teams, and HashiCorp’s guidance is arriving amid interest in Terraform module governance and maintainability.
![[Webinar] Learn How Leading Security Teams Reduce Attack Surface Exposure with DASR](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb7usGljMR3vSfxxk9XeKY39fUcIRMFDq6GOy0OEA_AK7P4ybAoHwl9Ga45OJ5pZPzpDhwqZ0D6PKEI-IFFifcl-NWBM5ymJ6wcNSyL3bneCMbRbVGz1ca3MIaKDHWbNvOVzK1LinCOt0RLYF1-zb_Zy11bGddkRxowymBu754CFJDpCDIreh4iiGF4loK/s790-rw-e365/cyberteams.jpg "[Webinar] Learn How Leading Security Teams Reduce Attack Surface Exposure with DASR")
