
Terraform + UpCloud — Checklist

OWNER: arjan
ALSO_USED_BY: gerco, thijmen, rutger
LAST_VERIFIED: 2026-03-26
GE_STACK_VERSION: terraform ~> 1.14.x, upcloud provider ~> 5.0


PRE-APPLY CHECKLIST (every apply)

  • [ ] CHECK: Correct workspace selected (terraform workspace show)
    IF_SKIPPED: resources created in wrong zone
    ADDED_FROM: near-miss-wrong-workspace-2026-02
  • [ ] CHECK: terraform plan reviewed with no unexpected changes
    IF_SKIPPED: unintended resource modifications or deletions
  • [ ] CHECK: .terraform.lock.hcl matches committed version
    IF_SKIPPED: provider version mismatch, state corruption
    ADDED_FROM: provider-5.0-upgrade-2026-01
  • [ ] CHECK: No sensitive values hardcoded in .tfvars files
    IF_SKIPPED: credential leak in git
  • [ ] CHECK: Zone 2+3 applies have arjan's approval
    IF_SKIPPED: uncoordinated production changes

NEW RESOURCE CHECKLIST

  • [ ] CHECK: Resource name follows ge-{zone}-{component}-{qualifier} pattern
    IF_SKIPPED: naming inconsistency, hard to identify resources
  • [ ] CHECK: All required tags applied (ge.zone, ge.managed-by, ge.component, ge.owner)
    IF_SKIPPED: untagged resources are invisible to cost tracking
  • [ ] CHECK: Stateful resources have lifecycle.prevent_destroy = true
    IF_SKIPPED: accidental deletion risk
    ADDED_FROM: near-miss-db-destroy-2026-02
  • [ ] CHECK: Resource is EU-hosted (UpCloud zone nl-ams1 or another EU zone; the UpCloud zone is not the GE zone number used in resource names)
    IF_SKIPPED: data sovereignty violation
  • [ ] CHECK: Server has only private network interface (unless load balancer)
    IF_SKIPPED: direct public exposure of internal services
  • [ ] CHECK: Firewall rules end with an explicit drop rule for each address family (IPv4 and IPv6) as the last rules
    IF_SKIPPED: traffic that matches no rule is accepted, and an IPv4-only drop still leaves IPv6 open
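A root-level example of the new-resource checks above, added here and not taken from the wiki or from the provider's docs: one zone-2 app server with a single private interface, the required labels, a data volume protected by prevent_destroy, and a per-server firewall that ends in one drop rule per address family. The names, the 10.2.0.0/24 range, the plan and storage sizes and the OS template title are assumptions; the dotted label keys are copied from the checklist's tag names.

```hcl
# Added example (not the wiki's code). Names, sizes, the address range and the
# template title are assumptions.

locals {
  required_labels = {
    "ge.zone"       = "2"
    "ge.managed-by" = "terraform"
    "ge.component"  = "app"
    "ge.owner"      = "arjan"
  }
}

# Private network the server lives on; nothing here attaches a public interface.
resource "upcloud_network" "ge_2_app" {
  name = "ge-2-app-net"
  zone = "nl-ams1"            # EU-hosted UpCloud zone

  ip_network {
    address = "10.2.0.0/24"   # assumed range
    dhcp    = true
    family  = "IPv4"
  }
}

# Persistent data disk: stateful, so no plan may destroy it.
resource "upcloud_storage" "ge_2_app_data" {
  title = "ge-2-app-data"
  zone  = "nl-ams1"
  size  = 50
  tier  = "maxiops"

  lifecycle {
    prevent_destroy = true    # near-miss-db-destroy-2026-02
  }
}

resource "upcloud_server" "ge_2_app_01" {
  hostname = "ge-2-app-01"    # ge-{zone}-{component}-{qualifier}
  title    = "ge-2-app-01"
  zone     = "nl-ams1"
  plan     = "2xCPU-4GB"
  firewall = true             # enables the per-server firewall so the rules below apply
  labels   = local.required_labels

  template {
    storage = "Ubuntu Server 24.04 LTS (Noble Numbat)"  # assumed template title
    size    = 25
  }

  # Exactly one interface, and it is private: no "public" or "utility" block.
  network_interface {
    type    = "private"
    network = upcloud_network.ge_2_app.id
  }

  storage_devices {
    storage = upcloud_storage.ge_2_app_data.id
    address = "virtio"
    type    = "disk"
  }
}

resource "upcloud_firewall_rules" "ge_2_app_01" {
  server_id = upcloud_server.ge_2_app_01.id

  # Allow SSH only from hosts on the private network.
  firewall_rule {
    action                 = "accept"
    comment                = "ssh from ge-2-app-net"
    direction              = "in"
    family                 = "IPv4"
    protocol               = "tcp"
    source_address_start   = "10.2.0.1"
    source_address_end     = "10.2.0.254"
    destination_port_start = "22"
    destination_port_end   = "22"
  }

  # Default deny: one catch-all drop per address family, kept last in the list.
  # A single IPv4 drop would leave inbound IPv6 unfiltered.
  firewall_rule {
    action    = "drop"
    comment   = "default deny IPv4"
    direction = "in"
    family    = "IPv4"
  }

  firewall_rule {
    action    = "drop"
    comment   = "default deny IPv6"
    direction = "in"
    family    = "IPv6"
  }
}
```

Rules are evaluated in order, so anything that must be reachable goes above the two drop rules; outbound traffic is left unrestricted here. A private-only server has no route to the internet on its own, so package updates need a gateway on the private network.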

MODULE CHECKLIST (new module)

  • [ ] CHECK: Module has variables.tf, outputs.tf, main.tf
    IF_SKIPPED: incomplete module contract
  • [ ] CHECK: All variables have description and type
    IF_SKIPPED: module consumers cannot understand inputs
  • [ ] CHECK: Sensitive variables marked sensitive = true
    IF_SKIPPED: secrets visible in plan output
  • [ ] CHECK: Sensitive outputs marked sensitive = true
    IF_SKIPPED: secrets visible in output display
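A module laid out as the checks above require, added here as an example and not the wiki's own module: variables.tf gives every input a type, a description and, where useful, a validation block; the admin password is a sensitive input and the connection URI a sensitive output. The module path, the EU zone list, the plan name and the file split are assumptions.

```hcl
# Added example: modules/ge-postgres (assumed path), shown as three files.
# Plan name and EU zone list are assumptions.

# ---------- variables.tf ----------
variable "ge_zone" {
  description = "GE deployment zone number; becomes the {zone} part of the name."
  type        = number
}

variable "component" {
  description = "Component name; the {component} part of the resource name."
  type        = string
}

variable "qualifier" {
  description = "Qualifier; the {qualifier} part of the resource name."
  type        = string
}

variable "upcloud_zone" {
  description = "UpCloud zone to deploy into; only EU zones are accepted."
  type        = string
  default     = "nl-ams1"

  validation {
    # Assumed list of EU zones; extend it when a new EU zone is approved.
    condition     = contains(["nl-ams1", "fi-hel1", "fi-hel2", "de-fra1", "es-mad1", "pl-waw1", "se-sto1"], var.upcloud_zone)
    error_message = "upcloud_zone must be an EU zone."
  }
}

variable "admin_password" {
  description = "Password for the database admin user."
  type        = string
  sensitive   = true   # redacted in plan/apply output; still written to state
}

# ---------- main.tf ----------
locals {
  name = "ge-${var.ge_zone}-${var.component}-${var.qualifier}"
}

resource "upcloud_managed_database_postgresql" "this" {
  name  = local.name
  title = local.name
  zone  = var.upcloud_zone
  plan  = "1x1xCPU-2GB-25GB"   # assumed plan

  properties {
    admin_password = var.admin_password
    public_access  = false       # reachable only over the private/utility network
  }

  lifecycle {
    prevent_destroy = true       # stateful resource
  }
}

# ---------- outputs.tf ----------
output "id" {
  description = "UUID of the managed database."
  value       = upcloud_managed_database_postgresql.this.id
}

output "service_uri" {
  description = "Connection URI; it embeds the password, so it is marked sensitive."
  value       = upcloud_managed_database_postgresql.this.service_uri
  sensitive   = true
}
```

A caller that forwards service_uri to its own output must mark that output sensitive as well, or terraform will refuse the plan.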

STATE MANAGEMENT CHECKLIST

  • [ ] CHECK: Remote backend configured with encryption and restricted access
    IF_SKIPPED: state stores every value in plaintext, including variables and outputs marked sensitive = true (that flag only redacts display), so an exposed state file is a credential leak
  • [ ] CHECK: State bucket has versioning enabled
    IF_SKIPPED: no rollback if state corrupted
  • [ ] CHECK: terraform plan -detailed-exitcode run weekly for drift detection (exit code 2 = changes pending, i.e. drift; 1 = error; 0 = clean)
    IF_SKIPPED: infrastructure drift goes unnoticed
    ADDED_FROM: staging-firewall-drift-2026-02
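A backend block for the state checks above, added here as an example and not the wiki's own backend configuration. It points Terraform's s3 backend at UpCloud's S3-compatible object storage; the bucket name, state key and endpoint host are assumptions, and whether the endpoint honours the server-side encryption header that encrypt = true sends is something to confirm against the bucket, not something this block proves.

```hcl
# Added example (not the wiki's backend). Bucket, key and endpoint host are
# assumptions. Credentials come from AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
# in the environment; never put access_key / secret_key in this block.
terraform {
  required_version = "~> 1.14.0"

  backend "s3" {
    bucket = "ge-tfstate"                          # assumed bucket name
    key    = "zone-2/terraform.tfstate"            # one key per GE zone
    region = "nl-ams1"

    endpoints = {
      s3 = "https://example.upcloudobjects.com"    # assumed endpoint host
    }
    use_path_style = true

    # Non-AWS endpoint: skip the AWS-only validations.
    skip_credentials_validation = true
    skip_region_validation      = true
    skip_requesting_account_id  = true
    skip_metadata_api_check     = true
    skip_s3_checksum            = true

    encrypt      = true   # request server-side encryption on every state write
    use_lockfile = true   # S3-native state locking (Terraform >= 1.10); no DynamoDB table
  }
}
```

Bucket versioning is a property of the bucket, not of this block: enable it on the object-storage side and confirm with a test write before relying on it for rollback.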

CROSS-REFERENCES

READ_ALSO: wiki/docs/stack/terraform-upcloud/index.md
READ_ALSO: wiki/docs/stack/terraform-upcloud/patterns.md
READ_ALSO: wiki/docs/stack/terraform-upcloud/pitfalls.md