Terragrunt for Beginners

Terragrunt Modules

Hybrid Module Approach

In this lesson, we’ll dive into the Hybrid Module Approach. Rather than relying solely on private Git repositories or exclusively on the Terraform Registry, organizations often blend both community-maintained modules and in-house custom modules. This strategy accelerates development, ensures compliance, and reduces maintenance overhead.

Why Adopt a Hybrid Module Model?

Community modules deliver battle-tested patterns for common infrastructure components—such as VPCs, security groups, and IAM roles—while custom modules allow you to tailor resources to your organization’s policies and application requirements.

Key advantages include:

  • Rapid adoption of reusable, well-supported modules for standard services
  • Ability to extend or fine-tune modules to meet project-specific needs
  • Consistent versioning of your own modules alongside community offerings

Note

Always pin module versions (version = "x.y.z" or Git commit hashes) to avoid unexpected updates in production.

Comparing Module Sources

| Source | Use Case | Example |
| --- | --- | --- |
| Terraform Registry | Standard components supported by the community | module "vpc" { source = "terraform-aws-modules/vpc/aws" } |
| Private Git Repos | Custom modules tailored to internal policies | module "app" { source = "[email protected]:org/app-module.git" } |
| Local File System | Rapid prototyping or offline development | module "db" { source = "./modules/database" } |

Best Practices for Hybrid Modules

  1. Version Control

    • Use semantic versioning for both community and custom modules.
    • Tag releases in Git and reference stable versions.
  2. Module Registry

    • Mirror public modules internally for audit and compliance.
    • Store custom modules in a private Terraform Registry or Nexus.
  3. Security and Compliance

    • Scan community modules for vulnerabilities before adoption.
    • Enforce organizational standards via pre-commit hooks or CI pipelines.
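One way to enforce the pinning rule in a pre-commit hook or CI job, as an added example that is not part of the original lesson: a Python check that flags registry modules without an exact version and Git modules without a `?ref=` tag or commit. The host git.example.com, the sample module names and the function names are assumptions, and the regex parsing only handles flat module blocks with quoted string sources.

```python
import re

MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
PINNED_REF = re.compile(r'v?\d+\.\d+\.\d+|[0-9a-f]{7,40}')  # release tag or commit SHA

def attr(body, name):
    # Quoted string value of an attribute inside a module block, or None.
    m = re.search(rf'^\s*{name}\s*=\s*"([^"]*)"', body, re.M)
    return m.group(1) if m else None

def kind(source):
    if source.startswith(("git::", "git@")) or ".git" in source:
        return "git"
    # Registry addresses are [HOST/]NAMESPACE/NAME/PROVIDER; local paths fall to "other".
    ok = re.fullmatch(r'(\w[\w.-]*/)?[\w-]+/[\w-]+/[\w-]+', source)
    return "registry" if ok else "other"

def unpinned(hcl):
    # Sorted (module, problem) pairs for every source that is not pinned.
    out = []
    for name, body in MODULE_RE.findall(hcl):
        source, version = attr(body, "source") or "", attr(body, "version")
        exact = re.fullmatch(r'\d+\.\d+\.\d+', version or "")
        if kind(source) == "registry" and not exact:
            out.append((name, "registry source needs an exact version"))
        elif kind(source) == "git":
            ref = re.search(r'[?&]ref=([^&]+)', source)
            if version is not None:
                out.append((name, "version applies only to registry sources"))
            if not ref or not PINNED_REF.fullmatch(ref.group(1)):
                out.append((name, "git source needs ?ref=<tag or commit>"))
    return sorted(out)

# Constructed sample; git.example.com and the module names are placeholders.
SAMPLE = '''
module "network" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "3.14.0"
}
module "sg" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "~> 4.0"
}
module "app" {
  source  = "git@git.example.com:your-org/app-infra-module.git"
  version = "v2.1.0"
}
module "jobs" {
  source = "git::ssh://git@git.example.com/your-org/jobs-module.git?ref=main"
}
'''
```

Calling `unpinned()` on the contents of each `.tf` file and failing the job when the list is non-empty turns the pinning note into a gate; a tag can still be moved after review, so a commit hash is the stricter pin.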

Warning

Reusing community modules without reviewing their code can introduce security risks. Always perform a security audit before deploying to production.

Example: Hybrid Module Configuration

terraform {
  required_version = ">= 1.0"
}

provider "aws" {
  region = "us-east-1"
}

module "network" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "3.14.0"

  name = "hybrid-vpc"
  cidr = "10.0.0.0/16"
}

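module "app_infrastructure" {
  # Git sources are pinned with ?ref= (a tag or commit hash); the version
  # argument applies only to modules installed from a registry.
  source = "[email protected]:your-org/app-infra-module.git?ref=v2.1.0"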

  env        = "production"
  vpc_id     = module.network.vpc_id
  subnet_ids = module.network.private_subnets
}
