Terraform quick start
General guidance only. Keep your state backend secure and use least‑privilege IAM. Replace names and regions with your own. Each environment is initialized independently.
HIPAA‑compliance‑ready infrastructure
Field‑tested Terraform modules to stand up secure AWS foundations for healthcare SaaS. Per‑environment state, least‑privilege IAM, encrypted data stores, and auditable networking.
Prereqs
- Terraform ≥ 1.5 installed.
- AWS CLI configured with an IAM user or role that can provision the selected resources.
- Remote state bucket and DynamoDB table created for state locking, or adapt backend.tf for your backend.
Repository layout
This template expects a customer/environment/region layout with per‑env state and variables. Example path:
terraform/
  customers/sample-customer/
    dev/us-east-1/
      backend.tf
      providers.tf
      variables.tf
      locals.tf
      main.tf
      vpc.tf
      ssm_parameter.tf
    images/
      Architecture.png
    qa/
    prod/
  modules/
    vpc/ ecs_cluster/ lb/ db/ iam/ ses/ vpn/ waf/ cloudwatch/ github/ ...
  example-tfvars/
    dev.us-east-1.tfvars
    qa.us-east-1.tfvars
    prod.us-east-1.tfvars
Initialize an environment
- Change into the environment directory, e.g. terraform/customers/sample-customer/dev/us-east-1.
- Review and set your backend in backend.tf (S3 + DynamoDB recommended) and providers in providers.tf.
- Copy the matching example tfvars and edit values:
    cp ../../../example-tfvars/dev.us-east-1.tfvars ./dev.us-east-1.tfvars
- Pick modules inside main.tf as needed for your stack. Keep variables in variables.tf and computed values in locals.tf.
- Initialize:
    terraform init
Plan and apply
terraform workspace new dev || terraform workspace select dev
terraform validate
terraform fmt -check
terraform plan -var-file=dev.us-east-1.tfvars -out=plan.tfplan
terraform apply plan.tfplan
Repeat for qa and prod with their own directories and tfvars. Use workspaces only if you understand their implications; separate directories are preferred.
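The backend and provider files the steps above refer to, written out as an added example (not the template's own files): an S3 + DynamoDB backend with encrypted state, a pinned provider with the required tags applied by default, and a least‑privilege IAM policy for the identity that runs terraform in this one environment. Bucket, table, role and tag values, the account id 123456789012 and the KMS key ARN are assumptions and placeholders; the IAM policy would normally be applied from a bootstrap configuration rather than from the environment it protects.

```hcl
# --- backend.tf (example) ---
# Remote state in S3 with server-side encryption and DynamoDB locking.
# Bucket, table and key names are assumptions; replace with your own.
terraform {
  required_version = ">= 1.5"

  backend "s3" {
    bucket         = "example-tfstate-sample-customer"                     # assumed bucket name
    key            = "customers/sample-customer/dev/us-east-1/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "example-tfstate-locks"                               # assumed lock table (hash key: LockID)
    encrypt        = true                                                  # SSE on every state object
    # kms_key_id   = "arn:aws:kms:us-east-1:123456789012:key/<placeholder>" # optional customer-managed key
  }
}

# --- providers.tf (example) ---
# Pin the provider range; default_tags puts the required tags on every resource
# so a forgotten tags block cannot produce an untagged resource.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"

  default_tags {
    tags = {
      project     = "sample-customer"
      environment = "dev"
      owner       = "platform-team"   # assumed value
      cost-center = "healthcare-saas" # assumed value
    }
  }
}

# --- policy for the role that runs terraform in dev/us-east-1 (example) ---
# Only what the S3 backend needs, scoped to this environment's state key and
# the lock table. One role per environment keeps a dev run away from prod state.
data "aws_iam_policy_document" "tfstate_access" {
  statement {
    sid       = "ListStateBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::example-tfstate-sample-customer"]
  }

  statement {
    sid       = "ReadWriteThisEnvState"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = ["arn:aws:s3:::example-tfstate-sample-customer/customers/sample-customer/dev/us-east-1/*"]
  }

  statement {
    sid       = "StateLockTable"
    actions   = ["dynamodb:DescribeTable", "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem"]
    resources = ["arn:aws:dynamodb:us-east-1:123456789012:table/example-tfstate-locks"] # placeholder account id
  }
}

resource "aws_iam_policy" "tfstate_access" {
  name   = "sample-customer-dev-tfstate-access"
  policy = data.aws_iam_policy_document.tfstate_access.json
}
```

A quick check after init: `terraform state pull` should succeed with this role and fail with the same role against the qa or prod key, which confirms the object‑level scoping works as intended.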
State and parameters
- Use SSM Parameter Store for non‑secret configuration shared with apps. Keep secrets in Secrets Manager or an external vault.
- Tag everything: project, environment, owner, cost‑center.
- Enable CloudTrail and Config in the account for auditing.
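An added example of the parameter and secret handling described in this list (not the template's ssm_parameter.tf; parameter names, values and the secret name are assumptions): non‑secret settings go to Parameter Store as plain String parameters, the database password stays in Secrets Manager and is only referenced by name, and the role that reads them gets a policy limited to exactly those ARNs.

```hcl
# ssm_parameter.tf (example): non-secret configuration shared with the app.
# Names and values are assumptions.
resource "aws_ssm_parameter" "app_config" {
  for_each = {
    api_base_url = "https://api.dev.example.com" # assumed value
    log_level    = "info"
  }

  name  = "/sample-customer/dev/app/${each.key}"
  type  = "String" # non-secret; never put credentials here
  value = each.value
}

# The secret itself is created and rotated outside Terraform. The data source
# below reads only metadata (ARN, name), so no secret value enters the state file.
# Do not use data "aws_secretsmanager_secret_version" here: it stores the value in state.
data "aws_secretsmanager_secret" "db_password" {
  name = "/sample-customer/dev/db/password" # assumed name
}

# Read access limited to the listed parameters and the one secret. Attach this to
# the ECS task execution role when values are injected via container `secrets`,
# or to the task role when the application calls SSM/Secrets Manager itself.
data "aws_iam_policy_document" "app_read_config" {
  statement {
    sid       = "ReadAppParameters"
    actions   = ["ssm:GetParameter", "ssm:GetParameters"]
    resources = [for p in aws_ssm_parameter.app_config : p.arn]
  }

  statement {
    sid       = "ReadDbSecret"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [data.aws_secretsmanager_secret.db_password.arn]
  }
}

resource "aws_iam_policy" "app_read_config" {
  name   = "sample-customer-dev-app-read-config"
  policy = data.aws_iam_policy_document.app_read_config.json
}

# Container definition input: ECS resolves each valueFrom ARN at task start, so
# neither the parameters nor the password are written into the task definition.
locals {
  container_secrets = concat(
    [for k, p in aws_ssm_parameter.app_config : { name = upper(k), valueFrom = p.arn }],
    [{ name = "DB_PASSWORD", valueFrom = data.aws_secretsmanager_secret.db_password.arn }],
  )
}
```

Run `terraform show -json | grep -c password` after apply as a sanity check: the secret name and ARN may appear, the value must not.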
Troubleshooting
- Error acquiring state lock: release the lock in DynamoDB after confirming no other run is active.
- Module version drift: pin source SHAs or tags for stability.
- ALB or ECS task cannot reach DB: verify route tables for private subnets and security group rules.