Stop Scripting, Start Architecting: The OOP Approach to Terraform

TL;DR

• The Problem: Terraform codebases often suffer from "sprawl"—copy-pasted resources, tight coupling, and leaky abstractions that make scaling painful.
• The Solution: Treat Terraform Modules as Classes and Module Instances as Objects.
• Key Mapping:
  • Class → Child Module
  • Object → module block (instantiation)
  • Interface → variables.tf (inputs) and outputs.tf (getters)
  • Private State → locals and internal resources
• Best Practice: Prefer Composition (building modules from other modules) over inheritance. Use Dependency Injection by passing resource IDs (e.g., vpc_id) rather than looking them up internally with data sources.

An Object-Oriented approach to Terraform transforms messy, repetitive HCL into a scalable infrastructure architecture. By mapping OOP principles—Encapsulation, Abstraction, Composition, and Polymorphism—to Terraform modules, we can build infrastructure that is as maintainable and testable as application code.

The Problem: The Monolithic Terraform File

In the early days of a project, a single main.tf file is convenient. But as infrastructure grows, this "scripting" mindset leads to fragility. You might see hardcoded values repeated across environments, security groups defined inline with instances, and a complete lack of reusability.

When we treat Terraform purely as a configuration script, we miss the structural benefits of software engineering design patterns. We need to shift from writing scripts to architecting objects.

The Core Analogy: Modules as Classes

The fundamental unit of OOP is the Class. In Terraform, this role is filled by the Module.

{.no-wrap-col-1, .no-wrap-col-2}

Visualization: The Module Interface

We can visualize a Terraform module exactly like a class in a UML diagram.

1. Encapsulation: Hiding the Mess

OOP Principle: Hide internal complexity and state; expose only what is necessary.

Terraform Application:
A consumer of your module should not need to know that you are using three separate aws_route53_record resources to achieve a specific failover routing policy. They should only provide the domain name.

Anti-Pattern (Leaky Abstraction):
Creating a module that just passes variables through to a resource 1:1.

# BAD: This is just a wrapper. It adds no value.
module "s3_bucket" {
  source = "./modules/s3"
  bucket = "my-bucket"
  acl    = "private"
  versioning = { enabled = true }
  # ... passing every single S3 argument
}

Refactored (Encapsulated Service):
Create a "Service Module" that enforces company standards (like encryption and logging) automatically.

# GOOD: The implementation details (encryption, logging) are encapsulated.
# The user only supplies the intent.
module "secure_storage" {
  source      = "./modules/secure_bucket"
  bucket_name = "finance-logs"
  environment = "prod"
}

Inside ./modules/secure_bucket, we enforce the mandatory security settings (private logic), ensuring every instance of this "Class" adheres to compliance standards without the user needing to remember them.

2. Dependency Injection: Decoupling Modules

OOP Principle: Classes should receive their dependencies rather than creating or finding them globally.

Terraform Application:
A common mistake is using data sources inside a child module to look up network information. This couples the module to a specific environment naming convention.

Anti-Pattern (Hardcoded Dependency):

# /modules/app/main.tf
# BAD: The module relies on a hardcoded lookup logic.
data "aws_subnet" "selected" {
  vpc_id = "vpc-123456" # Hardcoded ID!
  filter {
    name   = "tag:Tier"
    values = ["App"]    # Hardcoded assumption about tagging!
  }
}

resource "aws_instance" "app" {
  subnet_id = data.aws_subnet.selected.id
  # ...
}

Refactored (Dependency Injection):
Pass the ID as a variable. The caller is responsible for knowing the context.

# /modules/app/variables.tf
variable "subnet_id" {
  description = "The subnet ID where the app will be deployed"
  type        = string
}

# /live/prod/main.tf (The Caller)
module "app" {
  source    = "../../modules/app"
  subnet_id = module.vpc.public_subnets[0] # Injecting the dependency
}

3. Composition: The "Has-A" Relationship

OOP Principle: Favor Composition over Inheritance. Build complex objects by combining simpler ones.

Terraform Application:
Terraform does not support inheritance (extends). You cannot subclass a module. Instead, you build Composite Modules.

Imagine a standard application stack. Instead of one massive file, you create an app_stack module that composes smaller, single-responsibility modules.

Code Example: Composition

The app_stack module acts as a facade, orchestrating the interaction between the network and the compute layer.

# /modules/app_stack/main.tf
module "networking" {
  source = "../networking"
  cidr   = var.cidr
}

module "compute" {
  source    = "../compute"
  subnet_id = module.networking.private_subnet_id # Wiring components together
  vpc_id    = module.networking.vpc_id
}

4. Abstraction & Reuse: The "Interface" Behavior

OOP Principle: Objects can behave differently based on their context or configuration (Polymorphism).

Terraform Application:
While Terraform lacks strict inheritance-based polymorphism, we achieve similar flexibility through Feature Toggles and Dynamic Blocks.

A single module can be instantiated to behave differently—creating a full high-availability cluster in prod or a single instance in dev—simply by passing different input variables that drive dynamic blocks or conditional logic.

# /modules/app/main.tf
# Polymorphic behavior: The shape of the infrastructure changes based on input.

variable "enable_load_balancer" {
  type    = bool
  default = false
}

resource "aws_lb_target_group" "app" {
  count = var.enable_load_balancer ? 1 : 0
  # ...
}

resource "aws_autoscaling_group" "app" {
  # ...
  target_group_arns = var.enable_load_balancer ? [aws_lb_target_group.app[0].arn] : []
}

Here, the module acts polymorphically. To the caller, it's just an "App Module", but under the hood, it morphs its structure based on the environment it lives in.

Conclusion

Treating Terraform through the lens of OOP moves you from "writing config" to "engineering systems."

1. Modules are Classes: Treat them as blueprints with strict inputs and outputs.
2. Encapsulate Logic: Don't let implementation details leak into the root module.
3. Inject Dependencies: Pass IDs down; don't look them up laterally.
4. Compose, Don't Inherit: Build large infrastructure by wiring together small, focused modules.

By respecting these boundaries, your Terraform code becomes testable, reusable, and significantly easier to refactor.

Further Reading

• Terraform: Module Composition - HashiCorp's official guide on composing modules.
• Refactoring Terraform - Strategies for breaking monoliths into modules.
• The SOLID Principles of IaC - A deeper dive into S.O.L.I.D. applied to DevOps.