Terraform three-tier architecture

Aucert's Terraform code is organized into three independent tiers, each with its own state file and lifecycle.

Tier 1: Foundation (infra/terraform/foundation/)

Shared infrastructure that all environments depend on. Rarely changes.

Resources: VNet, AKS cluster, ACR, Key Vault, Storage Account, DNS zones, Internal PostgreSQL.

State: foundation.tfstate in aucert-tfstate-rg.

Tier 2: Internal Platform (infra/terraform/internal-platform/)

Internal tools (Plane, Grafana, Sentry). Always-on, lifecycle independent of product environments.

Resources: Helm releases for internal tools, Cloudflare Tunnel config, Ingress rules.

State: internal-platform.tfstate.

danger

The internal platform tier has prevent_destroy = true on its PostgreSQL instance. Destroying a dev environment CANNOT affect Plane or Astra data.

Tier 3: Environments (infra/terraform/environments/{env}/)

Per-environment resources. Can be created and destroyed independently.

Dev resources: Product PostgreSQL, Redis, Redis Private Endpoint.

State: environments/dev.tfstate.

Dependency rules

  • Tier 2 and Tier 3 both depend on Tier 1 outputs (VNet ID, subnet IDs, AKS credentials)
  • Tier 2 and Tier 3 are independent of each other
  • Destroying a Tier 3 environment never affects Tier 2
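
The dependency rules above, as an added example (not Aucert's own code): Tier 3 reads Tier 1 outputs read-only through terraform_remote_state, Tier 2 carries the prevent_destroy guard from the danger note, and neither tier opens the other's state file. Storage account and container names, resource names and variables are assumptions; only the resource group and the state file keys come from this page.

```hcl
# --- infra/terraform/foundation/outputs.tf (Tier 1): the only interface other tiers consume ---
output "vnet_id"    { value = azurerm_virtual_network.main.id }
output "subnet_ids" { value = { for k, s in azurerm_subnet.main : k => s.id } }

# --- infra/terraform/environments/dev/main.tf (Tier 3) ---
# Own state file; Tier 1 state is read, never written, via terraform_remote_state.
terraform {
  backend "azurerm" {
    resource_group_name  = "aucert-tfstate-rg"
    storage_account_name = "STATE_STORAGE_ACCOUNT" # placeholder, not on the page
    container_name       = "tfstate"               # placeholder, not on the page
    key                  = "environments/dev.tfstate"
  }
}

data "terraform_remote_state" "foundation" {
  backend = "azurerm"
  config = {
    resource_group_name  = "aucert-tfstate-rg"
    storage_account_name = "STATE_STORAGE_ACCOUNT" # placeholder
    container_name       = "tfstate"               # placeholder
    key                  = "foundation.tfstate"
  }
}

# Redis Private Endpoint placed in a Tier 1 subnet; Tier 1 itself is untouched.
resource "azurerm_private_endpoint" "redis" {
  name                = "dev-redis-pe" # constructed name
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = data.terraform_remote_state.foundation.outputs.subnet_ids["dev"]
  private_service_connection {
    name                           = "dev-redis-psc" # constructed name
    private_connection_resource_id = azurerm_redis_cache.dev.id # assumed, same tier
    subresource_names              = ["redisCache"]
    is_manual_connection           = false
  }
}

# --- infra/terraform/internal-platform/postgres.tf (Tier 2) ---
# The guard from the danger note: destroying this tier fails at plan time instead of
# deleting the server, and a dev destroy never loads this state file at all.
resource "azurerm_postgresql_flexible_server" "internal" {
  name                = "aucert-internal-pg" # constructed name
  resource_group_name = var.resource_group_name
  location            = var.location
  lifecycle {
    prevent_destroy = true
  }
}
```

Every principal that can read foundation.tfstate sees all of Tier 1's outputs, including the AKS credentials listed above, so grant read access on that blob only to the pipelines that apply Tier 2 and Tier 3.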

What's next