Operational Guides

Terraform Operations

Day-to-day Terraform commands and workflows for managing Ontopix infrastructure.

Production

All infrastructure operations are exposed through Taskfile. Never invoke the terraform or aws CLIs directly.

Common Workflows

View Current State

task infra:plan       # Preview what Terraform would change
task infra:show       # Show current state
task infra:list       # List all managed resources
task infra:output     # Show Terraform outputs

Make Changes

task infra:fmt        # Format .tf files
task infra:validate   # Validate configuration syntax
task infra:plan       # Preview changes (always run first)
CONFIRM=yes task infra:apply   # Apply changes (requires approval)

Check for Drift

task drift:check      # Quick drift detection
task drift:report     # Detailed drift report with plan file

Backend Operations

task bootstrap:init   # Initialize S3 + DynamoDB backend (first time only)
task bootstrap:status # Check if backend resources exist

State Management

task infra:refresh    # Refresh state from actual infrastructure
task infra:show-lock  # View current state locks
LOCK_ID=<id> task infra:force-unlock  # Force-unlock state (use with caution)

Cleanup

task clean            # Remove .terraform, lock files, plan files

Task Reference

| Task | Safe? | Description |
|---|---|---|
| infra:plan | Yes | Preview changes |
| infra:show | Yes | Show current state |
| infra:list | Yes | List managed resources |
| infra:output | Yes | Show outputs |
| infra:fmt | Yes | Format files |
| infra:fmt-check | Yes | Check formatting |
| infra:validate | Yes | Validate syntax |
| drift:check | Yes | Detect drift |
| drift:report | Yes | Detailed drift report |
| infra:apply | No | Apply changes (requires CONFIRM=yes) |
| infra:destroy | No | Destroy all resources (requires CONFIRM=DESTROY) |
| infra:force-unlock | No | Force-unlock state (requires LOCK_ID) |
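
The confirmation requirements in the table above, written out as a shell guard. This is an added example, not Ontopix's Taskfile or project code: the function names `guard_task` and `refuse` are hypothetical, and refusing any task name that is missing from the table is an assumption.

```shell
#!/bin/sh
# Added example, not the project's Taskfile. guard_task and refuse are
# hypothetical names; task names and confirmation values come from the table.

refuse() {
    echo "refused: $1" >&2
    return 1
}

# guard_task TASK: return 0 if TASK may run in this environment, 1 otherwise.
# Call it as `guard_task "$name" || exit 1` before the real command runs.
guard_task() {
    case "$1" in
        # Tasks the table marks Safe? = Yes need no confirmation.
        infra:plan|infra:show|infra:list|infra:output)
            return 0 ;;
        infra:fmt|infra:fmt-check|infra:validate|drift:check|drift:report)
            return 0 ;;
        infra:apply)
            # Exact match only, so CONFIRM=YES, CONFIRM=y or CONFIRM=1 fail.
            [ "${CONFIRM:-}" = "yes" ] && return 0
            refuse "infra:apply requires CONFIRM=yes" ;;
        infra:destroy)
            # Separate token: a CONFIRM=yes left exported from an earlier
            # apply does not authorize a destroy.
            [ "${CONFIRM:-}" = "DESTROY" ] && return 0
            refuse "infra:destroy requires CONFIRM=DESTROY" ;;
        infra:force-unlock)
            # The operator must name the lock being released.
            [ -n "${LOCK_ID:-}" ] && return 0
            refuse "infra:force-unlock requires LOCK_ID" ;;
        *)
            # Assumption: names missing from the table are refused (fail closed).
            refuse "unknown task '$1'" ;;
    esac
}
```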

Validation Checks

Run all checks before committing:

task validate:all     # Structure + Terraform checks

Or individually:

task validate:structure   # Check required files exist
task validate:terraform   # Format check + validate

AWS Utilities

task aws:whoami       # Show current AWS identity
task aws:regions      # Show regions used by this infrastructure