IBM announced a $6.4B acquisition of HashiCorp on April 24. The honest read is that this confirms the BSL-era trajectory more than it changes it. Here's what's likely, what's uncertain, what stays the same for current Terraform users in the short term, and what to actually watch.
Most GKE-via-Terraform modules expose every knob the API has, then bury the few that matter. Here's the split I've landed on after a year of customer demos, what to parameterize per environment, what to hardcode and forget, and the regional-vs-zonal trade-off nobody likes to talk about.
Provider version pinning is one of those Terraform topics nobody thinks about until the CI runner picks up a new minor release at 2 a.m. and a hundred plans go red. Here's the audit pattern I run for customers, the trap on both sides, and the constraint style I land on by default.
Lifecycle hooks are the part of Terraform that looks trivial in the docs and saves you from a six-figure outage in practice. Here's how prevent_destroy and ignore_changes actually get used in production, what to put them on, what not to, and the operations cost of getting it right.
Most Terraform pipelines treat plan output as text, paste it in a PR, hope the reviewer reads it. The JSON form is structured data, and once you treat it that way, cost preview, policy gates, drift attribution, and change-risk scoring become engineering problems.
Long-lived AWS access keys in GitHub Actions secrets are the wrong default. OIDC federation gives every workflow a scoped, short-lived role assumption with no secret to leak. The trust-policy shape, the GitHub Actions wiring, and the gotchas that make it harder than the blog posts suggest.
The S3-plus-DynamoDB backend is the most common Terraform state setup in the world and the most commonly misconfigured. The versioning, encryption, lock-table, and cross-account patterns that hold up across customer engagements, and the failure modes that take teams a week to debug.
OpenTofu 1.6 went GA on January 10. For most teams the migration is renaming a binary and updating a CI step. The interesting parts are what 1.6 actually shipped, how the BSL clause reads five months on, and why I moved quickly on it for the engagements I'm currently on.
Most multi-cloud Terraform writeups are hypothetical. The customer engagements I keep doing aren't, they're the same workload running on AWS, Azure, and GCP in parallel, and the lessons about where abstraction actually helps and where it bites are not what the architecture diagrams suggest.
Drift gets all the attention. The inverse problem, your statefile says a resource exists, the cloud says it doesn't, is weirder, harder to detect, and causes a different shape of failure. Closing out 2023 with the ghost-resource problem and a note on where IaC observability has to go next.
Every IaC vendor talks about drift in the abstract. Here's what it actually looks like in a real cloud account, the security groups that no longer match the code, the manual fixes that never made it back into the repo, and the next terraform apply quietly fighting reality.
Nobody starts greenfield. Most Terraform work is taking infrastructure already in the cloud and putting it under code. The import flow I've used on customer engagements, the gotchas that bite every time, and why 'good' Terraform from scratch can make brownfield import worse.
