The Makefile provides a unified interface for managing the Terraform AWS Starter Kit lifecycle, from initial setup to daily operations. It wraps common Terraform commands with validation, error handling, and environment management.
Quick Reference
| Command | Description |
|---|---|
| make help | Display all available commands |
| make setup | Complete setup wizard (bootstrap + provision + OIDC) |
| make install-tools | Install required development tools |
| make validate-full | Run all validation checks |
| make init ENV=<env> | Initialize Terraform for an environment |
| make plan ENV=<env> | Create Terraform plan |
| make apply ENV=<env> | Apply Terraform changes |
| make cleanup | Interactive cleanup script |
Setup Commands
make setup
Run the complete setup wizard that bootstraps your infrastructure, provisions environments, and deploys OIDC configuration.
What it does:
- Checks prerequisites (AWS CLI, Terraform, Git)
- Verifies AWS credentials
- Creates S3 backend with native state locking
- Provisions environment directories and workflows
- Deploys OIDC provider and IAM roles
Usage:
# Interactive setup (recommended for first time)
make setup
# Or run the script directly with options
./scripts/setup.sh -e test,staging -a
./scripts/setup.sh -p production-admin
./scripts/setup.sh --skip-bootstrap
Script Options:
| Option | Description |
|---|---|
| -e, --environments ENV1,ENV2 | Comma-separated list of environments |
| -p, --profile PROFILE | AWS profile to use |
| -a, --auto-approve | Skip interactive confirmations |
| -s, --skip-bootstrap | Skip bootstrap step (use existing backend) |
| -d, --skip-deploy | Skip OIDC deployment (only create files) |
| -h, --help | Display help message |
make install-tools
Install required and optional development tools for the starter kit.
Tools Installed:
| Tool | Status | Purpose |
|---|---|---|
| Terraform | Required | Infrastructure as code |
| AWS CLI | Required | AWS command-line interface |
| TFLint | Optional | Terraform linter for validation |
| Checkov | Optional | Security scanner for validation |
| Granted | Optional | AWS profile manager for multi-account access |
Platform Support:
- macOS (via Homebrew)
- Linux (via package managers and direct downloads)
Usage:
make install-tools
Validation Commands
make validate-full
Run comprehensive validation across all environments.
Validation Steps:
| Step | Description |
|---|---|
| 1. Formatting check | Verifies Terraform file formatting |
| 2. Configuration validation | Validates Terraform syntax for all environments |
| 3. TFLint scan | Runs linting checks for best practices |
| 4. Checkov scan | Performs security analysis |
Usage:
make validate-full
Exit Codes:
- 0: All validations passed
- 1: One or more validations failed
make validate-env
Validate Terraform configuration for a specific environment.
Parameters:
| Parameter | Required | Description |
|---|---|---|
| ENV | Yes | Environment name |
| ARGS | No | Additional terraform validate arguments |
Usage:
make validate-env ENV=production
make validate-env ENV=staging ARGS="-json"
make lint
Run TFLint checks across all Terraform files.
Requirements:
- TFLint must be installed (run make install-tools)
- .tflint.hcl configuration file (created during setup)
Usage:
make lint
make security-scan
Run Checkov security scan on Terraform code.
Requirements:
- Checkov must be installed (run make install-tools)
- .checkov.yml configuration file (optional)
Usage:
make security-scan
make format
Format all Terraform files recursively.
Usage:
make format
Deployment Commands
All deployment commands require the ENV parameter to specify which environment to operate on.
make init
Initialize Terraform backend for an environment.
Parameters:
| Parameter | Required | Description |
|---|---|---|
| ENV | Yes | Environment name |
| ARGS | No | Additional terraform init arguments |
Common Arguments:
| Argument | Description |
|---|---|
| -upgrade | Upgrade provider plugins to the latest version allowed by the version constraints |
| -reconfigure | Reconfigure backend ignoring saved configuration |
Usage:
make init ENV=production
make init ENV=staging ARGS="-upgrade"
make init ENV=test ARGS="-reconfigure"
make plan
Create a Terraform execution plan for an environment.
Parameters:
| Parameter | Required | Description |
|---|---|---|
| ENV | Yes | Environment name |
| ARGS | No | Additional terraform plan arguments |
Common Arguments:
| Argument | Description |
|---|---|
| -out=tfplan | Save plan to file |
| -target=RESOURCE | Plan only specific resource |
| -var="key=value" | Override variable values |
Usage:
make plan ENV=production
make plan ENV=staging ARGS="-out=tfplan"
make plan ENV=test ARGS="-target=module.oidc_provider"
make apply
Apply Terraform changes to an environment.
Parameters:
| Parameter | Required | Description |
|---|---|---|
| ENV | Yes | Environment name |
| ARGS | No | Additional terraform apply arguments |
Common Arguments:
| Argument | Description |
|---|---|
| -auto-approve | Skip confirmation prompt |
| tfplan | Apply a saved plan file |
Warning: Use -auto-approve carefully, especially in production environments. It removes the confirmation prompt, so whatever review happened before the command ran is the only review there is.
Usage:
make apply ENV=production
make apply ENV=staging ARGS="-auto-approve"
make apply ENV=test ARGS="tfplan"
make destroy
Destroy Terraform-managed infrastructure in an environment.
Parameters:
| Parameter | Required | Description |
|---|---|---|
| ENV | Yes | Environment name |
| ARGS | No | Additional terraform destroy arguments |
Warning: This command permanently deletes resources. Always review the plan before confirming.
Usage:
make destroy ENV=test
make destroy ENV=staging ARGS="-auto-approve"
make destroy ENV=production ARGS="-target=module.oidc_provider"
Utility Commands
make cleanup
Run the interactive cleanup script to remove resources and files.
Cleanup Options:
| Option | Description |
|---|---|
| 1. Destroy all environment resources | Removes OIDC providers, IAM roles, etc. |
| 2. Destroy bootstrap resources | Removes S3 bucket |
| 3. Clean local files | Removes cached Terraform files (.terraform, lock files) |
| 4. Remove source files | Deletes environment directories and workflow files |
| 5. Full cleanup | Combines all cleanup operations |
Important Notes:
- Destroying bootstrap resources removes the Terraform state backend
- Always destroy environment resources before destroying bootstrap
- Removing source files deletes committed code (use with caution)
- The script includes safety confirmations for destructive operations
Usage:
make cleanup
make check
Check versions of all required and optional tools.
Usage:
make check
Output Example:
Terraform: Terraform v1.9.8
AWS CLI: aws-cli/2.15.0 Python/3.11.6
TFLint: TFLint version 0.50.0
Checkov: 3.2.255
Granted: assume installed
Environment Variables
| Variable | Description | Example |
|---|---|---|
| ENV | Target environment for deployment commands | ENV=production |
| ARGS | Additional arguments for Terraform commands | ARGS="-auto-approve" |
| AWS_PROFILE | AWS profile to use | AWS_PROFILE=production-admin |
| AWS_REGION | AWS region for operations | AWS_REGION=us-east-1 |
Common Workflows
Initial Setup
# 1. Install required tools
make install-tools
# 2. Run setup wizard
make setup
# 3. Verify installations
make check
Development Workflow
# 1. Validate all code
make validate-full
# 2. Format code
make format
# 3. Initialize environment
make init ENV=test
# 4. Plan changes
make plan ENV=test
# 5. Apply changes
make apply ENV=test
Multi-Environment Deployment
# Test environment
make init ENV=test
make plan ENV=test
make apply ENV=test
# Staging environment
make init ENV=staging
make plan ENV=staging
make apply ENV=staging
# Production environment (with review)
make init ENV=production
make plan ENV=production ARGS="-out=tfplan"
# Review plan carefully
make apply ENV=production ARGS="tfplan"
Upgrading Provider Versions
# Upgrade and reinitialize
make init ENV=production ARGS="-upgrade"
# Verify with plan
make plan ENV=production
Cleanup and Removal
# Remove test environment resources
make destroy ENV=test
# Full cleanup (interactive)
make cleanup
Error Handling
Missing ENV Parameter
$ make plan
❌ Error: ENV variable is required
Usage: make plan ENV=production
make plan ENV=production ARGS="-out=tfplan"
Invalid Environment
$ make plan ENV=nonexistent
❌ Error: Environment 'nonexistent' does not exist
Available environments:
test
staging
production
Missing Tools
$ make lint
TFLint not installed. Run 'make install-tools' to install.
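The three error cases above all come from the same guard: the wrapper refuses to run until ENV names an existing environment directory. The script below is an added illustration of that guard, not the starter kit's own Makefile or scripts; it assumes the environments/<env> layout shown elsewhere on this page and adds one check the page does not mention, rejecting values containing a path separator so ENV=../something cannot point the wrapper outside the environments tree.

```shell
#!/usr/bin/env sh
# Illustrative ENV guard for a make-style Terraform wrapper (added example,
# not the starter kit's code). Assumes one directory per environment under
# ENV_ROOT, e.g. environments/test, environments/staging, environments/production.
set -eu

ENV_ROOT="${ENV_ROOT:-environments}"

# list_envs: print the environment names found under ENV_ROOT, one per line.
list_envs() {
  for d in "$ENV_ROOT"/*/; do
    [ -d "$d" ] || continue
    basename "$d"
  done
}

# require_env ENV TARGET: validate the ENV parameter before any terraform
# command runs. Returns 0 if ENV is a plain name of an existing environment;
# otherwise prints the same kind of message the wrapper shows and returns 1.
require_env() {
  env="${1:-}"
  target="${2:-plan}"
  if [ -z "$env" ]; then
    echo "Error: ENV variable is required" >&2
    echo "Usage: make $target ENV=production" >&2
    return 1
  fi
  # Reject path-like values: ENV is used to build a directory path, so
  # "../prod" or "/tmp/x" must not be accepted as an environment name.
  case "$env" in
    */*|.|..)
      echo "Error: ENV must be a plain environment name, got '$env'" >&2
      return 1 ;;
  esac
  if [ ! -d "$ENV_ROOT/$env" ]; then
    echo "Error: Environment '$env' does not exist" >&2
    echo "Available environments:" >&2
    list_envs | sed 's/^/  /' >&2
    return 1
  fi
  return 0
}

# run_tf TARGET ENV [ARGS...]: run a terraform sub-command inside the
# validated environment directory, passing extra ARGS through unchanged.
# A Makefile target would call this as: ./scripts/tf.sh plan "$(ENV)" $(ARGS)
run_tf() {
  target="$1"
  env="$2"
  shift 2
  require_env "$env" "$target" || return 1
  ( cd "$ENV_ROOT/$env" && terraform "$target" "$@" )
}
```

Because the guard runs before the cd, a typo in ENV fails fast with the list of real environments instead of initialising Terraform in a directory that does not exist.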
Best Practices
Daily Operations
- Always validate before deploying:
  make validate-full
- Review plans before applying:
  make plan ENV=production
  # Review output carefully
  make apply ENV=production
- Use saved plans for production, so that what gets applied is exactly what was reviewed:
  make plan ENV=production ARGS="-out=tfplan"
  make apply ENV=production ARGS="tfplan"
Tool Management
- Keep tools updated:
  make install-tools  # Detects and updates existing tools
- Verify installations regularly:
  make check
Security
- Run security scans before deployments:
  make security-scan
- Never commit plan files. A saved plan contains the planned state and the variable values it was built from, including any secrets, unencrypted:
  # Add to .gitignore
  echo "*.tfplan" >> .gitignore
- Use -auto-approve sparingly:
  # Avoid in production
  make apply ENV=production ARGS="-auto-approve"
Troubleshooting
State Lock Issues
If Terraform state is locked, first confirm that no other terraform process (a colleague's apply, a CI job) still holds the lock: a lock left behind by a crashed or interrupted run is safe to clear, an active one is not, and unlocking under a running apply lets two writers race on the same state. The lock ID is printed in the error message. To clear a stale lock:
# Force unlock (use carefully)
cd environments/production
terraform force-unlock <LOCK_ID>
Note: With S3 native locking (Terraform 1.10+), the lock is a .tflock object stored in the state bucket next to the state file; force-unlock removes that object.
Backend Configuration Issues
If backend initialization fails:
# Verify backend configuration
cat .terraform-backend.conf
# Verify S3 bucket exists
aws s3 ls s3://terraform-state-ACCOUNT-REGION
# Reconfigure backend
make init ENV=production ARGS="-reconfigure"
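Before reaching for -reconfigure, it is worth checking that the backend file actually carries the settings the starter kit relies on: a bucket, key and region, native locking (use_lockfile = true, Terraform 1.10+) and server-side encryption of the state object. The script below is an added example, not part of the starter kit; it assumes .terraform-backend.conf uses the key = "value" form that terraform init -backend-config=FILE reads, and the sample files in the usage are constructed for illustration.

```shell
#!/usr/bin/env sh
# Illustrative sanity check of a backend configuration file (added example,
# not the starter kit's code). Assumes the file uses the key = "value" form
# that `terraform init -backend-config=FILE` accepts.
set -eu

# backend_conf_get FILE KEY: print the value of KEY with surrounding quotes
# stripped, or nothing if the key is absent. First matching line wins.
backend_conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# check_backend_conf FILE: verify the settings an S3 backend with native
# locking needs, printing one line per problem. Returns 0 when all pass.
check_backend_conf() {
  conf="$1"
  rc=0
  [ -f "$conf" ] || { echo "missing backend config file: $conf"; return 1; }
  for key in bucket key region; do
    if [ -z "$(backend_conf_get "$conf" "$key")" ]; then
      echo "missing required setting: $key"
      rc=1
    fi
  done
  # Native S3 locking (Terraform 1.10+) is opt-in via use_lockfile. Without
  # it, and without a dynamodb_table, concurrent runs are not serialised and
  # two applies can write the same state object at once.
  if [ "$(backend_conf_get "$conf" use_lockfile)" != "true" ] &&
     [ -z "$(backend_conf_get "$conf" dynamodb_table)" ]; then
    echo "no state locking: set use_lockfile = true (or dynamodb_table)"
    rc=1
  fi
  # State holds resource attributes, including secrets, unencrypted;
  # encrypt = true requests server-side encryption for the state object.
  if [ "$(backend_conf_get "$conf" encrypt)" != "true" ]; then
    echo "state encryption disabled: set encrypt = true"
    rc=1
  fi
  return "$rc"
}

# Usage, assuming the file sits in the environment directory:
#   check_backend_conf .terraform-backend.conf && make init ENV=production
```

Run it from the environment directory before make init; a non-zero exit with the printed findings is cheaper to act on than an init failure or, worse, an init that succeeds against an unlocked or unencrypted backend.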
Permission Errors
If AWS operations fail:
# Verify credentials
aws sts get-caller-identity
# Check assumed role
aws sts get-caller-identity --profile production-admin
# Use Granted to assume role
assume production-admin
Next Steps
- Learn about CI/CD Workflows automation
- Understand Project Structure
- Explore Local Development best practices
- Review OIDC Provider module details