Strategy & the test pyramid

What to test, and at what level.

Advanced14 min · lesson 9 of 12

Because Terratest tests are slow and cost money, the strategic question is not “test everything” but “what is worth a real deploy.” The testing pyramid applies to infrastructure: a wide base of fast static checks (format, validate, Checkov, policy), a middle of plan-level and unit-ish tests, and a narrow top of full integration tests with Terratest. You do not Terratest every variable permutation — you Terratest the module’s core promise and the integrations that only real deploys can prove.

The infrastructure testing pyramid
top — few, slow, high-value
Terratest
real deploy + behavior
middle
plan / native tests
resolved values, cheap
policy (OPA/Conftest)
guardrails on the plan
base — many, instant, free
fmt / validate
syntax + schema
Checkov / lint
static misconfig
Push checks down the pyramid where you can. Reserve Terratest for behavior that only a real deploy proves.

What to actually test

Good Terratest targets: a reusable module’s happy path (given typical inputs, it produces working, correctly-configured infrastructure), critical security properties that must hold at runtime (the private subnet is really unreachable, the bucket really rejects public access), and integration seams (this module composes with that one). Skip things a cheaper layer already covers — a static scan already knows the bucket has encryption declared; Terratest is for “and it actually works.”

Over-testing with Terratest is slow and expensive
Every Terratest case is a real deploy costing minutes and money, so a suite that exhaustively tests trivial permutations becomes a slow, pricey bottleneck teams start skipping. Move everything you can to the fast, free layers (validate, Checkov, plan tests), and reserve Terratest for the high-value behavioral and integration cases that justify a real deploy. Right-sizing the suite is as important as writing it.