AWS Staging Terraform Apply Order and Outputs

Purpose

This document turns the staging Terraform checklist into an apply sequence with explicit outputs.

The goal is to keep the staging build incremental:

  • create the network foundation first
  • expose only the outputs the next layer needs
  • avoid manual pre-design of low-level AWS details

Apply Order

1. Backend

Create the remote state backend for staging.

Outputs needed:

  • backend bucket name
  • backend lock mechanism, if used

Practical input:

  • use infra/envs/staging/backend.hcl.example as the template
  • copy it to infra/envs/staging/backend.hcl
  • keep the real backend file local and uncommitted
  • use terraform -chdir=infra/envs/staging init -reconfigure -backend-config=backend.hcl

2. Network Foundation

Create the staging project VPC.

Resources:

  • VPC
  • public subnets
  • private subnets
  • route tables
  • internet gateway or equivalent egress path
  • NAT or egress design if required by the chosen layout

Outputs needed:

  • vpc_id
  • public_subnet_ids
  • private_subnet_ids
  • route_table_ids

3. Security Groups

Create the initial project security groups.

Resources:

  • ALB security group
  • ECS service security group
  • database security group
  • cache security group

Outputs needed:

  • alb_security_group_id
  • ecs_security_group_id
  • database_security_group_id
  • cache_security_group_id

4. Core Platform

Create the shared platform resources used by the application stack.

Resources:

  • ECR repositories
  • CloudWatch log groups
  • ECS cluster
  • Application Load Balancer
  • target groups

Outputs needed:

  • ECR repository URLs
  • ECS cluster ARN
  • ALB DNS name
  • ALB listener and target group ARNs

5. Staging Data Services

Create the staging data plane.

Resources:

  • PostgreSQL host
  • Valkey service on the database host
  • Secrets Manager secrets
  • Parameter Store entries

Outputs needed:

  • database endpoint or hostname
  • database port
  • Valkey endpoint
  • Valkey port
  • secret ARNs or names
  • parameter names or paths

6. ECS Services

Create the ECS services for the application runtime.

Resources:

  • API service
  • frontend service
  • admin panel service
  • worker services

Outputs needed:

  • service ARNs
  • task definition ARNs
  • service discovery names, if used

7. Validation

Validate the deployed stack.

Checks:

  • health checks pass
  • logs appear in CloudWatch
  • database connectivity works
  • Valkey connectivity works
  • deployment rollback works

Output Design Rule

Each layer should output only what the next layer needs.

That keeps the Terraform code simpler and avoids a large, intertwined dependency graph.

Practical Staging Rule

If a value is needed by ECS task definitions, expose it from the infrastructure layer rather than hardcoding it in the application image.
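
One way to apply this rule in the ECS services layer, as an added example that is not taken from the project's own Terraform code. The variable names, the "api" container, the image tag, the environment variable names and the Fargate launch type are all assumptions; only the idea of consuming step 4 and step 5 outputs comes from this document.

```hcl
# Added example: every name below is hypothetical, chosen for illustration.
# Inputs fed from the step 5 (data services) outputs.
variable "database_host" { type = string }
variable "database_port" { type = number }
variable "database_secret_arn" { type = string }  # Secrets Manager secret ARN
variable "valkey_parameter_arn" { type = string } # Parameter Store entry ARN

# Inputs fed from the step 4 (core platform) outputs, plus the execution role.
variable "api_repository_url" { type = string }
variable "api_log_group_name" { type = string }
variable "aws_region" { type = string }
variable "task_execution_role_arn" { type = string }

resource "aws_ecs_task_definition" "api" {
  family                   = "staging-api"
  requires_compatibilities = ["FARGATE"] # assumption: launch type is not stated in this document
  network_mode             = "awsvpc"
  cpu                      = "256"
  memory                   = "512"
  execution_role_arn       = var.task_execution_role_arn

  container_definitions = jsonencode([{
    name      = "api"
    image     = "${var.api_repository_url}:staging"
    essential = true

    # Non-sensitive wiring is passed as plain environment variables.
    environment = [
      { name = "DB_HOST", value = var.database_host },
      { name = "DB_PORT", value = tostring(var.database_port) },
    ]

    # Sensitive values are passed by reference. ECS resolves them at task start,
    # so the task definition and the image hold only the ARN, not the value.
    secrets = [
      { name = "DB_PASSWORD", valueFrom = var.database_secret_arn },
      { name = "VALKEY_URL", valueFrom = var.valkey_parameter_arn },
    ]

    logConfiguration = {
      logDriver = "awslogs"
      options = {
        "awslogs-group"         = var.api_log_group_name
        "awslogs-region"        = var.aws_region
        "awslogs-stream-prefix" = "api"
      }
    }
  }])
}
```

The task execution role must be allowed to read exactly these references (secretsmanager:GetSecretValue on the secret ARN, ssm:GetParameters on the parameter ARN); scoping the policy to those ARNs keeps the services layer from reading unrelated secrets.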