Back to all blog posts

Terramate Bundles: The Contract Layer Terraform Never Shipped

Picture of Soren Martius
Sören Martius Chief Product Officer
Portrait of Chris Schagen
Chris Schagen Chief Executive Officer
Photo of Marius Tolzmann
Marius Tolzmann Chief Technology Officer
Reading Time:8 min read

Terraform modules were designed for code reuse, not for governing infrastructure at scale across teams, environments, and repositories. Terramate Bundles introduce the missing contract layer between platform teams who define standards/patterns and developers who provision infrastructure in self-service, with built-in governance, directory structure, environment promotion, and lifecycle management out of the box.

Cover Terramate Bundles: The Contract Layer Terraform Never Shipped

You have 14 teams, 80 repositories, and a Confluence page titled "How to create an S3 bucket" that nobody reads. Your shared Terraform modules started clean. Then one team starts copying the module to adjust it to their needs, another adds a bunch of missing resources, and so on. Now you need to roll out a tagging strategy across every S3 bucket in every environment, and you're looking at pull requests in 40 repositories, each with slightly different directory layouts, variable names, and module versions.

This is not a tooling problem. It's a missing abstraction.

Terraform modules solve code reuse. They were never designed to be a contract between a platform team and the rest of engineering. They don't enforce directory conventions, don't manage environment promotion, don't track where they're used, and don't constrain what developers can configure. Modules give you building blocks. What you actually need is an interface boundary. A layer that lets platform teams ship vetted, governed infrastructure patterns that developers consume without needing to understand or modify the underlying Terraform. That's what Terramate Bundles are. Not a replacement for modules, but the contract layer that sits above them: platform-team-owned, self-service-ready, and opinionated by design.

Built-in Governance

A Bundle is a platform-team-owned definition of how a piece of infrastructure should be provisioned. It encodes best-practice patterns such as resource naming, security configuration, cost controls, compliance requirements and exposes only a limited, vetted set of configuration options to the end user.

This is a deliberate constraint. When a developer creates an S3 bucket through a bundle, they don't choose the encryption algorithm, the lifecycle policy, or the logging configuration. The platform team already made those decisions. The developer picks a name, an environment, and maybe a retention period. Everything else is locked.

The result is that every resource provisioned through Bundles meets your organization's reliability, security, budget, and compliance goals by default. Not because developers read the wiki. Because the interface doesn't let them do it wrong.

Built-in Directory Structure

If you've operated IaC across multiple repositories and teams, you know the entropy. One team nests everything under terraform/ . Another uses infra/production/ . A third uses yet another structure. When someone new joins, they spend a day just figuring out where things live.

With Terramate Bundles, the directory structure is part of the contract. The platform team defines the layout pattern, and every Bundle scaffolds into it automatically. For example, a Bundle can enforce the convention:

define bundle stack "s3" {
  metadata {
    path = "/infra/${bundle.environment.id}/{bundle.input.account.value}/s3/${tm_slug(bundle.input.name.value)}"
    ... 
  }
}

When a developer provisions a new S3 bucket called my-bucket in the dev environment, the infrastructure code is scaffolded into infra/dev/web-account/s3/my-bucket . Every time. In every repository. For every team.

This means you can look at any repository in your organization and immediately know where to find the Terraform for a specific resource. No guessing. No Confluence page. The structure is the documentation.

Built-in Environment Promotion

Promoting infrastructure changes between environments is one of those problems that sounds simple and never is. With vanilla Terraform, teams end up copying entire directory trees, duplicating .tfvars files, or wrestling with workspaces that were never designed for multi-environment promotion. The result is drift between environments that's invisible until something breaks in production.

Terramate Bundles treat environment promotion as a first-class operation. Developers use terramate ui , a terminal interface that lets you promote changes from one environment to another, adjust environment-specific settings, and preview the diff before applying. Under the hood, it updates the relevant variables and regenerates the Terraform code. No manual file copying. No editing raw HCL in three directories.

apiVersion: terramate.io/cli/v1
kind: BundleInstance
metadata:
  name: my-bucket
  uuid: 6586fa6a-d25a-4d16-9950-d79c226add76
spec:
  source: /bundles/acme.com/s3/v1
  inputs:
    
    name: my-bucket
    versioning_enabled: true
    retention_days: 30
    
    terraform_modules:
      terraform-aws-modules/s3-bucket/aws:
        source: terraform-aws-modules/s3-bucket/aws
        version: 5.9.1

# environment-specific overrides
environments:
  dev:
    inputs:
      versioning_enabled: false
  staging:
    inputs:
      versioning_enabled: true
      retention_days: 90
  production:
    inputs:
      versioning_enabled: true
      retention_days: 365

The same overrides can be managed directly in YAML or HCL files, making it machine-friendly for CI pipelines and automation. The key shift: environment configuration lives in a structured format that tools can read and modify, not scattered across .tfvars files that only humans can parse.

Built-in Maintainability

Here's the scenario that breaks most IaC setups at scale: you need to roll out a change to existing infrastructure. Not provide something new, but update something that's already deployed everywhere.

Say your security team mandates a new tagging strategy. Every resource needs a cost-center and data-classification tag. With vanilla Terraform, this means updating hundreds of resource configurations across dozens of repositories. You're writing migration scripts, opening mass pull requests, and hoping each team's module version is compatible with the change.

With Terramate Bundles, you update the bundle definition once. Then you can see exactly which repositories, teams, and environments are running which bundle versions — and upgrade them in a targeted manner. Update all s3-bucket bundles in dev environments first. Verify. Promote to staging. Then production. The bundle version graph gives you the visibility and control that raw module references never provided.

Built-in AI Safety Layer

Generative AI is accelerating infrastructure code production. That's the good news. The bad news: every LLM-generated Terraform file looks slightly different: different resource names, different variable conventions, different provider configurations. Often, it is also a function of the expertise level of the LLM-user. The code might be syntactically correct, but it doesn't match your organization's patterns. At scale, this creates a maintenance nightmare that compounds faster than any team can review.

While this can be partially mitigated by using agent-skills such as the Terramate agent-skills for Terraform and OpenTofu, Bundles solve this by constraining the generation surface. When an AI agent provisions infrastructure through a bundle, it doesn't write raw Terraform. It fills in bundle inputs. The underlying code is deterministically generated, i.e., exactly the same way every time, matching your organization's standards. You can integrate bundles directly with coding agents like Cursor, Codex, or Claude Code, giving your agentic workflows the same guardrails your human developers get.

Built-in Standardization

Without bundles, developers have to decide how and where to use modules, structure repositories, how to name cloud resources, etc. Eventually, there’s a gap between the standardization that modules provide and everything else.

Bundles enforce standardization at the generation layer. The platform team controls which dependency versions are used, which configuration options are exposed, and how the code is structured. Every bundle-generated stack looks the same. Not because developers are disciplined, but because the system doesn't produce anything else.

Built-in Review

If developers write raw Terraform, every pull request needs a review. Someone has to verify the resource configuration, check naming conventions, validate that the right provider version is pinned, and confirm the directory structure and state configuration are correct. That review burden scales linearly with your team count.

With Bundles, the code and its possible configurations are reviewed once — when the platform team publishes the bundle in the first place. After that, PRs that contain only bundle-generated configuration can be auto-merged. The review happened upstream, at the contract definition. Not downstream, at every consumption point.

Built-in Lifecycle Management

Day-2 operations in Terraform are often manual and fragile. Upgrading a provider version means touching every configuration that uses it. Rotating a pattern means coordinating across teams. There's no built-in concept of "upgrade all instances of this pattern to the next version."

Bundles make lifecycle management a version upgrade workflow. Because the bundle owns the definition of dependency versions, upgrading the provider, the module, or the underlying resource configuration is a single bundle version bump. Roll it out to dev first. Then staging. Then production. Target by environment, by team, by repository. Day-2 operations become as straightforward as day-1 provisioning.

Built-in Visibility

If you use Terraform modules today, answering "where is this module used?" requires grep, tribal knowledge, or both. Answering "which version of this module is running in production across all teams?" is harder. Answering "which teams haven't upgraded to the version with the security fix?" is nearly impossible without custom tooling.

Terramate Cloud provides a single control plane that tracks bundle usage across all environments, teams, and repositories. You can see which bundle versions are deployed where, which components and providers are in use, and which teams are running outdated versions — all from one dashboard. The visibility that any module registry is lacking.

The Layer You've Been Building by Hand

Every mature platform team ends up building some version of this. Internal CLIs that scaffold directories. Wrapper scripts that manage environment promotion. Dashboards that track module usage. Review policies that try to enforce standards through process.

Terramate Bundles are that layer — productized. A contract between the platform team that defines how infrastructure should be provisioned and the developers who provision it. If you're scaling IaC beyond a single team and you're still relying on modules, READMEs, and good intentions, you're missing the abstraction that actually matters: not code reuse, but organizational control.

Modules are building blocks. Bundles are the interface.

Give it a go

Terramate Bundles are available now as part of the open-source Terramate CLI. Check out our example repo to see Bundles live in action. And learn how Bundles technically work.


Ready to supercharge your IaC?

Explore how Terramate can uplift your IaC projects with a free trial or personalized demo.

Start free trial Book a demo