Draft 2026-02-12

Things that bit me when staging and prod "shared just one small thing."

A field guide to the environment-isolation failures that show up six months into a Terraform rollout, from shared secrets to DNS drift.

Draft — coming soon.

A field guide to the environment-isolation failures that show up six months into a Terraform rollout — after the happy path is deployed, after the team has moved on to new features, and somebody in staging runs terraform destroy with the wrong AWS_PROFILE.

Topics covered:

  • Shared secrets that weren’t supposed to be shared (and how the “just this one API key” pattern metastasizes)
  • External DNS provider drift: when your zone file stops matching your Terraform state and neither side notices
  • Console-vs-state divergence — the quiet drift from engineers clicking “just this once” in the AWS console
  • The boring account-boundary practices that actually prevent this

Anonymized. Based on patterns observed across multiple engagements.
