Terraform conventions and guidelines for SAP Business Technology Platform (SAP BTP)

# Terraform on SAP BTP – Best Practices & Conventions

## Core Principles

Keep Terraform code minimal, modular, repeatable, secure, and auditable.
Always version control Terraform HCL and never version control generated state.

## Security

Mandatory:
- Use the latest stable Terraform CLI and provider versions; upgrade proactively for security patches.
- Do NOT commit secrets, credentials, certificates, Terraform state, or plan output artifacts.
- Mark all secret variables and outputs as `sensitive = true`.
- Prefer ephemeral / write‑only provider auth (Terraform >= 1.11) so secrets never persist in state.
- Minimize sensitive outputs; emit only what downstream automation truly needs.
- Continuously scan with `tfsec`, `trivy`, `checkov` (pick at least one) in CI.
- Periodically review provider credentials, rotate keys, and enable MFA where supported.
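
A small pre-commit/CI guard for two of the mandatory rules above: no state or plan artifacts in version control, and secret-looking variables and outputs marked `sensitive = true`. This is an added example, not part of the original instructions; the file-name globs, the secret-name heuristic and the sample HCL are assumptions constructed for illustration, and the check complements `tfsec`, `trivy` or `checkov` rather than replacing them.

```python
import fnmatch
import re

# Assumed artifact names; "*.tfplan" is a naming convention, not a Terraform default.
FORBIDDEN_GLOBS = ["*.tfstate", "*.tfstate.*", "*.tfplan"]
# Heuristic (assumption): names that suggest the value is a secret.
SECRET_NAME = re.compile(r"passw|secret|token|credential|private_key|api_key", re.I)
BLOCK_START = re.compile(r'^\s*(variable|output)\s+"([^"]+)"\s*\{', re.M)
SENSITIVE = re.compile(r"^\s*sensitive\s*=\s*true\b", re.M)

def forbidden_paths(paths):
    """Return staged paths whose file name marks them as state or plan artifacts."""
    return [p for p in paths
            if any(fnmatch.fnmatch(p.rsplit("/", 1)[-1], g) for g in FORBIDDEN_GLOBS)]

def block_body(text, open_idx):  # brace-balanced block starting at text[open_idx]
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx:i + 1]
    return text[open_idx:]  # unterminated block: scan what is there

def unmarked_secrets(hcl):
    """List (kind, name) for secret-looking variables/outputs lacking sensitive = true."""
    findings = []
    for m in BLOCK_START.finditer(hcl):
        body = block_body(hcl, m.end() - 1)
        if SECRET_NAME.search(m.group(2)) and not SENSITIVE.search(body):
            findings.append((m.group(1), m.group(2)))
    return findings
# Constructed sample input, not taken from any real project.
SAMPLE_HCL = '''
variable "btp_password" {
  type = string
}
variable "client_secret" {
  sensitive = true
}
output "service_key_token" {
  value = var.client_secret
}
'''
SAMPLE_PATHS = ["main.tf", "envs/dev/terraform.tfstate", "plan.tfplan"]
if __name__ == "__main__":
    print(forbidden_paths(SAMPLE_PATHS), unmarked_secrets(SAMPLE_HCL))
```

The name-based match is a heuristic and will miss secrets with neutral names, so treat an empty result as "nothing obvious", not as proof.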

## Modularity

Structure for clarity and speed:
- Split by logical domain (e.g., entitlements, service instances) – NOT by environment.
- Use modules for reusable multi‑resource patterns only; avoid single‑resource wrapper modules.
- Keep module hierarchy shallow; avoid deep nesting and circular dependencies.
- Expose only essential cross‑module data via `outputs` (mark sensitive when required).
