Ergonomics
TFO makes using Terraform simple, easy, and stress-free
Automatic Initialization
TFO detects uninitialized Terraform modules and runs
terraform init automatically before the requested command.
It checks for two conditions:
- Missing .terraform directory — the module has never been initialized
- Failed terraform validate — the module’s provider or backend dependencies have changed
This eliminates the need to manually run terraform init
after cloning, switching branches, or updating providers.
Lock-Free Planning
Plan operations use the -lock=false flag, which means
multiple developers can run plans concurrently without blocking each
other. Apply operations still acquire the Terraform state lock to
prevent concurrent mutations.
This also ensures CI/CD pipelines never interfere with local development workflows.
Environment Protection
terraform apply in local mode is restricted to the
development environment. Attempting to apply against
non-production, production,
shared, or all returns a
SafetyViolation error. Higher-level environment changes
happen exclusively through Cloud Build after code review and a
release.
terraform plan is allowed against any environment —
plans are read-only and safe to run.
Read-Only Service Accounts
All local Terraform operations run through a dedicated service account with read-only permissions. This is enforced through impersonation. The service accounts should never have Edit, Admin, or Write IAM roles. This ensures that even if the environment protection were somehow bypassed, the service account lacks the permissions to modify resources.
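The rule that the local service account never holds Edit, Admin, or Write roles can be checked against an exported IAM policy. The script below is an added example, not part of TFO: it assumes a Google Cloud project policy in the JSON shape printed by gcloud projects get-iam-policy PROJECT --format=json, and the account, project and custom-role names are made up. It matches on role names only, so a role that grants write permissions under a different name (or a binding on an individual resource rather than the project) still needs a manual review.

```python
import json
import re
import sys

# Assumption: "Edit, Admin, or Write" is approximated by role *names*, with
# owner included as well. Role permissions are not expanded.
WRITE_ROLE = re.compile(r"owner|admin|edit|writ", re.IGNORECASE)

# Hypothetical account names, used only for this example.
TFO_SA = "tfo-local@example-dev.iam.gserviceaccount.com"
CI_SA = "cloudbuild@example-dev.iam.gserviceaccount.com"

# Constructed sample policy; every binding below is made up.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/viewer",
   "members": ["serviceAccount:tfo-local@example-dev.iam.gserviceaccount.com",
               "group:devs@example.com"]},
  {"role": "roles/storage.objectAdmin",
   "members": ["serviceAccount:tfo-local@example-dev.iam.gserviceaccount.com"]},
  {"role": "roles/iam.securityReviewer",
   "members": ["serviceAccount:tfo-local@example-dev.iam.gserviceaccount.com"]},
  {"role": "projects/example-dev/roles/tfStateWriter",
   "members": ["serviceAccount:TFO-Local@example-dev.iam.gserviceaccount.com"]},
  {"role": "roles/editor",
   "members": ["serviceAccount:cloudbuild@example-dev.iam.gserviceaccount.com"]}
]}
""")


def write_capable_roles(policy, service_account):
    """Return roles bound to service_account whose name suggests write access."""
    member = f"serviceAccount:{service_account}".lower()
    findings = []
    for binding in policy.get("bindings", []):
        members = [m.lower() for m in binding.get("members", [])]
        if member not in members:
            continue
        # Match the final path segment so custom roles
        # ("projects/<id>/roles/<name>") are checked the same way.
        if WRITE_ROLE.search(binding["role"].rsplit("/", 1)[-1]):
            findings.append(binding["role"])
    return sorted(findings)


if __name__ == "__main__":
    # Pass a saved policy file as argv[1]; otherwise the constructed sample is used.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    bad = write_capable_roles(policy, TFO_SA)
    for role in bad:
        print(f"VIOLATION: {TFO_SA} holds {role}")
    sys.exit(1 if bad else 0)
```

A non-zero exit status makes the script usable as a scheduled check or pipeline gate.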