terraform init                    # Initialize working directory
terraform plan                    # Preview changes
terraform plan -out=tfplan        # Save plan for apply
terraform apply tfplan            # Apply saved plan
terraform fmt -recursive          # Format all files
terraform validate                # Validate configuration

# 1. Pin provider versions
terraform {
  required_version = ">= 1.6.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.60"
    }
  }
}

# 2. Use for_each for stability
resource "aws_subnet" "private" {
  for_each = var.private_subnets  # NOT: count
}

# 3. Validate inputs
variable "environment" {
  type = string
  validation {
    condition     = can(regex("^(dev|staging|prod)$", var.environment))
    error_message = "Must be: dev, staging, prod."
  }
}

# 4. Mark sensitive data
variable "db_password" {
  type      = string
  sensitive = true
}

# 5. Lifecycle protection
resource "aws_s3_bucket" "state" {
  lifecycle {
    prevent_destroy = true
  }
}

# Build stage
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build

# Production stage
FROM node:20-alpine
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules

USER node
EXPOSE 3000
CMD ["node", "dist/index.js"]

# Pin versions
FROM python:3.12.1-slim-bookworm

# Run as non-root
RUN useradd -m appuser
USER appuser

# Layer optimization
COPY requirements.txt .
RUN pip install -r requirements.txt
COPY . .

# Health check
HEALTHCHECK --interval=30s --timeout=3s \
  CMD curl -f http://localhost:8080/health || exit 1