Infrastructure

Terraform module hygiene: small rules that save weekends

A short checklist we apply to every Terraform module so changes stay safe, reviewable and easy to roll back.

Mar 2026 · 5 min read

Most Terraform incidents we get called into aren't caused by exotic bugs. They're caused by modules that grew organically, pin nothing, expose every variable, and apply changes nobody reviewed carefully. The fix isn't a rewrite — it's a handful of conventions enforced consistently.

Pin everything that can drift

Pin the Terraform version, provider versions and module sources to exact values. Floating versions are how a routine apply on Tuesday picks up a breaking provider release and rewrites half your security groups. Use a Renovate or Dependabot job to bump the pins on a schedule, each bump arriving as a PR you can actually review.
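As an added example (not code from the original post), the script below is a pre-commit or CI check that fails a module whose versions still float. It writes two constructed versions.tf fixtures, one with range constraints and an unpinned git source, the other with exact pins, so you can see the "before" and "after" side by side; the module URL, provider and version numbers are illustrative assumptions, and the check assumes GNU or BSD grep with -H and -E.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: a pre-commit / CI check that
# fails when a Terraform module leaves a version floating. Assumes GNU or BSD
# grep with -H and -E; the module URL and version numbers below are constructed.
set -u

# Exit 0 if every version constraint in the module's *.tf files is an exact
# pin and every git module source carries a ?ref=; exit 1 otherwise, listing
# each offending file:line so the reviewer can see what would drift.
check_pins() {
  dir="$1"
  status=0

  # A constraint containing ~> >= > < != or a comma/wildcard is a range, not a pin.
  floating=$(grep -nHE 'version[[:space:]]*=[[:space:]]*"[^"]*[~><!,*]' "$dir"/*.tf 2>/dev/null || true)
  if [ -n "$floating" ]; then
    printf 'floating version constraint:\n%s\n' "$floating"
    status=1
  fi

  # A git module source without ?ref= resolves to whatever the default branch
  # head is on the day of the apply.
  unpinned=$(grep -nHE 'source[[:space:]]*=[[:space:]]*"git::' "$dir"/*.tf 2>/dev/null | grep -vE '\?ref=' || true)
  if [ -n "$unpinned" ]; then
    printf 'git module source without ?ref=:\n%s\n' "$unpinned"
    status=1
  fi
  return $status
}

# Constructed fixture: the "before" module, with every version left floating.
write_floating_module() {
  cat > "$1/versions.tf" <<'EOF'
terraform {
  required_version = ">= 1.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

module "vpc" {
  source = "git::https://git.example.invalid/modules/vpc.git"
}
EOF
}

# Constructed fixture: the same module with the Terraform version, the provider
# and the module source pinned to exact values.
write_pinned_module() {
  cat > "$1/versions.tf" <<'EOF'
terraform {
  required_version = "1.7.5"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "5.40.0"
    }
  }
}

module "vpc" {
  source = "git::https://git.example.invalid/modules/vpc.git?ref=v1.2.3"
}
EOF
}

# Usage: check_pins.sh <module-dir>. With no argument the script only defines
# the functions, so it can be sourced from a hook or a CI step.
[ $# -eq 0 ] || check_pins "$1"
```

Run it against the floating fixture and it lists three offending lines (the required_version range, the provider range and the ref-less git source) and exits 1; against the pinned fixture it exits 0. The same exit code is what a pre-commit hook or a CI job needs to block the merge.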

Keep modules small and opinionated

A good module does one thing and exposes the minimum set of variables needed to do it well. If your module has 40 inputs and a dozen feature flags, it's a framework, not a module — and every consumer will use it differently. Split it, set sane defaults, and remove the knobs nobody turns.

Plan in CI, apply with intent

Every PR should produce a plan output attached to the review. Applies should be triggered explicitly after merge, never as a side effect of pushing to a branch. This one workflow change catches the majority of accidental destroys before they ever reach the cloud.
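The plan/apply split as two CI steps, written as an added example rather than taken from the original post. Step 1 runs on every PR and saves a plan artifact plus a readable copy to attach to the review; a gate function reads the saved plan's summary line and refuses to continue when it would destroy anything unless the reviewer has explicitly acknowledged that; step 2 applies only the reviewed artifact and is meant to be triggered by hand after merge. It assumes the terraform CLI is on the runner's PATH and that your pipeline uploads plan.txt to the PR; the plan text used to exercise the gate is constructed, and the "destroy-ok" acknowledgement label is an assumed convention.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: plan in CI, gate on
# destroys, apply explicitly. Assumes the terraform CLI is on PATH; the
# sample plan text and the "destroy-ok" label are constructed conventions.
set -u

# CI step 1, on every PR: produce the plan artifact and a readable copy that
# the pipeline attaches to the review. Nothing here touches the cloud.
plan_for_review() {
  terraform init -input=false
  terraform plan -input=false -no-color -out=tfplan
  terraform show -no-color tfplan > plan.txt
}

# Number of resources the saved plan would destroy, read from the
# "Plan: X to add, Y to change, Z to destroy." summary line (0 if absent).
destroy_count() {
  n=$(sed -nE 's/.*Plan: [0-9]+ to add, [0-9]+ to change, ([0-9]+) to destroy.*/\1/p' "$1")
  echo "${n:-0}"
}

# The resources that would be destroyed or replaced, one per line.
destructive_resources() {
  grep -E '^ *# .* (will be destroyed|must be replaced)' "$1"
}

# Gate: exit 1 when the plan destroys anything and the reviewer has not
# acknowledged it (second argument "destroy-ok", e.g. from a PR label).
gate_plan() {
  plan="$1"
  ack="${2:-}"
  n=$(destroy_count "$plan")
  if [ "$n" -gt 0 ] && [ "$ack" != "destroy-ok" ]; then
    echo "plan destroys $n resource(s); acknowledge with destroy-ok to proceed:" >&2
    destructive_resources "$plan" >&2
    return 1
  fi
  return 0
}

# CI step 2, triggered explicitly after merge, never on push: apply exactly
# the artifact that was reviewed, so no re-plan can slip in new changes.
apply_reviewed_plan() {
  terraform apply -input=false -no-color tfplan
}

# Constructed sample of `terraform show -no-color tfplan` output, used to
# exercise the gate offline: one destroy, one replacement, one create.
write_sample_plan() {
  cat > "$1" <<'EOF'
Terraform will perform the following actions:

  # aws_security_group.web will be destroyed
  - resource "aws_security_group" "web" {
      - name = "web" -> null
    }

  # aws_instance.app must be replaced
-/+ resource "aws_instance" "app" {
      ~ ami = "ami-00000000" -> "ami-11111111" # forces replacement
    }

  # aws_s3_bucket.logs will be created
  + resource "aws_s3_bucket" "logs" {
      + bucket = "logs"
    }

Plan: 2 to add, 0 to change, 2 to destroy.
EOF
}

# Usage: gate.sh <plan.txt> [destroy-ok]. With no argument only the functions
# are defined, so the script can be sourced from a CI step.
[ $# -eq 0 ] || gate_plan "$@"
```

On the constructed plan the gate reports two destroys (the security group and the replaced instance) and exits 1; passing destroy-ok lets it through, and a plan with zero destroys passes without any acknowledgement. Wiring `plan_for_review` into the PR job and `apply_reviewed_plan` into a manually triggered post-merge job is what makes the apply an intentional act rather than a side effect of a push.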

None of this is novel. It's just the difference between infrastructure code you trust on a Friday afternoon and infrastructure code you only touch on Monday mornings.

Want to apply this to your stack?

Book a call with our team and we'll walk through the patterns on your own workloads.

Contact us →