Strategy & the test pyramid
What to test, and at what level.
Because Terratest tests are slow and cost money, the strategic question is not “test everything” but “what is worth a real deploy.” The testing pyramid applies to infrastructure: a wide base of fast static checks (format, validate, Checkov, policy), a middle of plan-level and unit-ish tests, and a narrow top of full integration tests with Terratest. You do not Terratest every variable permutation — you Terratest the module’s core promise and the integrations that only real deploys can prove.
What to actually test
Good Terratest targets: a reusable module’s happy path (given typical inputs, it produces working, correctly-configured infrastructure), critical security properties that must hold at runtime (the private subnet is really unreachable, the bucket really rejects public access), and integration seams (this module composes with that one). Skip things a cheaper layer already covers — a static scan already knows the bucket has encryption declared; Terratest is for “and it actually works.”