Codifying infrastructure configuration to automate provisioning and management. Treat infrastructure the same as application code—version controlled, reviewed, tested, and repeatable.
Benefits
- Repeatability - Deploy identical environments reliably, every time
- Consistency - Eliminate configuration drift between environments
- Documentation - Configuration files serve as living, executable documentation
- Version control - Track changes, review via pull requests, rollback when needed
- Automation - Integrate with CI/CD pipelines for continuous deployment
- Auditing - Full history of who changed what and when
Approaches
Declarative
Define the desired end state; the tool determines how to achieve it. Idempotent by nature.
Imperative
Define the steps to reach the desired state. More control, but requires careful handling of idempotency.
- Ansible
- Chef
- Puppet
Tools
- Ansible - Agentless configuration management using YAML playbooks. Connects via SSH. Good for configuration and orchestration.
- OpenTofu / Terraform - Declarative cloud provisioning using HCL. Manages state to track resources. See Terraform for details.
- Pulumi - IaC using general-purpose programming languages (TypeScript, Python, Go). Offers type safety and IDE support.
GitOps
Git as the single source of truth for infrastructure. Changes are made via pull requests and automatically reconciled by an operator running in the cluster.
- Argo CD - Kubernetes-native continuous delivery. Declarative, GitOps-based. Web UI for visualisation.
- Flux - CNCF project. Pull-based reconciliation. Lightweight and composable.
Best Practices
Use remote state with locking
Store state in a shared backend (S3, GCS, Azure Blob) rather than locally. Enable locking to prevent concurrent modifications that corrupt state.
Modularise configurations
Break infrastructure into reusable modules. Reduces duplication, improves testability, and makes large configurations manageable.
Separate environments
Keep production, staging, and development in separate state files or workspaces. Prevents accidental changes to production when working on development.
Review before applying
Always run plan or dry-run before applying changes. Integrate this into CI/CD pipelines with manual approval gates for production.
Consistent tagging and labelling
Tag all resources with environment, owner, project, and cost centre. Essential for cost allocation, filtering, and automation.
Secrets management
Never commit secrets to version control. Use secret managers (Vault, AWS Secrets Manager, GCP Secret Manager) and reference them dynamically.
Design for idempotency
Ensure running the same configuration multiple times produces the same result. Avoid scripts that append rather than set, or create rather than ensure.