Infrastructure as Code
IaC Tools Comparison
| Tool | Type | Language | Best For |
|---|---|---|---|
| Terraform / OpenTofu | Provisioning | HCL | Multi-cloud infra, state management |
| Ansible | Config Management | YAML | Server config, app deployment, agentless |
| Pulumi | Provisioning | Python/TS/Go/C#/Java | Teams that prefer general-purpose languages, complex logic, unit tests |
| AWS CloudFormation | Provisioning | JSON/YAML | AWS-only, deep service integration |
| AWS CDK | Provisioning | TS/Python/Java | AWS-only, programmatic approach |
| Helm | K8s Config | YAML + templates | Kubernetes application packaging |
Terraform Project Structure
infra/
├── environments/
│   ├── dev/
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── terraform.tfvars
│   └── prod/
│       ├── main.tf
│       └── terraform.tfvars
├── modules/
│   ├── vpc/
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── outputs.tf
│   ├── eks/
│   └── rds/
└── shared/
    ├── backend.tf
    └── providers.tf
IaC Best Practices
| Practice | Description |
|---|---|
| Remote state | Store state in an encrypted remote backend (S3, GCS, Azure Blob) with locking (DynamoDB table for S3, or S3-native locking on Terraform 1.10+); restrict who can read it, since state holds resource attributes and secrets in plaintext |
| State per environment | Separate state files for dev/staging/prod |
| Modularize | Reusable modules for VPC, EKS, RDS, etc. |
| Version pin everything | Pin Terraform core, provider and module versions (`~>` constraints, git tags) and commit `.terraform.lock.hcl` so every run resolves the same provider builds |
| Plan before apply | Always review plan; use CI to automate plan display on PRs |
| Secret management | Never hard-code secrets in IaC; fetch them at apply time from Vault, AWS SSM Parameter Store or Secrets Manager and mark values `sensitive`. They still land in state, so encrypt and restrict the backend, or prefer resources that generate their own secrets (e.g. RDS-managed master passwords) |
| Tag resources | Consistent tags: environment, team, cost-center, created-by |
| Drift detection | Run `terraform plan -detailed-exitcode` on a schedule; exit code 2 means live infrastructure differs from code (manual changes, deleted resources), 1 means the plan itself failed |
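The `shared/backend.tf` and `shared/providers.tf` files from the structure above, plus a `prod` root module, written out as an added example that applies the practices in this table: remote state with locking and encryption, a partial backend so each environment gets its own state key, pinned core/provider/module versions, provider-level default tags, and secrets that are either fetched at apply time or never pass through Terraform at all. This is illustrative code, not from the original page; the bucket and table names, the git module URL, the SSM parameter path, the tag values and the `database_subnet_group` / `database_sg_id` module outputs are all assumptions.

```hcl
# --- shared/backend.tf ---
# Partial backend configuration: bucket, lock table and encryption are fixed here;
# the state key is supplied per environment at init time, e.g.
#   terraform -chdir=environments/dev init \
#     -backend-config="key=environments/dev/terraform.tfstate"
terraform {
  required_version = "~> 1.9"

  backend "s3" {
    bucket         = "example-corp-tfstate"   # assumed bucket name
    region         = "us-east-1"
    encrypt        = true                     # SSE on the state object; state holds secrets in plaintext
    dynamodb_table = "example-corp-tflock"    # assumed table name; serialises concurrent applies
    # Terraform 1.10+ can use S3-native locking instead of DynamoDB: use_lockfile = true
  }
}

# --- shared/providers.tf ---
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.60"   # allows 5.60.x up to <6.0; exact build is recorded in .terraform.lock.hcl
    }
  }
}

provider "aws" {
  region = var.region

  default_tags {              # applied to every taggable resource this provider creates
    tags = {
      environment = var.environment
      team        = "platform"   # assumed values
      cost-center = "cc-1234"
      created-by  = "terraform"
    }
  }
}

# --- environments/prod/main.tf ---
variable "region"      { type = string }
variable "environment" { type = string }

# Modules pinned to an immutable git tag (assumed repository URL); a branch name
# here would let a module change underneath a reviewed plan.
module "vpc" {
  source = "git::https://github.com/example-corp/terraform-modules.git//vpc?ref=v1.4.0"
  cidr   = "10.40.0.0/16"
}

# A secret that must enter Terraform: read it at apply time from SSM and keep it
# sensitive so plan/apply output redacts it. It is still written to state, which is
# why the backend above is encrypted and access-controlled.
data "aws_ssm_parameter" "app_api_key" {
  name            = "/prod/app/api-key"    # assumed SecureString parameter
  with_decryption = true
}

module "app" {
  source  = "git::https://github.com/example-corp/terraform-modules.git//app?ref=v1.4.0"
  api_key = data.aws_ssm_parameter.app_api_key.value   # assumed sensitive module input
}

# Better: let RDS generate the master password and store it in Secrets Manager,
# so it never passes through variables, plan output or state.
resource "aws_db_instance" "main" {
  identifier                  = "prod-app-db"
  engine                      = "postgres"
  engine_version              = "16.3"
  instance_class              = "db.t4g.medium"
  allocated_storage           = 50
  username                    = "app_admin"
  manage_master_user_password = true
  storage_encrypted           = true
  db_subnet_group_name        = module.vpc.database_subnet_group   # assumed module output
  vpc_security_group_ids      = [module.vpc.database_sg_id]        # assumed module output
  skip_final_snapshot         = false
}
```

The `~>` constraint on the provider only bounds the range; the exact build and its checksums come from the committed `.terraform.lock.hcl`, so a CI runner cannot silently pick up a different provider release. Anything read from `data "aws_ssm_parameter"` is in state regardless of `sensitive`, so treat state-bucket read access as equivalent to access to those secrets.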