Infrastructure as Code
IaC Tools Comparison
| Tool | Type | Language | Best For |
|---|---|---|---|
| Terraform / OpenTofu | Provisioning | HCL | Multi-cloud infra, state management |
| Ansible | Config Management | YAML | Server config, app deployment, agentless |
| Pulumi | Provisioning | Python/TS/Go/C# | Teams that prefer general-purpose languages, complex logic, unit-testable infra |
| AWS CloudFormation | Provisioning | JSON/YAML | AWS-only, deep service integration |
| AWS CDK | Provisioning | TS/Python/Java | AWS-only, programmatic approach |
| Helm | K8s Config | YAML + templates | Kubernetes application packaging |
Terraform Project Structure
```
infra/
├── environments/
│   ├── dev/
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── terraform.tfvars
│   └── prod/
│       ├── main.tf
│       └── terraform.tfvars
├── modules/
│   ├── vpc/
│   │   ├── main.tf
│   │   ├── variables.tf
│   │   └── outputs.tf
│   ├── eks/
│   └── rds/
└── shared/
    ├── backend.tf
    └── providers.tf
```
IaC Best Practices
| Practice | Description |
|---|---|
| Remote state | Store state in a remote backend (S3, GCS, Terraform Cloud) with locking enabled (a DynamoDB table or, from Terraform 1.10, the native S3 lockfile for the S3 backend; GCS locks natively) and encryption at rest; state holds resource attributes and secrets in plaintext, so restrict who can read it |
| State per environment | Separate state files for dev/staging/prod |
| Modularize | Reusable modules for VPC, EKS, RDS, etc. |
| Version pin everything | Pin `required_version`, provider versions and module versions, and commit `.terraform.lock.hcl` so CI resolves the same provider builds |
| Plan before apply | Always review the plan and apply the saved plan file (`terraform plan -out=plan.tfplan`, then `terraform apply plan.tfplan`) so what is applied is exactly what was reviewed; have CI post the plan on PRs |
| Secret management | Never commit secrets in `.tf` or `.tfvars` files; inject them at plan/apply time from Vault, AWS SSM Parameter Store, Secrets Manager or similar, mark the variables `sensitive = true`, and remember that the values still land in state |
| Tag resources | Consistent tags: environment, team, cost-center, created-by |
| Drift detection | Run `terraform plan -detailed-exitcode` on a schedule; exit code 2 means the real infrastructure has diverged from the code |
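The following shows what the files in the project layout above contain and how the practices in the table (remote state with locking and encryption, version pinning, default tags, secrets injected from SSM) fit together. It is an added example, not code from the original page; every concrete name in it (the `example-org-tfstate` bucket, the `example-org-tflock` table, the `/dev/rds/master_password` parameter, the module inputs and outputs) is an assumption. It also assumes that `shared/*.tf` are symlinked into each `environments/<env>/` directory, because Terraform only loads `.tf` files from the root module directory, and that the per-environment state key is passed at `terraform init`, because backend blocks cannot reference variables.

```hcl
# shared/backend.tf  (assumed to be symlinked into every environments/<env>/ directory)
# Backend blocks cannot use variables, so the per-environment key is given at init:
#   terraform init -backend-config="key=dev/terraform.tfstate"
terraform {
  backend "s3" {
    bucket         = "example-org-tfstate"   # assumed bucket name
    region         = "eu-west-1"
    encrypt        = true                    # state holds secrets: encrypt at rest
    dynamodb_table = "example-org-tflock"    # assumed lock table; prevents concurrent applies
  }
}

# shared/providers.tf
terraform {
  required_version = "~> 1.6"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.40"   # pinned; commit the generated .terraform.lock.hcl as well
    }
  }
}

provider "aws" {
  region = var.region
  default_tags {   # applied to every taggable resource this provider creates
    tags = {
      environment = var.environment
      team        = var.team
      cost-center = var.cost_center
      created-by  = "terraform"
    }
  }
}

# environments/dev/variables.tf
variable "region"      { type = string }
variable "environment" { type = string }
variable "team"        { type = string }
variable "cost_center" { type = string }
variable "db_password_ssm_name" {
  type        = string
  description = "Name of the SecureString SSM parameter holding the RDS master password"
}

# environments/dev/terraform.tfvars  (only the parameter *name*, never the secret itself)
region               = "eu-west-1"
environment          = "dev"
team                 = "platform"
cost_center          = "cc-1234"
db_password_ssm_name = "/dev/rds/master_password"

# environments/dev/main.tf
module "vpc" {
  source = "../../modules/vpc"
  cidr   = "10.10.0.0/16"
}

# The secret is fetched at plan/apply time from SSM and never written to .tf or .tfvars.
# Note: the decrypted value is still recorded in state, which is why the state bucket
# above is encrypted and must be access-restricted.
data "aws_ssm_parameter" "db_password" {
  name            = var.db_password_ssm_name
  with_decryption = true
}

module "rds" {
  source          = "../../modules/rds"
  subnet_ids      = module.vpc.private_subnet_ids   # output of the vpc module
  master_password = data.aws_ssm_parameter.db_password.value
}

# modules/vpc/variables.tf
variable "cidr" { type = string }

# modules/vpc/outputs.tf  (assumes the module defines aws_subnet.private with count/for_each)
output "private_subnet_ids" {
  value = aws_subnet.private[*].id
}

# modules/rds/variables.tf
variable "subnet_ids" { type = list(string) }
variable "master_password" {
  type      = string
  sensitive = true   # redacted from plan output and CLI logs, but still present in state
}
```

Day-to-day use follows the table: `terraform init -backend-config="key=dev/terraform.tfstate"` once per environment, then `terraform plan -out=dev.tfplan` for review and `terraform apply dev.tfplan` so only the reviewed plan is applied; the same `plan` command with `-detailed-exitcode` on a schedule returns 2 when someone has changed the VPC or RDS resources by hand.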