Infrastructure as Code
Infrastructure as code means defining and managing cloud resources – servers, networks, databases, load balancers, DNS records – in version-controlled configuration files that you review, test, and deploy the same way you deploy application code. The payoff is immediate: no more undocumented manual changes, reproducible environments across dev/staging/production, and a full audit trail of exactly who changed what infrastructure and when. That last point matters more than people expect – most incident postmortems involve someone saying “but I thought the load balancer config was X” and discovering it had been manually changed three weeks ago.
The IaC Deployment Pipeline
Policy-as-code (OPA/Sentinel) gates infrastructure changes before they reach terraform apply — shift-left for infra.
Terraform is the most widely adopted IaC tool. Its declarative HCL syntax describes the desired state of your infrastructure, and the engine calculates and applies the diff. The community provider registry is genuinely impressive – you can manage AWS VPCs, Cloudflare DNS records, GitHub repository settings, and Datadog monitors in the same codebase. OpenTofu is the Linux Foundation-maintained open-source fork following HashiCorp’s controversial BSL licence change in 2023, and it’s gained rapid adoption as a drop-in Terraform-compatible alternative. The Terraform vs Pulumi debate is mostly a matter of taste and team background. Pulumi lets you write infrastructure definitions in TypeScript, Python, Go, or Java – full programming language semantics, loops, conditionals, unit tests. If your infrastructure logic is complex and repetitive (generating dozens of similar resources dynamically), Pulumi can be much cleaner. If your team already knows Terraform HCL and your infrastructure is reasonably straightforward, there’s no compelling reason to switch.
IaC Module Composition — How Reuse Works
Modules output values that downstream modules consume as inputs — the network module outputs vpc_id which the compute module needs.
The operational patterns have matured into clear best practices. State management is critical in Terraform – remote state in S3 with DynamoDB locking (or Terraform Cloud) prevents concurrent applies from corrupting your state file. Module composition breaks infrastructure into reusable pieces for networking, compute, and databases. Policy as code tools like Open Policy Agent (OPA) and HashiCorp Sentinel enforce guardrails automatically in CI before any change is applied: no public S3 buckets, required resource tags, approved instance types. Drift detection – continuously comparing live infrastructure against declared state – catches manual console changes before they become incidents. That’s the scenario that always hurts: someone made a quick change in the AWS console during an incident and forgot to update the IaC, and six months later you’re debugging why your IaC plan is trying to “delete” a resource that production actually depends on.
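As an added illustration of the policy-as-code gate described above (example code written for this page, not code from OPA, Sentinel, Terraform or any project), the following Python evaluates the JSON form of a Terraform plan (`terraform show -json <planfile>`) against three assumed guardrails: no public S3 bucket ACLs, required resource tags, and an approved instance-type list. It also flags any planned destroy, since that is the drift symptom the paragraph ends on. The sample plan is constructed, and the guardrail values are assumptions a real team would replace with its own.

```python
import json

# Guardrails assumed for this example; teams define their own values.
REQUIRED_TAGS = {"owner", "environment"}
APPROVED_INSTANCE_TYPES = {"t3.small", "t3.medium", "m6i.large"}
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def evaluate_plan(plan: dict) -> list:
    """Return policy violations found in `terraform show -json <planfile>` output."""
    violations = []
    for rc in plan.get("resource_changes", []):
        addr, rtype = rc["address"], rc["type"]
        change = rc.get("change", {})
        actions = change.get("actions", [])
        after = change.get("after") or {}  # null for a pure destroy
        # A destroy needs a human look: it is the classic drift symptom where the
        # plan wants to delete something production still depends on.
        if "delete" in actions:
            violations.append(f"{addr}: plan destroys this resource, needs review")
        if "create" not in actions and "update" not in actions:
            continue  # no resulting state to validate (pure destroy or no-op)
        if rtype == "aws_s3_bucket" and after.get("acl") in PUBLIC_ACLS:
            violations.append(f"{addr}: public ACL '{after['acl']}' is not allowed")
        if rtype == "aws_instance" and after.get("instance_type") not in APPROVED_INSTANCE_TYPES:
            violations.append(f"{addr}: instance_type '{after.get('instance_type')}' not approved")
        if rtype in ("aws_s3_bucket", "aws_instance"):  # taggable resources; tags may be null
            missing = REQUIRED_TAGS - set((after.get("tags") or {}).keys())
            if missing:
                violations.append(f"{addr}: missing required tags {sorted(missing)}")
    return violations


# Constructed sample plan in the `terraform show -json` layout, not real output.
SAMPLE_PLAN = json.loads("""
{"format_version": "1.2", "resource_changes": [
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "change": {"actions": ["create"], "after": {"bucket": "example-logs",
              "acl": "public-read", "tags": {"owner": "platform"}}}},
  {"address": "aws_instance.web", "type": "aws_instance",
   "change": {"actions": ["create"], "after": {"instance_type": "t3.medium",
              "tags": {"owner": "web", "environment": "prod"}}}},
  {"address": "aws_instance.legacy", "type": "aws_instance",
   "change": {"actions": ["delete"], "after": null}}
]}
""")

if __name__ == "__main__":
    found = evaluate_plan(SAMPLE_PLAN)
    print("\n".join(found) or "no violations")
    raise SystemExit(1 if found else 0)  # non-zero fails the CI step, blocking apply
```

Run in CI between `terraform plan -out=tfplan` and `terraform apply`, a non-zero exit stops the pipeline the same way an OPA or Sentinel policy failure would.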
Frequently Asked Questions
What is the difference between Terraform and CloudFormation?
CloudFormation is AWS-specific and uses JSON or YAML templates. Terraform is cloud-agnostic with hundreds of providers via a plugin ecosystem – the standard choice when you use multiple cloud providers or want to manage non-AWS resources alongside your AWS infrastructure. CloudFormation has tighter AWS service integration and handles some AWS-specific scenarios better.
How do you manage secrets in infrastructure as code?
Never store secrets in plain text in IaC files. The standard approach is referencing secrets from a secrets manager (AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault) in your Terraform code, letting the runtime inject values. Bear in mind that a value read from a secrets manager through a data source is still written into the Terraform state file in plain text (marking it sensitive only masks CLI output), so the state backend needs encryption and restricted access, and state must never be copied into CI logs or artifacts. For CI/CD pipelines, secrets go in the pipeline platform (GitHub Actions secrets, GitLab CI variables) and get injected as environment variables.
What is drift detection and why does it matter?
Drift is when actual infrastructure state differs from what your IaC declares – usually from a manual change in the cloud console. Drift detection tools periodically compare live state against declared configuration and alert you to differences. Catching drift early prevents incidents where someone assumes the IaC is the source of truth when the infrastructure has already changed underneath it.
Should you use Terraform or Pulumi for new projects?
Terraform (or OpenTofu) is the safer default if your team already knows it or needs the widest provider support. Choose Pulumi when infrastructure logic is complex enough that a real programming language would simplify it significantly – for example, generating dozens of similar resources dynamically or writing unit tests for infrastructure modules. Both are mature tools.
