Infrastructure as Code
Infrastructure in git. Reproducible. Auditable.
Terraform and Pulumi with a GitOps workflow. Every infrastructure change goes through code review and automated checks, and leaves an audit trail in git.
Why Infrastructure as Code¶
Manual infrastructure is technical debt. A server configured through the console is a snowflake: nobody knows exactly how to reproduce it. IaC eliminates:
- Snowflake problem — Every environment is reproducible from code
- Documentation drift — Code IS documentation. Always current.
- Audit questions — “Who changed the firewall?” → git blame
- DR nightmare — Rebuilding an environment is terraform apply from the repository. The code rebuilds the infrastructure, not its contents: data is restored from backups, and the state file itself must be backed up as well
- Environment parity — Dev = staging = prod (just different parameters)
GitOps Workflow¶
Developer → Branch → Terraform change → PR
│
┌──────────┴──────────┐
│ Automated checks: │
│ - terraform validate│
│ - tflint │
│ - checkov (security)│
│ - cost estimate │
│ - plan preview │
└──────────┬──────────┘
│
Code review + approval
│
Merge → terraform apply
│
Drift detection (continuous)
Everything is automated. The plan preview is posted as a PR comment, so the reviewer sees exactly which resources will be created, changed, replaced or destroyed before approving. The cost estimate shows the impact on the cloud bill.
Modularization¶
Terraform modules for standard patterns:
- Networking — VPC/VNet, subnets, NSG, load balancer
- Kubernetes cluster — Managed K8s with node pools, RBAC, monitoring
- Database — Managed PostgreSQL/SQL Server with backup, monitoring
- Monitoring — Grafana + Prometheus + alerting rules
- Application — Container app with ingress, TLS, DNS
Internal module registry. New team fills in parameters, gets production-ready infrastructure in hours. Best practices built-in — security, tagging, naming, monitoring.
Drift Detection¶
Someone changes something manually in the console. Without drift detection you won’t notice until the next terraform apply silently overwrites the change and something breaks.
Drift detection runs automatically every hour and alerts on any mismatch between the state file and the live environment. Remediation goes one of two ways: accept the change (record it in state and then in the code, so the repository stays the source of truth) or revert the manual change by re-applying the code. Either way the console change gets the review it skipped.
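Both the plan preview in the PR comment and the hourly drift check can be driven from the JSON form of a plan: `terraform plan -out plan.out` followed by `terraform show -json plan.out` (for the drift job, `terraform plan -refresh-only -out plan.out`, so that only differences between state and the live environment are considered, not uncommitted code). In that document Terraform lists out-of-band changes under `resource_drift` and the actions an apply would take under `resource_changes`. The script below is an added example and not the page's own tooling; the helper names and the embedded plan document are constructed for illustration.

```python
"""Added example: consume `terraform show -json plan.out` to build the PR-comment plan
preview and the hourly drift report. Helper names are hypothetical; the embedded plan
document is constructed, not output from a real run."""
import json
from collections import Counter

# Constructed `terraform show -json` document. `resource_drift` records what changed outside
# Terraform (here: a security group opened to 0.0.0.0/0 in the console); `resource_changes`
# records what applying the code would do (revert that change, replace a bucket, remove a user).
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_drift": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"],
                    "before": {"ingress_cidr": "10.0.0.0/8", "tags": {"owner": "platform"}},
                    "after": {"ingress_cidr": "0.0.0.0/0", "tags": {"owner": "platform"}}}},
    ],
    "resource_changes": [
        {"address": "aws_vpc.main", "type": "aws_vpc",
         "change": {"actions": ["no-op"],
                    "before": {"cidr_block": "10.0.0.0/16"}, "after": {"cidr_block": "10.0.0.0/16"}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"],
                    "before": {"ingress_cidr": "0.0.0.0/0", "tags": {"owner": "platform"}},
                    "after": {"ingress_cidr": "10.0.0.0/8", "tags": {"owner": "platform"}}}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["delete", "create"],
                    "before": {"bucket": "logs-old"}, "after": {"bucket": "logs-new"}}},
        {"address": "aws_iam_user.temp", "type": "aws_iam_user",
         "change": {"actions": ["delete"], "before": {"name": "temp"}, "after": None}},
    ],
})

DESTRUCTIVE = {"delete", "replace"}


def load_plan(text: str) -> dict:
    """Parse the document written by `terraform show -json plan.out`."""
    return json.loads(text)


def classify(actions: list) -> str:
    """Collapse Terraform's action list to one verb; both replace orderings become 'replace'."""
    return "replace" if sorted(actions) == ["create", "delete"] else actions[0]


def changed_attributes(change: dict) -> list:
    """Top-level attributes whose value differs between before and after (sorted)."""
    before, after = change.get("before") or {}, change.get("after") or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def summarize(plan: dict) -> dict:
    """Resource count per verb, e.g. {'no-op': 1, 'update': 1, 'replace': 1, 'delete': 1}."""
    return dict(Counter(classify(rc["change"]["actions"]) for rc in plan.get("resource_changes", [])))


def destructive_addresses(plan: dict) -> list:
    """What a reviewer must read twice: every resource that would be destroyed or recreated."""
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if classify(rc["change"]["actions"]) in DESTRUCTIVE]


def drift_report(plan: dict) -> list:
    """Hourly job output: (address, changed attributes, live values) per drifted resource.
    `resource_drift` is where Terraform reports differences between the state file and the
    real infrastructure, so a non-empty list is the alert condition."""
    report = []
    for rc in plan.get("resource_drift", []):
        attrs = changed_attributes(rc["change"])
        live = {k: (rc["change"].get("after") or {}).get(k) for k in attrs}
        report.append((rc["address"], attrs, live))
    return report


def detailed_exit_code(plan: dict) -> int:
    """0 for an empty plan, 2 when applying would change something (the convention of
    `terraform plan -detailed-exitcode`; 1 means error and is never produced here)."""
    return 2 if any(v not in ("no-op", "read") for v in summarize(plan)) else 0


def render_pr_comment(plan: dict) -> str:
    """Markdown for the PR comment: drift first, then the change table with destructive rows flagged."""
    lines = []
    drift = drift_report(plan)
    if drift:
        lines.append("**Changed outside Terraform since the last apply:**")
        lines += [f"- `{addr}`: {', '.join(attrs)} now {live}" for addr, attrs, live in drift]
        lines.append("")
    lines += ["| action | address | changed attributes |", "|---|---|---|"]
    for rc in plan.get("resource_changes", []):
        verb = classify(rc["change"]["actions"])
        if verb in ("no-op", "read"):
            continue  # unchanged resources only add noise to a review
        flag = " :warning:" if verb in DESTRUCTIVE else ""
        lines.append(f"| {verb}{flag} | `{rc['address']}` | {', '.join(changed_attributes(rc['change'])) or '-'} |")
    c = summarize(plan)
    lines.append(f"\n**Plan:** {c.get('create', 0)} to add, {c.get('update', 0)} to change, "
                 f"{c.get('replace', 0)} to replace, {c.get('delete', 0)} to destroy.")
    return "\n".join(lines)


if __name__ == "__main__":
    plan = load_plan(SAMPLE_PLAN_JSON)
    print(render_pr_comment(plan))
    raise SystemExit(detailed_exit_code(plan))
```

The flagged rows are what a reviewer reads first; a replace that looks like a rename can mean data loss. For the hourly job, a non-empty `drift_report` is the alert. Accepting the drift means `terraform apply -refresh-only` (records the live values in state without touching infrastructure) followed by the matching code change; reverting it is a normal apply of the unchanged code, which is exactly the `update` row in the sample table.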
Security as Code¶
Checkov, tfsec, Sentinel policies — automatic validation of security rules:
- Encryption at rest mandatory
- Public access forbidden (unless explicitly approved)
- Tagging rules (cost center, environment, owner)
- Network segmentation
- Logging enabled
Security check runs in CI — non-compliant changes don’t reach production.
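The rule set above as a CI gate over plan JSON, added here as an example; it is not Checkov, tfsec or Sentinel, which encode the same kind of rules against full provider schemas and are what a real pipeline runs. Attribute names follow the AWS provider for the resource types used (`storage_encrypted`, `publicly_accessible`, `encrypted`, `ingress[].cidr_blocks`, `access_logs[].enabled`); the helper names, the approval mechanism (an explicit allowlist of resource addresses) and the embedded plan document are constructed for illustration.

```python
"""Added example: policy-as-code checks run in CI over `terraform show -json plan.out`.
The rules mirror the page's list (encryption at rest, no public access unless approved,
mandatory tags, logging). Helper names and the sample plan are constructed."""
import json

REQUIRED_TAGS = {"cost_center", "environment", "owner"}
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

# Constructed planned `after` values (not a real plan): one resource per rule, one security
# group that is deliberately public and approved, and one deletion with nothing to check.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_db_instance.app", "type": "aws_db_instance",
         "change": {"actions": ["create"], "after": {
             "storage_encrypted": False, "publicly_accessible": False,
             "tags": {"cost_center": "cc-42", "environment": "prod", "owner": "platform"}}}},
        {"address": "aws_security_group.public_web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {
             "ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}],
             "tags": {"cost_center": "cc-42", "environment": "prod", "owner": "platform"}}}},
        {"address": "aws_security_group.admin", "type": "aws_security_group",
         "change": {"actions": ["update"], "after": {
             "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}],
             "tags": {"cost_center": "cc-42", "environment": "prod", "owner": "platform"}}}},
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
         "change": {"actions": ["create"], "after": {
             "encrypted": True, "tags": {"environment": "prod", "owner": "platform"}}}},
        {"address": "aws_lb.edge", "type": "aws_lb",
         "change": {"actions": ["create"], "after": {
             "access_logs": [{"bucket": "lb-logs", "enabled": False}],
             "tags": {"cost_center": "cc-42", "environment": "prod", "owner": "platform"}}}},
        {"address": "aws_iam_user.temp", "type": "aws_iam_user",
         "change": {"actions": ["delete"], "after": None}},
    ],
})


def load_plan(text: str) -> dict:
    return json.loads(text)


def rule_encryption_at_rest(rtype: str, after: dict):
    """ENCRYPT: storage must be encrypted at rest."""
    if rtype == "aws_db_instance" and after.get("storage_encrypted") is not True:
        return "storage_encrypted must be true"
    if rtype == "aws_ebs_volume" and after.get("encrypted") is not True:
        return "encrypted must be true"
    return None


def rule_no_public_access(rtype: str, after: dict):
    """PUBLIC: nothing reachable from the whole internet (IPv4 or IPv6)."""
    if rtype == "aws_db_instance" and after.get("publicly_accessible"):
        return "publicly_accessible must be false"
    if rtype == "aws_security_group":
        for rule in after.get("ingress") or []:
            if ANY_ADDRESS & set(rule.get("cidr_blocks") or []):
                return f"ingress {rule.get('from_port')}-{rule.get('to_port')} open to the internet"
    return None


def rule_required_tags(rtype: str, after: dict):
    """TAGS: cost center, environment and owner on every taggable resource."""
    if "tags" not in after:
        return None
    missing = REQUIRED_TAGS - set(after.get("tags") or {})
    return f"missing tags: {', '.join(sorted(missing))}" if missing else None


def rule_logging_enabled(rtype: str, after: dict):
    """LOGGING: load balancers must ship access logs."""
    if rtype == "aws_lb" and not (after.get("access_logs") or [{}])[0].get("enabled"):
        return "access_logs.enabled must be true"
    return None


RULES = [("ENCRYPT", rule_encryption_at_rest), ("PUBLIC", rule_no_public_access),
         ("TAGS", rule_required_tags), ("LOGGING", rule_logging_enabled)]


def evaluate(plan: dict, approved_public: frozenset = frozenset()) -> list:
    """(address, rule_id, message) for every failing rule. `approved_public` is the explicit
    exception list for the PUBLIC rule (hypothetical mechanism: kept in the repo, reviewed like code)."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:  # destroyed resources have no planned state to check
            continue
        for rule_id, rule in RULES:
            if rule_id == "PUBLIC" and rc["address"] in approved_public:
                continue
            msg = rule(rc["type"], after)
            if msg:
                findings.append((rc["address"], rule_id, msg))
    return findings


def ci_gate(plan_text: str, approved_public: frozenset = frozenset()) -> int:
    """Exit status for the pipeline step: 0 = compliant, 1 = block the merge."""
    findings = evaluate(load_plan(plan_text), approved_public)
    for address, rule_id, msg in findings:
        print(f"[{rule_id}] {address}: {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_PLAN_JSON, frozenset({"aws_security_group.public_web"})))
```

The allowlist is what "unless explicitly approved" looks like in code: the exception is a reviewed line in the repository, not a ticket somebody remembers, and the rule still fires for every other resource (the admin group with port 22 open in the sample). Deleted resources are skipped because there is no planned state to check. The dependence on provider attribute names, which shift between provider versions, is precisely why the real tools maintain their own check catalogues.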
Frequently asked questions
Terraform is the standard with a huge ecosystem. Pulumi enables TypeScript/Python — better for development teams. We choose based on the team and existing tooling.
Remote state lives in encrypted storage (S3 with a DynamoDB lock table, or Azure Blob with its lease-based locking). State locking prevents two applies from colliding. One workspace per environment. Automated backup via versioning of the state store. Because state holds resource attributes in plaintext, including any secrets providers return, access to the state store is restricted and logged.
Depends on infrastructure complexity. Typically 4-8 weeks for existing environments. New environments from scratch are faster — 2-4 weeks.