principle · Major · pending
Principle: Infrastructure as Code - no manual changes
Tags: infrastructure as code, terraform, gitops, drift, automation, reproducibility
Problem
Manual infrastructure changes are undocumented, unreproducible, and prone to configuration drift between environments.
Solution
All infrastructure changes must go through code:
Rules:
- Every infrastructure component is defined in code (Terraform, CloudFormation, Pulumi)
- Changes go through PR review, just like application code
- No SSH to production to 'fix things' - fix the code, deploy
- No clicking in cloud console - if it's not in code, it doesn't exist
- Environments are identical except for scale and secrets
Implementation levels:
Level 1 - Basic IaC:
- Cloud resources in Terraform/CloudFormation
- Version controlled
- Manual apply
Level 2 - Automated:
- CI/CD pipeline applies infrastructure changes
- Plan output reviewed before apply
- State stored remotely with locking
Level 3 - GitOps:
- Git is the single source of truth
- Automated drift detection
- Reconciliation loop (ArgoCD, Flux)
- No manual apply ever
Escape hatch: for emergencies, make the manual fix AND immediately codify it. Create a ticket to add the IaC equivalent.
The cost of IaC is upfront. The cost of NOT doing IaC compounds every time someone asks 'what's running in production?'
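The "plan output reviewed before apply" step of Level 2 and the "automated drift detection" of Level 3 both come down to reading a Terraform plan and deciding whether anything differs from what the code declares. The script below is an added example, not code from the original page or from HashiCorp: it parses the documented JSON form of a plan (`terraform show -json <planfile>`, whose `resource_changes` entries carry a `change.actions` list), classifies each resource, and returns exit code 2 when drift is found, mirroring the convention of `terraform plan -detailed-exitcode`. The sample plan embedded at the bottom is constructed for the example; the resource addresses in it are illustrative. Note the caveat a practitioner needs: Terraform only reports resources it manages, so something created by hand in the console and never imported will not appear here at all, which is exactly why the rule above says "if it's not in code, it doesn't exist".

```python
"""Drift detection over a Terraform plan rendered as JSON.

Added example (not the page's or Terraform's own code). Assumes the
documented `terraform show -json` plan layout: a top-level
`resource_changes` list whose entries have `address` and
`change.actions`. The sample plan below is constructed for illustration.
"""
import json
import sys

NO_OP = ("no-op",)  # the action list Terraform emits for an in-sync resource


def classify(actions):
    """Map a plan action list to a single verb: in-sync, read, create, update, delete, replace."""
    acts = tuple(actions)
    if acts == NO_OP:
        return "in-sync"
    if set(acts) == {"create", "delete"}:   # ["delete","create"] or ["create","delete"]
        return "replace"
    if acts == ("read",):                    # deferred data-source read; not drift
        return "read"
    return acts[0]                           # create, update or delete


def find_drift(plan):
    """Return [(address, verb)] for every managed resource that is not in sync.

    A non-empty result means the live infrastructure or the code changed
    since the last apply: in Level 2 it is what a reviewer reads before
    approving the apply; in Level 3 it is what the reconciliation loop
    alerts on (or corrects).
    """
    drift = []
    for rc in plan.get("resource_changes", []):
        verb = classify(rc["change"]["actions"])
        if verb in ("in-sync", "read"):
            continue
        drift.append((rc["address"], verb))
    return drift


def exit_code(drift):
    """Same convention as `terraform plan -detailed-exitcode`: 0 clean, 2 changes pending."""
    return 2 if drift else 0


# Constructed sample plan (shape of `terraform show -json` output):
# - an instance resized by hand in the console  -> update
# - a security-group rule deleted out of band   -> create (Terraform will put it back)
# - an untouched bucket                         -> no-op
# - a data source                               -> read
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web", "change": {"actions": ["update"]}},
        {"address": "aws_security_group_rule.ssh", "change": {"actions": ["create"]}},
        {"address": "aws_s3_bucket.logs", "change": {"actions": ["no-op"]}},
        {"address": "data.aws_ami.ubuntu", "change": {"actions": ["read"]}},
    ],
}


def main(argv):
    """Usage: drift.py [plan.json]; without an argument the constructed sample is used."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    drift = find_drift(plan)
    for address, verb in drift:
        print(f"DRIFT {verb:8s} {address}")
    return exit_code(drift)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run on a real plan with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json && python drift.py plan.json`; a scheduled job that runs this against the main branch with no pending PRs and exits 2 is a drift alarm. If you only need the yes/no answer in CI, `terraform plan -detailed-exitcode` alone gives the same 0/2 signal without parsing; the JSON pass is worth it when you want the report to say which resource drifted and how.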
Why
Manual changes create snowflake servers that no one understands. When that server fails, you can't recreate it. IaC means any environment can be rebuilt from scratch.
Context
Teams managing cloud infrastructure at any scale