Low Level Design: Infrastructure as Code

Introduction

Infrastructure as Code (IaC) manages infrastructure via version-controlled declarative configuration, enabling reproducible, auditable, and automated infrastructure provisioning. Changes go through code review and are applied consistently across environments.

Terraform Architecture

Providers are plugins for cloud APIs (AWS, GCP, Azure, Kubernetes). Resources are infrastructure components such as aws_instance or aws_rds_cluster. Data sources read existing resources not managed by Terraform. Modules are reusable resource groups. The state file records current infrastructure state. Plan computes the difference between desired and current state. Apply executes the changes.

State Management

Terraform state is stored in a remote backend (S3 + DynamoDB for locking, or Terraform Cloud). The state file maps each resource to its real infrastructure ID. State locking prevents concurrent applies. State must be updated atomically. Never edit the state file manually. Use terraform import to bring existing resources under management. The state file may contain sensitive values such as database passwords and must be stored encrypted.

Module Design

Modules encapsulate reusable infrastructure patterns. Each module has inputs (variables), outputs (exported values), and resources. For example, a vpc module creates the VPC, subnets, route tables, and NAT gateways. Modules are versioned in a separate repository. The root module calls child modules with environment-specific variable values. A module registry makes shared modules available across teams.

Multi-Environment Strategy

Each environment (dev, staging, production) has a separate state. The workspace approach uses one configuration with multiple workspaces and different variable values. The directory approach uses separate directories per environment for more isolation at the cost of some duplication. The production environment enforces stricter policies: tighter IAM permissions, deletion prevention, and manual approval before apply. Variables are loaded from environment-specific tfvars files.

Drift Detection

Infrastructure drifts when manual changes are made outside Terraform. Running terraform plan detects drift by comparing desired state to real infrastructure state. Automated drift detection runs a scheduled terraform plan in CI and alerts on any non-empty plan. Policy enforcement with OPA (Open Policy Agent) or Sentinel validates plans against policies before apply — for example, blocking public S3 buckets. Terraform Cloud Sentinel policies are enforced pre-apply.
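The scheduled drift check and the pre-apply policy gate described above can both be run over the machine-readable plan (`terraform show -json tfplan`). The following is an added example, not code from the original page or from Terraform itself; the plan content is a constructed sample with hypothetical resource addresses, and the JSON fields read (`resource_changes`, `change.actions`, `change.after`) are those of Terraform's plan representation.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads. Resource addresses are hypothetical.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["no-op"], "before": {}, "after": {}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"], "before": {"ingress": []},
                    "after": {"ingress": [{"from_port": 22, "to_port": 22}]}}},
        {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
         "change": {"actions": ["create"], "before": None,
                    "after": {"bucket": "logs", "acl": "public-read"}}},
    ],
})

PUBLIC_ACLS = {"public-read", "public-read-write"}
PAB_FLAGS = ("block_public_acls", "block_public_policy",
             "ignore_public_acls", "restrict_public_buckets")


def drifted_resources(plan_json):
    """Addresses whose planned actions are anything but a no-op.
    On a scheduled plan against an unchanged repo, every entry is drift."""
    plan = json.loads(plan_json)
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if rc["change"]["actions"] != ["no-op"]]


def public_bucket_violations(plan_json):
    """Addresses of S3 resources whose post-apply state would be public."""
    plan = json.loads(plan_json)
    hits = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after") or {}   # None when deleting
        if rc["type"] in ("aws_s3_bucket", "aws_s3_bucket_acl"):
            if after.get("acl") in PUBLIC_ACLS:
                hits.append(rc["address"])
        elif rc["type"] == "aws_s3_bucket_public_access_block":
            # A deleted or partially disabled block also counts as a violation.
            if not all(after.get(f) is True for f in PAB_FLAGS):
                hits.append(rc["address"])
    return hits


def gate(plan_json):
    """CI verdict: 'block' on a policy violation, 'alert' on drift, else 'ok'."""
    if public_bucket_violations(plan_json):
        return "block"
    return "alert" if drifted_resources(plan_json) else "ok"
```

In CI, `gate()` maps to the pipeline outcome: `alert` pages the owning team on the scheduled run, `block` fails the pre-apply step.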

GitOps Workflow

Infrastructure changes are submitted as pull requests. An automated plan is posted as a PR comment for review. Merging the PR triggers an apply via the CI pipeline. All changes are audited through git history. ArgoCD or Flux manages Kubernetes GitOps: each tool continuously syncs cluster state to the git repository. The reconciliation loop detects and corrects drift automatically.

Secrets Management

Never hardcode secrets in Terraform configuration. Use data sources to fetch secrets from Vault or AWS Secrets Manager at apply time. Mark outputs with sensitive = true so they are not printed in logs. SOPS encrypts secret values stored in git. Dynamic secrets are the most secure option: Vault generates short-lived database credentials on demand rather than storing static passwords.
