Practice of defining and managing infrastructure through versioned configuration files instead of manual processes. Foundation of modern operations automation.
Infrastructure as Code (IaC) is treating infrastructure exactly like code: versioned in Git, reviewed in PRs, tested in CI, and applied in an automated and reproducible way.
Without IaC:
With IaC: terraform apply and the complete infrastructure is recreated in minutes.
| Approach | Description | Tools |
|---|---|---|
| Declarative | Describe desired state, tool figures out how to get there | Terraform, CloudFormation, Kubernetes YAML |
| Imperative | Describe steps to execute in order | Bash scripts, Ansible (partially), Pulumi |
# Declarative (Terraform) — "I want this"
resource "aws_instance" "web" {
ami = "ami-0c55b159cbfafe1f0"
instance_type = "t3.micro"
}# Imperative (Pulumi) — "do this"
server = aws.ec2.Instance("web",
ami="ami-0c55b159cbfafe1f0",
instance_type="t3.micro")Immutable infrastructure eliminates configuration drift by design.
| Tool | Type | Cloud | Language | State |
|---|---|---|---|---|
| Terraform | Provisioning | Multi-cloud | HCL | Remote state |
| OpenTofu | Provisioning | Multi-cloud | HCL | Remote state |
| Pulumi | Provisioning | Multi-cloud | TS, Python, Go | Managed/self-hosted |
| AWS CDK | Provisioning | AWS | TS, Python, Java | CloudFormation |
| CloudFormation | Provisioning | AWS | YAML/JSON | AWS-managed |
| Ansible | Config mgmt | Agnostic | YAML | Stateless |
| Crossplane | Provisioning | Multi-cloud | YAML (K8s CRDs) | Kubernetes |
infra/
├── modules/
│ ├── networking/
│ ├── compute/
│ └── database/
├── environments/
│ ├── dev/
│ ├── staging/
│ └── production/
├── .github/workflows/
│ └── terraform.yml
└── README.md
Applying the same code N times produces the same result:
terraform apply # Creates 3 instances
terraform apply # No changes. Infrastructure is up-to-date.
terraform apply # No changes. Infrastructure is up-to-date.State is the source of truth about what exists:
# Remote backend (shared across team)
terraform {
backend "s3" {
bucket = "my-terraform-state"
key = "prod/terraform.tfstate"
region = "us-east-1"
dynamodb_table = "terraform-locks"
encrypt = true
}
}module "vpc" {
source = "terraform-aws-modules/vpc/aws"
version = "5.0.0"
name = "production"
cidr = "10.0.0.0/16"
azs = ["us-east-1a", "us-east-1b"]
private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
public_subnets = ["10.0.101.0/24", "10.0.102.0/24"]
enable_nat_gateway = true
}terraform plan # See what will change
# + aws_instance.web (create)
# ~ aws_security_group.web (modify)
# - aws_instance.old (destroy)
terraform apply # Apply after review# .github/workflows/terraform.yml
name: Terraform
on:
pull_request:
paths: ['infra/**']
push:
branches: [main]
paths: ['infra/**']
jobs:
plan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
- run: terraform init
- run: terraform validate
- run: terraform plan -out=plan.tfplan
- uses: actions/upload-artifact@v4
with:
name: plan
path: plan.tfplan
apply:
needs: plan
if: github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
environment: production
steps:
- uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
- uses: actions/download-artifact@v4
with:
name: plan
- run: terraform apply plan.tfplan| Level | Tool | What it validates |
|---|---|---|
| Lint | terraform validate, tflint | Syntax and conventions |
| Static | Checkov, tfsec, Trivy | Security and compliance |
| Unit | Terratest, terraform test | Module logic |
| Integration | Terratest | Temporary real infrastructure |
| Policy | OPA, Sentinel | Organizational policies |
Without IaC, infrastructure is tacit knowledge that lives in the head of whoever configured it. With IaC, every change is traceable, reviewable, and reproducible. It is the foundation on which practices like GitOps, automated disaster recovery, and self-service infrastructure are built.
Culture and set of practices that unify development (Dev) and operations (Ops) to deliver software with greater speed, quality, and reliability. It's not a role — it's a way of working.
Set of technical and cultural practices that implement DevOps principles — from Infrastructure as Code to blameless post-mortems. The "how" behind the philosophy.
Continuous Integration and Continuous Delivery/Deployment — practices that automate code integration, testing, and delivery to production. Foundation of modern software engineering.
Cloud computing model where the provider manages infrastructure automatically, allowing code execution without provisioning or managing servers, paying only for actual usage.
Practices and strategies to minimize cloud spending without sacrificing performance, including right-sizing, reservations, spot instances, and eliminating idle resources.
Architecture design for scaling a personal second brain to a production system with AWS serverless — from the current prototype to specialized use cases in legal, research, and community building.
Chronicle of building a second brain with a knowledge graph, bilingual pipeline, and agent endpoints — in days, not weeks, and what that teaches about the gap between theory and working systems.
Reusable Terraform modules for managing Docker containers and AWS ECS Fargate, with progressive examples and local testing with LocalStack.
Collection of 13 Terraform modules published on the Terraform Registry for deploying serverless architectures on AWS, with 12 examples covering basic ECS to full-stack CRUD with DynamoDB and AgentCore with MCP.
Production-ready serverless backend for a personal knowledge graph — DynamoDB, Lambda, Bedrock, MCP, Step Functions. The implementation of the architecture described in the 'From Prototype to Production' essay.
Serverless GitHub App that auto-approves pull requests after CI passes, with optional AI code review via Amazon Bedrock. Five repositories: TypeScript/Probot app, AWS Terraform module (Lambda + API Gateway + Secrets Manager + SQS DLQ), GitHub Terraform module (webhooks), deployment infra, and test repo.
Three-agent system that automates the bilingual MDX content lifecycle: deterministic QA auditing, surgical fixes, and full upgrades — all orchestrated with Strands Agents, Claude Sonnet 4 on Amazon Bedrock, and GitHub Actions with a diamond workflow pattern.
HashiCorp's Infrastructure as Code tool that enables defining, provisioning, and managing multi-cloud infrastructure through declarative HCL files.
Model where development teams can provision and manage infrastructure autonomously through automated interfaces, without depending on operations tickets.
Practice of defining security, compliance, and governance policies as versioned, executable code, automating their verification in CI/CD pipelines.
Open source fork of Terraform maintained by the Linux Foundation. Compatible with HCL and Terraform providers, created in response to HashiCorp's license change to BSL 1.1.
Package manager for Kubernetes that simplifies installation and management of complex applications through reusable and configurable charts.
Operational practice using Git as single source of truth for infrastructure and configuration, with automatic reconciliation between desired and actual state.
AWS open-source framework for building serverless applications with simplified CloudFormation syntax, CLI for local development, and integrated deployment.
AWS object storage service with 99.999999999% durability, unlimited scalability, and multiple storage classes for cost optimization.
AWS identity and access management service controlling who can do what in your account, with granular policies based on the principle of least privilege.
AWS native service for defining and provisioning infrastructure as code using YAML or JSON templates, with state management and automatic rollback.
AWS infrastructure as code framework that allows defining cloud resources using programming languages like TypeScript, Python, or Java, generating CloudFormation.