The core idea
Infrastructure as Code (IaC) treats the infrastructure your applications run on as a software artefact. Instead of clicking through cloud consoles or running ad-hoc shell commands, engineers write declarative or imperative files that describe the desired state (VPCs, subnets, IAM roles, Kubernetes namespaces, monitoring alerts), and a tool reconciles reality with that description.
The shift sounds modest. The consequences are not:
- Every change is reviewable. Diffs in pull requests, before anything touches production.
- Every environment is reproducible. Spin up a staging clone in 15 minutes, not 15 days.
- Drift is detectable. When someone fixes something at 3 a.m. by clicking in the console, the next plan run shouts about it.
- Disaster recovery is simpler. Rebuild the entire region from Git, with one command.
The two flavours
Declarative IaC (Terraform, OpenTofu, Pulumi, Crossplane, ArgoCD-rendered manifests) describes what the system should look like. The tool figures out the steps to get there. Most production setups use this approach because it scales and converges.
Imperative IaC (Ansible playbooks, raw cloud SDK scripts) describes how to change the system step by step. Useful for one-shot tasks like rolling restarts or coordinated patches, but harder to reason about over time.
In real engagements we usually combine the two: Terraform for the cloud account skeleton, Helm/Kustomize for what runs inside Kubernetes, Ansible for the rare situations where we still touch a VM directly.
Where teams trip up
A handful of patterns kill IaC projects:
- Storing state files on someone's laptop. State must live in shared, versioned, locked storage (S3 + DynamoDB lock, Terraform Cloud, Spacelift). Otherwise two engineers running a plan at the same time corrupt each other's work.
- Treating secrets like config. Passwords, API keys and certificates should never be in Git. Use Vault, AWS KMS, sealed-secrets, anything that decouples plaintext from version control.
- Monolithic state files. A single Terraform state with 5 000 resources takes 20 minutes to plan and one mistake to break. Split by lifecycle: account, network, services, applications.
- No automated testing. terraform plan in CI catches 90 % of mistakes. Without it, IaC is just version-controlled clicking.
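A Terraform configuration that avoids the first three patterns above (remote locked state, secrets pulled from Vault instead of committed, state split by lifecycle layer). This is an added illustration, not Hidora's own code; the bucket, lock table, region, Vault address and secret path are assumed placeholder values.

```hcl
# Remote, encrypted, locked state: the DynamoDB table serialises access, so two
# engineers running plan/apply at the same time cannot corrupt each other's work.
terraform {
  backend "s3" {
    bucket         = "example-tfstate"             # assumed bucket name
    key            = "services/terraform.tfstate"  # one state per lifecycle layer
    region         = "eu-central-1"                # assumed region
    encrypt        = true
    dynamodb_table = "example-tfstate-locks"       # assumed lock table
  }
}

# Split by lifecycle: the network layer keeps its own state and exposes only the
# outputs this layer needs, instead of one monolithic state for everything.
data "terraform_remote_state" "network" {
  backend = "s3"
  config = {
    bucket = "example-tfstate"            # assumed, same bucket as above
    key    = "network/terraform.tfstate"  # the network layer's state
    region = "eu-central-1"
  }
}

# Secrets are read from Vault at plan/apply time; the plaintext never enters Git.
provider "vault" {
  address = "https://vault.example.internal:8200"  # assumed Vault address
}

data "vault_generic_secret" "db" {
  path = "secret/services/db"  # assumed Vault path holding key "password"
}

resource "aws_db_instance" "app" {
  identifier           = "app-db"
  engine               = "postgres"
  instance_class       = "db.t3.medium"
  allocated_storage    = 20
  username             = "app"
  # Anti-pattern this replaces: password = "hunter2" committed to the repository.
  password             = data.vault_generic_secret.db.data["password"]
  # Cross-layer reference resolved through the network layer's outputs.
  db_subnet_group_name = data.terraform_remote_state.network.outputs.db_subnet_group
  skip_final_snapshot  = true
}
```

The password still ends up in the state file once applied, which is why the backend above encrypts state and why access to that bucket must be restricted as tightly as access to the secret itself.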
Compliance angle
For Swiss regulated industries, IaC is the cheapest way to satisfy change management requirements: every modification is in Git, signed, reviewed and timestamped. Auditors stop asking for screenshots and start asking for repository access, which is faster for everyone.
Related Hidora services
- Consulting: Terraform module design, account separation, state strategy.
- Managed Services: operating the IaC-defined infrastructure once it's built.