DEV Community

Naveen Karasu
Day 1/90: IaC concepts and principles

90 Day Security Infrastructure Challenge

I am writing this one as if a teammate opened the pull request and asked what actually matters. My answer: what matters is keeping Terraform honest when the state file, provider behavior, and module boundaries are all capable of hiding drift. Good infrastructure content should make the operational boundary visible, not bury it behind screenshots or one happy-path command.

Declarative Vs Imperative

The practical reason to spend time on declarative vs imperative is simple: it is one of the places where infrastructure drift hides behind a clean-looking diff. The work is keeping Terraform honest when the state file, provider behavior, and module boundaries are all capable of hiding drift.

The repo earns trust when terraform plan output, remote state configuration, provider aliases, variables, outputs, and CI checks wired into the repo tell the same story as the PR summary. That is how you get to a Terraform workflow where the plan, state backend, and module interfaces explain exactly what the change will touch. If the state file is trusted, it needs ownership, locking, and review discipline. If the module boundary is trusted, it needs readable inputs and outputs.

terraform fmt -check -recursive
terraform init -backend-config="key=iac_concepts_and_principles/terraform.tfstate"
terraform validate
terraform plan -out iac_concepts_and_principles.tfplan
tfsec .

Idempotency

Idempotency sounds narrow until it fails under pressure. Then you find out whether the infrastructure repo can explain its own behavior. The real work is still keeping Terraform honest when the state file, provider behavior, and module boundaries are all capable of hiding drift.

I do not want a magical success message. I want terraform plan output, remote state configuration, provider aliases, variables, outputs, and CI checks wired into the repo, because that evidence is what turns the work into a Terraform workflow where the plan, state backend, and module interfaces explain exactly what the change will touch. If the state file is trusted, it needs ownership, locking, and review discipline. If the module boundary is trusted, it needs readable inputs and outputs.

Immutable Infrastructure

Immutable infrastructure is where IaC concepts and principles become operational. On a real team, the argument is rarely about syntax. It is about keeping Terraform honest when the state file, provider behavior, and module boundaries are all capable of hiding drift.

What I want back from this day is a Terraform workflow where the plan, state backend, and module interfaces explain exactly what the change will touch. That only happens when the change leaves evidence in terraform plan output, remote state configuration, provider aliases, variables, outputs, and CI checks wired into the repo. If the state file is trusted, it needs ownership, locking, and review discipline. If the module boundary is trusted, it needs readable inputs and outputs.

Review posture

  • I want the pull request to name the affected environment, the rollback path, and the state or inventory boundary touched by IaC concepts and principles.
  • The review should show exactly how declarative vs imperative changes behavior, not just that the file format is valid.
  • If a pipeline gate, policy check, or drift report disagrees with the proposed change, that disagreement belongs in the review thread instead of hidden in logs.

The outcome I care about is a Terraform workflow where the plan, state backend, and module interfaces explain exactly what the change will touch. That is only believable when terraform plan output, remote state configuration, provider aliases, variables, outputs, and CI checks wired into the repo are easy to find and consistent with the explanation in the pull request. If the state file is trusted, it needs ownership, locking, and review discipline. If the module boundary is trusted, it needs readable inputs and outputs.
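As an added example (not code from this post or its repo), the script below reads the JSON form of a saved plan (`terraform show -json iac_concepts_and_principles.tfplan`) and turns it into the evidence the review posture above asks for: which resources will be created, updated, replaced or destroyed, and whether the pull request declared every one of them. The plan JSON here is a constructed sample trimmed to the fields the script reads, and `declared_addresses` stands in for the resource list the PR summary names.

```python
import json
from collections import defaultdict

# Constructed sample of `terraform show -json <planfile>` output, reduced to the
# fields this script reads; it is not plan output from any real repository.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket.state", "change": {"actions": ["no-op"]}},
        {"address": "aws_dynamodb_table.lock", "change": {"actions": ["update"]}},
        {"address": "aws_iam_role.ci", "change": {"actions": ["delete", "create"]}},
        {"address": "aws_security_group.db", "change": {"actions": ["delete"]}},
        {"address": "module.vpc.aws_vpc.main", "change": {"actions": ["create"]}},
    ],
})

def classify(actions):
    """Map Terraform's action list to one reviewer-facing verb."""
    # Terraform encodes a replacement as a two-step action list.
    if set(actions) == {"delete", "create"}:
        return "replace"
    return actions[0]  # create / update / delete / read / no-op

def summarize_plan(plan_json):
    """Return {action: [addresses]} for every resource the plan will touch."""
    plan = json.loads(plan_json)
    summary = defaultdict(list)
    for rc in plan.get("resource_changes", []):
        action = classify(rc["change"]["actions"])
        if action != "no-op":  # unchanged resources are not review evidence
            summary[action].append(rc["address"])
    return dict(summary)

def destructive_changes(plan_json):
    """Addresses that will be destroyed or replaced; these need a named rollback path."""
    summary = summarize_plan(plan_json)
    return sorted(summary.get("delete", []) + summary.get("replace", []))

def review_gate(plan_json, declared_addresses):
    """Fail closed when the plan touches a resource the PR summary did not declare."""
    touched = {a for addrs in summarize_plan(plan_json).values() for a in addrs}
    undeclared = sorted(touched - set(declared_addresses))
    return (len(undeclared) == 0, undeclared)

if __name__ == "__main__":
    for action, addrs in sorted(summarize_plan(SAMPLE_PLAN_JSON).items()):
        print(f"{action:8} {', '.join(addrs)}")
    ok, missing = review_gate(SAMPLE_PLAN_JSON, ["aws_dynamodb_table.lock", "module.vpc.aws_vpc.main"])
    print("gate:", "pass" if ok else f"FAIL, undeclared: {missing}")
```

In CI the gate's failure output belongs in the review thread, next to the plan summary, so a replacement or destroy the PR never mentioned cannot pass quietly.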

Why this belongs in a security infrastructure track

IaC, Ansible, policy as code, GitOps, and infrastructure testing all share the same responsibility: make change review safer than console drift. That is why I keep bringing the lesson back to Terraform, IaC boundaries, pipeline evidence, and the operational story behind the diff.
