ArcLibrary

Infrastructure as Code (IaC)

Declare cloud resources in code — reviewable, versioned, rebuildable.

Tags: IaC · Terraform · Infrastructure

Key Idea

In one line: IaC describes "what cloud resources I want" (VPC / VM / DB / DNS) in declarative code; the tool diffs that against the current state and creates / modifies / deletes resources to close the gap. Result: rebuildable environments, reviewable PRs, traceable rollbacks.

What it is

# main.tf — declare AWS resources with Terraform
provider "aws" { region = "us-east-1" }

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  tags       = { Name = "prod" }
}

# Subnet the instance below attaches to (referenced as aws_subnet.public)
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
  tags       = { Name = "prod-public" }
}

resource "aws_instance" "web" {
  ami           = "ami-0abcd"           # placeholder AMI id
  instance_type = "t3.small"
  subnet_id     = aws_subnet.public.id
  user_data     = file("${path.module}/cloud-init.yml")
  tags          = { Name = "web-1" }
}

# CLI workflow, run in the directory containing main.tf
terraform init          # download providers, set up the state backend
terraform plan          # what will it do?
terraform apply         # actually do it
terraform destroy       # delete

Analogy

Without IaC = hand-throwing pottery — each piece by feel, not reproducible, redone if broken. With IaC = 3D model + 3D printer — one CAD file (code) prints identical copies repeatedly.

Key concepts

Declarative
You declare desired state; the tool computes the diff. Contrast: imperative shell scripts that do step-by-step.
State
Terraform's .tfstate records 'what's currently in the cloud'. **Must be remote-shared + locked** (S3 + DynamoDB / GCS / Terraform Cloud).
Provider
AWS / GCP / Azure / Cloudflare / GitHub — almost every cloud resource has a provider.
Module
Reusable resource bundle, function-like.
Drift
Someone manually edited the cloud → reality diverges from code. `terraform plan` surfaces it.
OpenTofu
Community fork of Terraform after the BSL license switch — open-source.

Tool comparison

Terraform / OpenTofu
HCL DSL, most widely used. Multi-cloud.
Pulumi
Use real languages (Python / TS / Go) for IaC.
AWS CDK
Also real languages — compiles to CloudFormation. AWS only.
CloudFormation / ARM / Deployment Manager
Cloud-native.
Crossplane
Manage cloud resources as K8s CRDs.
Ansible
More about in-OS config (packages / files / services), but can also manage infra.

How it works

Each apply: read state, refresh it from the cloud, read code → compute the diff between desired and actual → call cloud APIs to apply only that diff.

Practical notes

  • Remote state + lock — local state is a beginner trap. Multi-person collaboration requires remote + lock.
  • plan as review artifact — CI posts terraform plan to the PR; merge then apply.
  • Tag everything with env / owner / project — billing-friendly.
  • Don't put everything in one root module — split by region / env / component, blast radius small.
  • Secrets: Vault / SOPS / Secrets Manager — never commit tfvars containing secrets to git.
  • Be careful destroying: terraform destroy is irreversible. Add lifecycle { prevent_destroy = true } to critical resources so a plan that would delete them is rejected.
  • Drift detection: schedule plan runs; treat manual edits as drift and revert to code (don't retrofit code to manual changes).
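The remote-state, tagging, secrets and prevent_destroy notes above combined in one root module, as an added example rather than code from ArcLibrary; the bucket, DynamoDB table, team and resource names are assumed placeholders.

```hcl
terraform {
  required_version = ">= 1.5"

  # Remote, shared, locked state: S3 holds the file, DynamoDB holds the lock
  backend "s3" {
    bucket         = "example-org-tfstate"       # assumed bucket name
    key            = "prod/web/terraform.tfstate"
    region         = "us-east-1"
    dynamodb_table = "example-org-tfstate-lock"  # assumed table name
    encrypt        = true
  }
}

provider "aws" {
  region = "us-east-1"

  # env / owner / project applied to every resource this provider creates
  default_tags {
    tags = {
      env     = "prod"
      owner   = "platform-team"   # assumed owner
      project = "web"
    }
  }
}

# Secret arrives at run time (TF_VAR_db_password from Vault / SOPS /
# Secrets Manager); it is never written into a committed tfvars file.
variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "main" {
  identifier                = "prod-web-db"
  engine                    = "postgres"
  instance_class            = "db.t3.small"
  allocated_storage         = 20
  username                  = "app"
  password                  = var.db_password
  skip_final_snapshot       = false
  final_snapshot_identifier = "prod-web-db-final"

  # Any plan that would delete this resource is refused by Terraform
  lifecycle {
    prevent_destroy = true
  }
}
```

With this in place, terraform plan in CI still reports drift on the DB, but terraform destroy (or a code change that forces replacement) errors out instead of deleting it.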

Easy confusions

IaC (cloud)
Create / modify / delete **cloud objects**: VMs, VPCs, DBs.
Terraform / Pulumi.
Config mgmt (Ansible / Chef)
On existing machines: **install packages / write configs / start services**.
Ansible / Chef / Salt.

Further reading