Infrastructure as code (IaC) is a DevOps practice that automates the provisioning and management of IT infrastructure by using configuration files rather than manual processes.
IaC treats infrastructure as software. Teams use IaC to version, test and deploy infrastructure by using the same practices they use for application code.
This approach enables teams to bypass traditional manual configuration, which can be cumbersome and error-prone. Manual configuration often involves individual server setup, console-based management and undocumented changes.
Instead, teams define infrastructure requirements in configuration files that specify the resources needed—servers, networks, databases, security policies—and how to configure them. These files then live in version control systems, providing tracking, review and rollback capabilities.
IaC is an important element of the broader practice of infrastructure automation, which uses code and automation to manage IT infrastructure across its lifecycle. With IaC, developers no longer need to manually provision infrastructure components every time they develop, test or deploy applications. This automation helps organizations control costs, reduce risks and respond quickly to new business opportunities.
As organizations adopt cloud-native architectures, IaC is increasingly essential. IT environments now span multiple clouds, thousands of containers and distributed microservices. Manual processes that once managed a few servers cannot handle these architectures, where teams deploy frequently hundreds of applications daily and constantly provision, scale and decommission infrastructure.
IaC helps manage these complex environments in three critical ways:
For example, a retail company preparing for Black Friday might need to scale 100–1,000 servers within hours. With IaC, this scaling happens automatically across on-premises and cloud infrastructure, based on predefined templates. This ability to scale helps ensure that each new server maintains identical security and compliance configurations.
According to the IBM Institute for Business Value, 65% of executives report that automation technologies such as IaC are enhancing their IT teams’ productivity.
Industry newsletter
Stay up to date on the most important—and intriguing—industry trends on AI, automation, data and beyond with the Think newsletter. See the IBM Privacy Statement.
Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.
IaC combines a repeatable workflow with automated tooling. The workflow—write, version, provision and deploy—defines how teams move from infrastructure requirements to deployed resources. The tooling—configuration files, version control systems and automation engines—provides the mechanisms to define, track and create infrastructure.
Together, these elements transform infrastructure management from a manual, error-prone process into an automated, repeatable function. Teams write infrastructure as code, with unique versions as with software, and deploy identical environments on demand.
The IaC workflow follows four stages:
Developers create IaC scripts by using languages such as HCL, YAML or JSON, similar to how they write application code in Java™ or Python. Teams write infrastructure definitions that specify which resources they need and how to configure them. They often write these files in integrated development environments (IDEs), which provide error checking and autocomplete features.
Code gets stored in version control systems—also known as source control or source code repositories—such as Git or GitHub. Version control tracks changes, maintains alternative versions and enables teams to revert to earlier versions when issues arise.
An automation engine reads the configuration files and provisions the specified infrastructure resources. This stage transforms the code into actual infrastructure—creating virtual machines (VMs), configuring networks, setting up databases and establishing security groups. The provisioning process is idempotent, meaning it can run multiple times without creating duplicate resources.
Teams execute scripts to deploy infrastructure across various environments, with IaC helping ensure consistent configurations across environments. The consistency of the scripts helps most when using continuous deployment, where software changes to an application are released automatically into the production environment.
Automated tools provide mechanisms to define, track and create infrastructure through code.
Configuration files define the infrastructure. They can be written in HCL, JSON, YAML or domain-specific languages. These files are blueprints that describe exactly what infrastructure you need—how many servers, what size, which network settings—in a format that automation tools can read and execute.
These files become the single source of truth for teams, helping ensure consistency across multiple environments. They can be updated, reused or varied for new installations as teams add more assets.
Version control systems store the history of each file. They track the original code and any alterations to it, including what was changed, by whom and when. This tracking enables teams to understand changes, recover deletions and roll back when issues arise.
Version control enables organizations to divide infrastructure into modules that combine through automation. This modular approach helps build, update and version complex environments while reducing duplication and making scripts easier to test and reuse.
Automation engines automate provisioning and configuration by using predefined code. They execute the infrastructure definitions in configuration files, turning the code into actual IT resources such as servers, networks and databases.
Some engines are cloud-specific, such as AWS CloudFormation, Azure Resource Manager or Google Cloud Deployment Manager. Others run on all clouds, such as Terraform, OpenTofu (an open source fork of Terraform) or Pulumi (which uses general-purpose programming languages such as Python).
These automation engines are often paired with orchestration tools, such as Kubernetes, to coordinate resources and workloads at scale.
IaC tools often integrate with cloud platforms through application programming interfaces (APIs). These API connections allow IaC tools to communicate directly with cloud services, creating and managing resources programmatically rather than through manual console interactions.
IaC also incorporates standard software development practices to help ensure reliability. Automated testing can help verify infrastructure configurations before deployment, identifying errors that might otherwise cause outages or security vulnerabilities. Some version control systems can trigger these tests automatically when code changes occur, helping ensure that every modification is validated before it reaches production.
When implementing IaC, organizations make two main choices: how to define an infrastructure (declarative versus imperative) and whether an infrastructure can be modified after deployment (mutable versus immutable).
The declarative and imperative approaches differ in how you write infrastructure code.
The declarative approach, also known as the functional approach or declarative IaC, is the most common method. The user describes the wanted state—“I need 3 servers with these specifications”—and IaC handles the implementation. It creates the resources, installs necessary software, resolves interdependencies and manages versioning automatically.
The imperative approach, also known as the procedural approach, requires that the user write step-by-step instructions for provisioning infrastructure. Exact commands are specified in precise order—“First create a server, then install this software, then configure these settings.” This approach requires more expertise and can make it harder to maintain consistency.
Mutable infrastructure can be modified after provisioning, whereas immutable infrastructure cannot be modified after provisioning.
Mutable infrastructure provides flexibility for ad hoc changes, such as addressing specific application requirements or emergency security patches. However, this flexibility can compromise consistency and make version tracking difficult.
Most organizations choose immutable infrastructure. To change a server or configuration, teams must replace the entire infrastructure with new resources.
While this sounds prohibitive, in truth it can be beneficial for several reasons. First, immutable infrastructure eliminates configuration drift. Drift is a common problem with mutable infrastructure, where manual changes accumulate over time, making it harder to maintain consistency across environments.
Second, immutable infrastructure provides reliable version tracking and rollback capabilities because every change creates a new, versioned instance. This means teams can instantly revert to any previous configuration.
Finally, with cloud-based IaC, new infrastructure can be provisioned quickly, often within minutes, so that reprovisioning all infrastructure resources is far more practical than it initially appears.
By automating infrastructure management that uses code, IaC provides several benefits:
Manual infrastructure provisioning can require weeks of hardware setup, OS installation and network configuration by specialized staff.
IaC reduces provisioning time from weeks to minutes across all environments. For example, IaC can automate provisioning of legacy infrastructure that would otherwise require manual processes such as pulling a ticket. Rather than waiting days for database and server configuration, developers can run a script to deploy them in minutes.
With IaC—every time infrastructure is provisioned—it follows the identical configuration defined in the code.
This consistency helps eliminate manual configuration errors—such as typographical errors, missed steps or incorrect settings—while preventing configuration drift or missing dependencies.
Configuration inconsistencies can also create security vulnerabilities and violate regulatory requirements, such as the Sarbanes-Oxley Act (SOX) or General Data Protection Regulation (GDPR). For example, unnecessary open ports or disabled HTTPS might trigger compliance violations or audit failures. IaC helps ensure identical environment configurations every time—until modifications are needed.
IaC can help accelerate every phase of the software delivery lifecycle. Developers can quickly provision sandboxes and environments on demand. QA teams can spin up test environments instantly. Operations teams can automate infrastructure for security and user-acceptance testing.
When new code passes testing, both the application and its infrastructure are then deployed together, resulting in faster feature delivery and more frequent deployments.
Organizations without IaC typically rely on a few specialists for provisioning. When one of these specialists leaves, their knowledge often goes with them.
IaC helps preserve infrastructure knowledge in code, helping ensure critical expertise stays with the organization.
IaC can significantly reduce the time, effort and specialized skill required to provision and scale infrastructure. It also optimizes cloud computing’s consumption-based pricing—organizations can provision resources only when needed and deprovision them automatically when idle.
This pay-as-you-go approach can significantly reduce infrastructure spending, particularly for development and testing environments that don’t need non-stop availability.
IaC is essential to DevOps practices because it enables infrastructure to move at the speed of software development.
Without IaC, infrastructure provisioning can become a bottleneck. While code deploys in minutes, infrastructure setup might take hours or days. For example, adding a new database might require a ticket to the infrastructure team and days of waiting.
IaC eliminates this gap by applying continuous integration and continuous delivery (CI/CD) to infrastructure deployments. Infrastructure and application code can be tested, validated and deployed together in parallel, rather than as disparate processes.
In practice, infrastructure code often lives alongside application code in version control. When developers commit changes, the CI/CD pipeline can provision test infrastructure by using IaC templates, runs automated tests and use the same templates to deploy to production. This helps ensure that every environment—development, testing, staging, production—has identical infrastructure configurations.
The key benefit is consistency. Without IaC, environmental drifts can occur when test environments don’t match production, causing deployment failures. IaC helps ensure that what works in testing works also in production because both use the same infrastructure definitions. Teams can review infrastructure changes through pull requests, track modifications and roll back when needed—treating infrastructure with the same rigor as application code.
IaC tools fall into two main categories: provisioning tools that create and deploy infrastructure, and configuration management tools that maintain infrastructure after deployment.
Some tools run on all clouds (working across multiple providers), while others are platform-specific.
Organizations typically combine tools from both categories to build complete IaC pipelines.
Provisioning tools create and deploy infrastructure resources—servers, networks and storage systems. They focus on the initial setup and configuration of infrastructure components, transforming infrastructure requirements into running resources.
Terraform from HashiCorp, an IBM company, is an IaC tool that can run on all clouds and that uses declarative configuration to manage infrastructure across multiple platforms.
Teams write infrastructure definitions in HCL (HashiCorp Configuration Language) and can deploy the same code to AWS, Azure, Google Cloud or on-premises data centers. This portability enables organizations to avoid vendor lock-in and mix cloud providers based on their strengths—for example, using AWS for compute and Google Cloud for machine learning.
Terraform also speeds deployments by provisioning resources across multiple providers simultaneously. It analyzes dependencies between resources and creates independent ones in parallel. For instance, if deploying 10 AWS servers and 5 Azure databases with no dependencies, Terraform creates all 15 resources at once rather than sequentially, reducing deployment time.
AWS CloudFormation is Amazon’s native IaC solution for AWS infrastructure. Teams define entire application stacks—from EC2 instances to Rational Directory Server databases—using JSON or YAML templates. CloudFormation handles resource dependencies automatically, creating them in the correct order and rolling them back in case errors occur.
While limited to AWS, CloudFormation offers deep integration with AWS services and immediate support for new ones. Organizations committed to AWS might prefer its native performance and access to proprietary features.
Azure Resource Manager (ARM) is Microsoft’s native IaC tool for Azure infrastructure. While limited to Azure, it offers deep integration with the platform.
Organizations use ARM templates (JSON format) to define, deploy and manage Azure resources. ARM provides built-in features including role-based access control for security, resource tagging for organization, locks to prevent accidental deletion and dependency mapping to help ensure that resources deploy in the correct order.
Google Cloud Deployment Manager is Google’s native IaC tool that uses YAML or Python templates to orchestrate Google Cloud deployments. Though platform-specific, it creates and configures resources across multiple services—Cloud Storage for data, Compute Engine for VMs, Cloud SQL for databases—helping ensure they work together as a complete stack.
Configuration management tools maintain infrastructure after provisioning, helping ensure that systems stay properly configured, patched and consistent.
Ansible® is an automation tool from Red Hat® that manages configuration without requiring agents on target systems. In other words, Ansible doesn’t need special software installed on the servers it manages. It connects directly by using SSH to execute commands.
This agentless approach means Ansible works across cloud, on-premises and hybrid environments. Teams write YAML playbooks that define wanted states, and Ansible helps ensure that systems match those states. It’s popular for managing Docker containers and Kubernetes deployments.
Puppet uses declarative configuration to manage large infrastructures across cloud, on-premises and data center environments.
It continuously checks thousands of servers to help ensure that they match their defined configurations, automatically fixing any drift. Puppet generates detailed reports showing what changed and when, making it effective for larger deployments.
Chef uses “cookbooks” and “recipes” to define infrastructure configurations across any environment—cloud, on-premises or hybrid.
Organizations frequently turn to Chef for its testing framework. Teams can verify configurations in test environments before pushing to production. This discover-issues-early approach can make it popular in organizations that require frequent infrastructure updates and value strong testing frameworks.
Helps simplify complex hybrid environments with unified infrastructure and security management.
Build, deploy and manage secure, cloud-native apps across devices and environments.
Enhance the value of your hybrid cloud and fully leverage the opportunities of the agentic AI era.