The Complete Infrastructure as Code Guide

Master Terraform, CloudFormation, and modern IaC practices. From tool selection to production patterns — a comprehensive guide for cloud infrastructure teams.

Why Infrastructure as Code Matters for Cloud Costs

Infrastructure as Code (IaC) isn’t just an operational best practice — it’s a critical lever for cloud cost management. When your infrastructure is defined in code, you can:

  • Review changes before they cost money — catch oversized instances in pull requests
  • Enforce cost guardrails — policy-as-code prevents expensive mistakes
  • Reproduce environments cheaply — spin up and tear down environments on demand
  • Audit spending decisions — git history shows who provisioned what and when

Teams without IaC tend to accumulate cloud waste faster because there’s no review process for infrastructure changes and no easy way to clean up abandoned resources.

Terraform vs CloudFormation: Choosing Your Tool

The two dominant IaC tools serve different needs:

Terraform

Best for: Multi-cloud environments, teams that want provider flexibility, and organizations that prefer a declarative HCL syntax.

Terraform’s provider ecosystem covers AWS, Azure, GCP, and hundreds of other providers. Its state management, plan/apply workflow, and module system have made it the most widely used tool for teams managing infrastructure across multiple providers.

Key considerations:

  • The BSL license change (from HashiCorp) has pushed some teams toward OpenTofu
  • State file management requires careful planning (remote backends, locking). State also records resource attributes in plaintext, including values marked sensitive, so encrypt the backend and restrict who can read it.
  • Provider version pinning is essential for reproducible deployments: constrain versions in required_providers and commit the .terraform.lock.hcl file so every run resolves the same provider builds.

CloudFormation

Best for: AWS-only teams that want deep AWS integration, fast (though not always same-day) coverage of new AWS services, and no state files to manage.

CloudFormation is AWS’s native IaC service. It stores stack state for you, integrates with AWS Organizations (through StackSets) and Service Catalog, and usually gains support for new AWS services soon after launch, although coverage of some services and properties still lags.

Key considerations:

  • JSON/YAML templates can be verbose — CDK addresses this by letting you define stacks in TypeScript, Python, Java, C#, or Go and synthesize the template from code
  • Drift detection helps identify manual changes made outside the stack
  • DeletionPolicy and UpdateReplacePolicy are critical for data protection: for most resource types the default is Delete, so removing a resource from a template, deleting the stack, or triggering a replacement can destroy your production database or bucket

The OpenTofu Fork

HashiCorp’s license change from MPL to BSL in 2023 triggered the OpenTofu fork, backed by the Linux Foundation. This has created a real choice for Terraform users:

  • Stay with Terraform if you’re comfortable with the BSL license and want HashiCorp’s commercial support
  • Move to OpenTofu if open-source licensing matters to your organization or you want community-driven governance

Both are compatible with existing Terraform configurations for now, but they’re diverging over time.

Modern IaC Patterns

Hybrid Approaches

Real-world infrastructure often benefits from combining tools:

  • Terraform for infrastructure + Serverless Framework for Lambda — Let each tool handle what it’s best at
  • Terraform for base infrastructure + Helm for Kubernetes workloads — Separate infrastructure lifecycle from application lifecycle
  • CloudFormation for AWS + Terraform for multi-cloud — Use native tools where they’re strongest

Cost-Aware IaC

Embed cost awareness into your IaC workflow:

  1. Pre-deployment cost estimation — Tools like Infracost show the cost impact of Terraform changes in pull requests
  2. CloudExpat’s GitHub Action — Surfaces cost optimization insights directly in PRs
  3. Tagging enforcement — Require cost-allocation tags in IaC templates and reject plans that omit them; the Terraform AWS provider’s default_tags block applies a baseline set to every taggable resource
  4. Right-sizing in code — Review instance types and storage configurations during code review
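A minimal version of the guardrail behind steps 3 and 4, as an added example rather than code from the original page, from Infracost or from CloudExpat’s GitHub Action: a Python check that runs in CI over the JSON form of a Terraform plan. The instance-size allow-lists, the required tag names and the sample plan are hypothetical and constructed for illustration.

```python
"""Policy-as-code check over a Terraform plan, run before apply.

Added example for this guide, not CloudExpat's, Infracost's or HashiCorp's
own code. It reads the JSON emitted by `terraform show -json tfplan` and
reports resources being created or updated that use an instance size
outside an allow-list or lack the cost-allocation tags the team requires.
The allow-lists, the required tag names and the sample plan are constructed
for illustration.
"""
import json
import sys

# Hypothetical team policy: sizes allowed without an exception, per resource
# type, keyed by the attribute that drives the price.
SIZE_POLICY = {
    "aws_instance": ("instance_type", {"t3.micro", "t3.small", "t3.medium", "m6i.large"}),
    "aws_db_instance": ("instance_class", {"db.t3.micro", "db.t3.small", "db.t3.medium"}),
}
# Hypothetical cost-allocation tags every resource must carry.
REQUIRED_TAGS = {"CostCenter", "Owner", "Environment"}


def check_plan(plan: dict) -> list[str]:
    """Return one finding per violation; an empty list means the plan complies."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        # Only creates and updates commit new spend; deletes and no-ops pass here.
        if not {"create", "update"} & set(change["actions"]):
            continue
        after = change.get("after") or {}
        address = rc["address"]

        policy = SIZE_POLICY.get(rc["type"])
        if policy:
            attr, allowed = policy
            # A size that is unknown until apply is absent from `after` (it sits
            # in `after_unknown`), so it reads as None here and fails closed.
            size = after.get(attr)
            if size not in allowed:
                findings.append(f"{address}: {attr} '{size}' is not in the allow-list")

        # `tags_all` includes provider default_tags; fall back to `tags` for
        # resources or provider versions that do not expose it.
        tags = after.get("tags_all") or after.get("tags") or {}
        missing = REQUIRED_TAGS - set(tags)
        if missing:
            findings.append(f"{address}: missing required tags {', '.join(sorted(missing))}")
    return findings


# Constructed sample of `terraform show -json` output, trimmed to the fields used.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"], "before": None,
                    "after": {"instance_type": "t3.small",
                              "tags_all": {"CostCenter": "web-1234", "Owner": "platform",
                                           "Environment": "prod"}}}},
        {"address": "aws_instance.batch", "type": "aws_instance",
         "change": {"actions": ["create"], "before": None,
                    "after": {"instance_type": "r6i.8xlarge",
                              "tags_all": {"Owner": "data"}}}},
        {"address": "aws_db_instance.legacy", "type": "aws_db_instance",
         "change": {"actions": ["delete"],
                    "before": {"instance_class": "db.m5.large"}, "after": None}},
    ],
}


def main(argv: list[str]) -> int:
    """Usage: terraform show -json tfplan | python check_plan.py  (or pass a file path)."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = json.load(sys.stdin)
    findings = check_plan(plan)
    for line in findings:
        print(line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against SAMPLE_PLAN, the check passes aws_instance.web, ignores the delete of aws_db_instance.legacy, and reports aws_instance.batch twice: once for the r6i.8xlarge size and once for the missing CostCenter and Environment tags. Wire the non-zero exit status into the pull request check so the oversized resource is rejected before apply.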

Safety Patterns

Critical patterns that prevent costly mistakes:

  • Always set DeletionPolicy: Retain (or Snapshot, where the resource type supports it) on stateful resources such as databases and storage, and set UpdateReplacePolicy the same way, since DeletionPolicy does not cover the old resource when an update forces a replacement. Retained resources keep billing after the stack is gone, so track and clean them up deliberately.
  • Use prevent_destroy lifecycle rules in Terraform for critical resources. The rule only protects while the resource block exists: delete the block and the rule goes with it, so also fail CI on any plan that destroys a stateful resource.
  • Implement drift detection — manual changes bypass your cost guardrails. A scheduled terraform plan that is expected to show no changes, or CloudFormation’s drift detection, surfaces them.
  • Test infrastructure changes in staging with the same IaC code before production
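An added example of the first pattern turned into a pre-deployment check, not code from AWS (cfn-lint and cfn-guard cover this ground properly) or from the original page: it walks a CloudFormation template’s Resources and reports stateful resources whose DeletionPolicy or UpdateReplacePolicy is missing or would let the data be destroyed. The list of stateful types and the sample template are constructed for illustration.

```python
"""Pre-deployment check for CloudFormation data-protection policies.

Added example for this guide; not code from AWS, cfn-lint, cfn-guard or
CloudExpat. It walks a template's Resources and reports stateful resources
whose DeletionPolicy or UpdateReplacePolicy is missing or would let the
underlying data be destroyed. STATEFUL_TYPES and SAMPLE_TEMPLATE are
constructed for illustration; extend the type list to match your stacks.
"""
import json
import sys

# Resource types that hold data, mapped to the policy values that keep it.
# Snapshot is only valid on types that support it (RDS, EC2 volumes, ...);
# everything else must use Retain.
STATEFUL_TYPES = {
    "AWS::RDS::DBInstance": {"Retain", "Snapshot"},
    "AWS::RDS::DBCluster": {"Retain", "Snapshot"},
    "AWS::EC2::Volume": {"Retain", "Snapshot"},
    "AWS::S3::Bucket": {"Retain"},
    "AWS::DynamoDB::Table": {"Retain"},
    "AWS::EFS::FileSystem": {"Retain"},
}

# Both attributes matter: DeletionPolicy covers stack deletion and resource
# removal, UpdateReplacePolicy covers the old resource when an update forces
# a replacement.
POLICY_KEYS = ("DeletionPolicy", "UpdateReplacePolicy")


def check_template(template: dict) -> list[str]:
    """Return one finding per unsafe policy; empty means every stateful resource is protected."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        accepted = STATEFUL_TYPES.get(rtype)
        if accepted is None:
            continue  # stateless; letting CloudFormation delete it is fine
        expected = ", ".join(sorted(accepted))
        for key in POLICY_KEYS:
            value = res.get(key)
            if value is None:
                # Absent means CloudFormation's default applies, which is Delete
                # for most types; the policy here is that it must be explicit.
                findings.append(
                    f"{name} ({rtype}): {key} not set (most types default to Delete); expected {expected}")
            elif value not in accepted:
                findings.append(f"{name} ({rtype}): {key} is {value}; expected {expected}")
    return findings


# Constructed sample template (JSON form), trimmed to the attributes checked.
SAMPLE_TEMPLATE = {
    "Resources": {
        "AppDatabase": {
            "Type": "AWS::RDS::DBInstance",
            "DeletionPolicy": "Snapshot",
            "UpdateReplacePolicy": "Snapshot",
            "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.medium"},
        },
        "UploadsBucket": {
            "Type": "AWS::S3::Bucket",
            "DeletionPolicy": "Retain",   # protected on stack delete ...
            "Properties": {},             # ... but not on replacement
        },
        "SessionTable": {
            "Type": "AWS::DynamoDB::Table",
            "DeletionPolicy": "Delete",   # explicitly unsafe
            "Properties": {},
        },
        "WebServer": {
            "Type": "AWS::EC2::Instance",  # stateless, not checked
            "Properties": {"InstanceType": "t3.small"},
        },
    }
}


def main(argv: list[str]) -> int:
    """Usage: python check_template.py template.json

    JSON templates only: YAML with short-form tags such as !Ref needs a
    CloudFormation-aware loader before this check can run on it."""
    with open(argv[1]) as fh:
        findings = check_template(json.load(fh))
    for line in findings:
        print(line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On SAMPLE_TEMPLATE the database passes, the EC2 instance is skipped, and three findings come back: the bucket is protected against stack deletion but not against replacement, and the DynamoDB table is unprotected on both paths. The check insists on an explicit policy rather than trusting the default, because the default differs by resource type and a reviewer should not have to remember which.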

IaC and Cloud Cost Optimization

CloudExpat integrates with your IaC workflow through our GitHub Action, which surfaces cost optimization recommendations directly in pull requests. This shifts cost optimization left — catching expensive infrastructure decisions before they hit production, not after the bill arrives.

Ready to Optimize Your Cloud Costs?

Connect your cloud accounts in 30 seconds. See exactly where you're overspending — no commitment, no risk.