Infrastructure Version Control Patterns
Why treating infrastructure as code with proper versioning is critical as systems grow in complexity
Most of us have been there: it’s 2 a.m., a deployment is stuck, and someone is manually editing a Terraform state file or tweaking a CloudFormation template directly in the console. The next morning, no one quite remembers what changed, why, or who approved it. This is the point where infrastructure stops being a set of repeatable assets and starts becoming tribal knowledge. The reality is, as our systems scale, the need for version control over infrastructure becomes as essential as version control over application code.
In this post, I’ll walk through practical patterns for versioning infrastructure, drawing from real-world projects I’ve seen and contributed to. We’ll avoid abstract theory and focus on what works, what doesn’t, and where common pitfalls hide. You’ll get concrete examples in Terraform and GitOps with ArgoCD, along with folder structures and scripts that you can adapt. If you’re a developer or a curious engineer wondering how to bring discipline to your infrastructure changes, you’re in the right place.
Where infrastructure version control fits today
Infrastructure as code (IaC) is now table stakes in modern software delivery. Tools like Terraform, Pulumi, AWS CloudFormation, and Azure Bicep have matured, and GitOps practices (using Git as the single source of truth for declarative infrastructure) are increasingly common, especially in Kubernetes environments. The audience ranges from platform engineers and DevOps teams to backend developers who own their deployment pipelines.
Compared to manual infrastructure management or purely script-based approaches, IaC with version control offers reproducibility, auditability, and collaboration. It’s not just about spinning up resources; it’s about managing change safely, reviewing infrastructure just like code, and recovering from mistakes quickly. Alternatives like direct console changes or ad-hoc scripts may feel faster in the moment, but they rarely scale and almost always create operational debt.
Core patterns for infrastructure version control
There are several proven patterns to manage infrastructure versions. Each pattern has tradeoffs depending on team size, compliance requirements, and the complexity of your stack.
Git branching strategies for infrastructure
A common approach is to adapt Git branching models for infrastructure. The main branch usually represents the desired state of production, while feature branches are used for changes. Staging or development environments are often tied to specific branches. This mirrors application workflows but adds infrastructure-specific considerations like state file management and drift detection.
# Example folder structure for a Git-based IaC repository
├── infrastructure/
│ ├── modules/ # Reusable Terraform modules
│ │ ├── network/
│ │ ├── compute/
│ │ └── database/
│ ├── environments/
│ │ ├── dev/
│ │ │ ├── main.tf
│ │ │ ├── variables.tf
│ │ │ └── terraform.tfvars
│ │ ├── staging/
│ │ │ ├── main.tf
│ │ │ └── terraform.tfvars
│ │ └── prod/
│ │ ├── main.tf
│ │ └── terraform.tfvars
│ └── scripts/
│ └── validate.sh
├── .github/
│ └── workflows/
│ └── terraform-plan-apply.yml
└── README.md
In this structure, each environment has its own working directory, and modules are centralized. A pull request targeting environments/dev/main.tf triggers a plan for dev; merging to main triggers a plan for prod, often with manual approval gates.
One real-world challenge is managing state files. Terraform’s remote state (e.g., S3 backend with locking via DynamoDB) ensures multiple engineers don’t overwrite each other’s changes. In GitOps, tools like ArgoCD watch the Git repository and continuously reconcile the cluster state with what’s declared. This shifts the focus from imperative commands to declarative intent.
Version pinning and release tags
Infrastructure definitions often depend on provider versions, module versions, or container image tags. Pinning versions in code ensures reproducible deployments. Using Git tags (e.g., v1.2.0-infra) marks a known-good state, allowing rollbacks or audits.
# Terraform backend and provider pinning
terraform {
required_version = ">= 1.5.0"
backend "s3" {
bucket = "my-company-terraform-state"
key = "prod/terraform.tfstate"
region = "us-east-1"
dynamodb_table = "terraform-lock"
encrypt = true
}
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.30"
}
}
}
provider "aws" {
region = "us-east-1"
}
In practice, pinning avoids surprise breakages when providers release backward-incompatible updates. It’s common to run scheduled updates (e.g., monthly) where the team intentionally upgrades versions in a controlled manner, testing thoroughly in staging before prod.
Change records and commit messaging conventions
Good commit messages are underrated. For infrastructure, they should explain what changed, why, and any impacts. A convention like “feat: add private subnet for app tier” or “fix: adjust RDS instance size to reduce costs” gives future readers context. Linking to tickets (e.g., Jira or GitHub Issue) ties changes to business decisions.
In regulated environments, maintaining an audit trail is non-negotiable. Some teams generate change logs automatically from commit history or use tools like Atlantis for plan output storage. When combining with GitOps, ArgoCD’s sync history provides a per-application record of what was applied and when.
Practical examples: Terraform and GitOps workflows
Let’s ground these patterns in code. Below are two scenarios I’ve worked with: a Terraform-based IaC workflow with plan/apply gates, and a GitOps workflow using ArgoCD for Kubernetes.
Terraform: Plan and apply with approvals
In many organizations, infrastructure changes go through a PR process. The plan output is posted as a comment, and an approval gate ensures a second pair of eyes. The following GitHub Actions workflow illustrates this. It uses hashicorp/setup-terraform and terraform plan for PRs, and terraform apply on merge to main, but only after manual approval.
# .github/workflows/terraform-plan-apply.yml
name: Terraform Plan and Apply
on:
pull_request:
paths:
- 'infrastructure/**'
push:
branches:
- main
paths:
- 'infrastructure/**'
jobs:
terraform:
name: Terraform
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./infrastructure
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.7.0
- name: Terraform Format
id: fmt
run: terraform fmt -check
- name: Terraform Initialize
id: init
run: terraform init
- name: Terraform Validate
id: validate
run: terraform validate -no-color
- name: Terraform Plan
id: plan
if: github.event_name == 'pull_request'
run: terraform plan -no-color -input=false
continue-on-error: true
- name: Comment PR with Plan
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`terraform\n${{ steps.plan.outputs.stdout }}\n\`\`\`
</details>
*Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
- name: Terraform Plan Status
if: steps.plan.outcome == 'failure'
run: exit 1
- name: Terraform Apply
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
run: terraform apply -auto-approve -input=false
In the real world, teams often add a manual approval step for production applies. They might use GitHub Environments with required reviewers or integrate with tools like Atlantis for a centralized plan/apply server. One pattern I’ve used is to store plan artifacts in S3 and link them in PR comments for traceability.
GitOps with ArgoCD: Declarative Kubernetes management
GitOps extends version control to Kubernetes. ArgoCD watches a Git repository and applies changes when the repo changes. This ensures the cluster state is always traceable to a specific commit.
# argocd/applications/myapp.yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: myapp
namespace: argocd
spec:
project: default
source:
repoURL: https://github.com/myorg/k8s-manifests.git
targetRevision: HEAD
path: apps/myapp/overlays/prod
destination:
server: https://kubernetes.default.svc
namespace: myapp-prod
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
The folder structure for Kubernetes manifests might look like:
k8s-manifests/
├── apps/
│ ├── myapp/
│ │ ├── base/
│ │ │ ├── deployment.yaml
│ │ │ ├── service.yaml
│ │ │ └── kustomization.yaml
│ │ └── overlays/
│ │ ├── dev/
│ │ │ ├── replica-patch.yaml
│ │ │ └── kustomization.yaml
│ │ └── prod/
│ │ ├── replica-patch.yaml
│ │ └── kustomization.yaml
│ └── other-app/
└── clusters/
└── prod/
└── argocd-app.yaml
With this setup, a commit to apps/myapp/overlays/prod triggers ArgoCD to sync the production cluster. If something goes wrong, reverting the commit and syncing immediately restores the previous state. This pattern is especially valuable in environments where multiple teams contribute to manifests; Git becomes the common interface.
In one project, we used Kustomize overlays to manage environment-specific differences, reducing duplication. We paired this with pre-merge checks using kustomize build and kubeval to validate manifests, catching errors before they reached the cluster.
Strengths, weaknesses, and tradeoffs
Infrastructure version control is powerful, but it’s not a silver bullet. Understanding the tradeoffs helps you choose the right pattern.
Strengths:
- Reproducibility: Pinning versions and using declarative definitions ensures consistent environments.
- Auditability: Git history provides a clear timeline of changes, authors, and reasons.
- Collaboration: PRs and code reviews bring infrastructure into the team’s workflow, reducing “hero” deployments.
- Disaster recovery: With Git as the source of truth, rebuilding from scratch is often just a matter of running
terraform applyor syncing ArgoCD.
Weaknesses:
- Complexity overhead: Setting up remote state, CI/CD pipelines, and access controls takes initial effort.
- Drift risk: Manual changes in consoles can cause drift. Regular reconciliation (e.g.,
terraform planor ArgoCD self-heal) is necessary. - Learning curve: Engineers unfamiliar with IaC or GitOps may struggle with concepts like state management or declarative patterns.
When to avoid:
- For very small, non-critical projects, the overhead might outweigh the benefits. A single script or even console-based management could be acceptable.
- In highly dynamic environments where infrastructure changes multiple times per hour, traditional GitOps might be too slow; consider tools like Crossplane or more event-driven approaches.
- If your team lacks buy-in for code reviews on infrastructure changes, the process can become a checkbox exercise, undermining the value.
Personal experience: Lessons from the trenches
I’ve seen infrastructure version control succeed and fail in equal measure. Early on, I assumed that adopting Terraform would automatically solve our reliability issues. In reality, the tool is only as good as the processes around it. One memorable incident involved a developer pushing a Terraform change that deleted a production database because the state file was out of sync. Since then, we’ve enforced remote state locking and mandatory plan reviews, which has prevented similar mishaps.
Another common mistake is neglecting module design. In one project, we started with ad-hoc Terraform files for each environment. Over time, changes became hard to propagate, and we ended up with drift. Refactoring to reusable modules (like the folder structure above) took effort but paid off in maintainability. It also made onboarding easier, as new engineers could understand the architecture by looking at the module interfaces.
I’ve also learned that documentation is as important as code. A README.md in each environment folder, describing assumptions, dependencies, and common commands, reduces confusion. Similarly, for GitOps, documenting how overlays work and what each patch does helps avoid “magic” that no one understands.
Lastly, there’s a human factor. When we first introduced PR reviews for infrastructure changes, some engineers viewed it as a bottleneck. We addressed this by adding automation (linting, security scans) and by celebrating well-written PRs in team meetings. Over time, the culture shifted to seeing infrastructure changes as a team responsibility, not an individual’s secret knowledge.
Getting started: Tooling and mental models
To start, pick a tool that matches your environment. For cloud-agnostic IaC, Terraform is a solid choice; for Kubernetes, consider ArgoCD or Flux. The mental model is to treat infrastructure like software: versioned, reviewed, and tested.
- Set up a Git repository for your IaC. Structure it with environments and modules as shown above.
- Configure remote state (e.g., S3 for Terraform) with locking. This prevents concurrent modifications.
- Add CI/CD pipelines for validation and plan/apply. Start with simple scripts and expand as needed.
- Establish code review norms. Require at least one reviewer for infrastructure PRs and use template PR descriptions.
- Implement drift detection. Schedule regular
terraform planruns or enable ArgoCD’s self-heal, but monitor for unintended changes.
For Terraform, tools like tflint and tfsec can catch issues early. For Kubernetes, kustomize and kubeval are helpful. In both cases, keep the pipeline fast by running only necessary checks on each PR.
One practice I recommend is “infrastructure as product.” Assign ownership of modules or environments to specific teams, with clear SLAs for changes and support. This aligns incentives and ensures changes are thoughtful.
Free learning resources
- Terraform Registry (modules): registry.terraform.io – Official modules for common patterns. Useful for starting points, though always review before production use.
- ArgoCD Documentation: argo-cd.readthedocs.io – Comprehensive guides on GitOps workflows. The “Getting Started” section is particularly hands-on.
- GitOps Working Group: gitopsworkinggroup.gitops.io – Background on GitOps principles and best practices, from the founders of the movement.
- Kustomize Tutorial: kubectl docs – Official guide to using Kustomize for Kubernetes configuration management.
- OpenTofu: opentofu.org – An open-source fork of Terraform that’s gaining traction. Good for those wanting to avoid vendor lock-in.
These resources are practical and community-driven. They avoid the fluff and focus on real-world usage.
Who should use this, and who might skip it?
If you’re managing more than a handful of resources or working in a team, infrastructure version control is a must. It’s especially valuable in regulated industries, multi-cloud setups, or when you need to scale deployments reliably. Developers who own their services end-to-end will benefit from having infrastructure changes reviewed and versioned alongside application code.
If you’re a solo developer with a small, non-critical project, you might skip the full setup and start with simple scripts. However, even then, consider using Git for change tracking. The overhead is minimal, and the benefits compound as your project grows.
The key takeaway is that infrastructure version control isn’t about perfection; it’s about progress. Start small, iterate, and focus on the practices that bring clarity and safety to your changes. In doing so, you’ll reduce midnight firefights and build systems that are resilient by design.
