IaC Tools Toolkit
7 modules are currently being reworked. Watch this section over the next few days.
Toolkit Track | 13 Modules | ~13 hours total
Overview
The IaC Tools Toolkit covers the major infrastructure as code tools in depth. From HashiCorp’s Terraform to OpenTofu, from Pulumi’s programming language approach to Ansible’s configuration management, from CloudFormation to Bicep, and from Ansible roles to Kubernetes-native Ansible Operators—this toolkit gives you hands-on experience with the tools that define modern infrastructure.
This toolkit applies concepts from IaC Discipline.
Prerequisites
Before starting this toolkit:
- IaC Discipline — IaC fundamentals, testing, security
- IaC Fundamentals — Core concepts (minimum)
- Cloud provider account (AWS, Azure, or GCP for exercises)
- Basic command-line experience
Modules
| # | Module | Complexity | Time |
|---|---|---|---|
| 7.1 | Terraform Deep Dive | [COMPLEX] | 60 min |
| 7.2 | OpenTofu | [MEDIUM] | 45-50 min |
| 7.3 | Pulumi | [COMPLEX] | 55-60 min |
| 7.4 | Ansible | [COMPLEX] | 55-60 min |
| 7.5 | CloudFormation | [MEDIUM] | 45-50 min |
| 7.6 | Bicep | [MEDIUM] | 45-50 min |
| 7.7 | Wing | [COMPLEX] | 50-55 min |
| 7.8 | SST | [MEDIUM] | 45-50 min |
| 7.9 | System Initiative | [COMPLEX] | 50-55 min |
| 7.10 | Nitric | [MEDIUM] | 45-50 min |
| 7.11 | HCP Terraform Workflow Operations | [COMPLEX] | 60-70 min |
| 7.12 | Ansible Operator SDK Fundamentals | [COMPLEX] | ~90 min |
| 7.13 | Advanced watches.yaml Patterns | [COMPLEX] | ~100 min |
| 7.15 | Helm vs Ansible vs Go Operator Decision Framework | [COMPLEX] | ~90 min |
| 7.16 | Production Ansible Operator Patterns | [EXPERT] | ~120 min |
| 7.17 | Testing Ansible Operators with Molecule and Kuttl | [COMPLEX] | ~100 min |
| 7.14 | AWX, Tower, and Event-Driven Ansible (EDA) Integration | [COMPLEX] | ~120 min |
Learning Outcomes
After completing this toolkit, you will be able to:
- Write production Terraform — Modules, workspaces, state backends, providers
- Migrate to OpenTofu — Understand the fork, migration path, differences
- Use Pulumi — Infrastructure in TypeScript, Python, Go
- Manage configuration with Ansible — Playbooks, roles, inventory
- Deploy with CloudFormation — AWS-native IaC, nested stacks, macros
- Use Bicep — Azure-native IaC, simplified ARM templates
- Understand Wing — Cloud-oriented programming language
- Develop with SST — Modern serverless framework with live Lambda
- Explore System Initiative — Reactive, visual DevOps automation
- Build with Nitric — Cloud-agnostic application framework
- Operate Terraform at organizational scale — HCP Terraform workspaces, dynamic provider credentials, Sentinel/OPA policy gates, drift detection, and private module registry workflows
- Build Ansible Operators — Map Kubernetes custom resources to Ansible roles with Operator SDK, watches.yaml, kubernetes.core, and status-aware reconciliation
- Choose the right operator implementation style — Score a requirement across twelve decision axes (complexity, state-machine fit, OLM tier, upgrade safety, and more) to select Helm, Ansible, or Go, and plan incremental migrations as requirements grow
- Operate Ansible Operators in production — Status conditions, finalizer safety, idempotency at scale, CRD upgrade strategies, leader election, OLM bundles, and operator observability
- Master advanced watches.yaml patterns — Multi-CRD operators, namespace scoping, cluster-scoped RBAC, watchDependentResources + blacklist filtering, finalizer mapping, selector filters, and worker concurrency tuning via ANSIBLE_WORKERS
- Test Ansible Operators — Design a layered test strategy using Molecule (role-level unit and integration), Kuttl (end-to-end CRD reconciliation), and operator-sdk scorecard (OLM bundle validation)
- Operate centralized Ansible automation — Deploy AWX Operator, configure job templates, credentials, and dynamic Kubernetes inventory; wire Event-Driven Ansible rulebooks to react to cluster events via AWX webhooks
Tool Selection Guide
Which IaC tool?

"I need multi-cloud infrastructure provisioning" → Terraform / OpenTofu
- Declarative HCL syntax
- Provider ecosystem (AWS, Azure, GCP, K8s, etc.)
- State management built-in
- Largest community

"I want to use my programming language (TypeScript, Python, Go)" → Pulumi
- Real programming languages
- Better testing capabilities
- Complex logic support
- Reuse existing libraries

"I need AWS-only with native integration" → CloudFormation
- Deep AWS integration
- Stack drift detection
- StackSets for multi-account
- No state file management

"I need Azure-only with simplified syntax" → Bicep
- Azure-first design
- Cleaner than ARM templates
- Built into Azure CLI
- No state file management

"I need configuration management (post-provisioning)" → Ansible
- Agentless (SSH/WinRM)
- Idempotent operations
- Procedural + declarative
- Great for OS configuration

"I want an Ansible role to reconcile Kubernetes custom resources" → Ansible Operator SDK
- Kubernetes controller shell from Operator SDK
- Reconcile logic implemented as Ansible roles
- `watches.yaml` maps CRDs to roles or playbooks
- Strong when platform teams already own Ansible automation
- Production patterns (status conditions, finalizers, OLM): Module 7.16

"I need to choose between Helm, Ansible, and Go for a Kubernetes operator" → Module 7.15: Helm vs Ansible vs Go Operator Decision Framework
- 12-axis decision matrix covering complexity, state-machine fit, OLM tier
- Worked examples: cert-manager (Helm), MinIO (Ansible), Crossplane (Go)
- OperatorHub.io capability level requirements per style
- Migration paths from Helm → Ansible → Go

"I need centralized Ansible automation with UI, RBAC, and event-driven response" → AWX (open-source) or AAP (Red Hat enterprise)
- AWX Operator installs AWX on Kubernetes
- Job templates, credentials, dynamic inventory
- EDA rulebooks react to Kubernetes API events
- AAP adds support contract, EDA Controller, Automation Hub

"I want Terraform without HashiCorp licensing concerns" → OpenTofu
- 1:1 Terraform compatible
- Linux Foundation governance
- Community-driven
- Drop-in replacement

"I want unified infrastructure and application code" → Wing
- Cloud-oriented programming language
- Compiles to Terraform + Lambda
- Built-in local simulator
- Preflight/inflight model

"I want fast serverless development with live reload" → SST
- Live Lambda development
- Real AWS, instant reload
- Full-stack support (Lambda, Next.js, etc.)
- TypeScript-first

"I want visual, reactive infrastructure automation" → System Initiative
- Canvas-based visual editing
- Reactive dependency propagation
- Real-time collaboration
- Function-based extensibility

"I want to deploy the same code to any cloud" → Nitric
- Cloud-agnostic APIs
- Infrastructure derived from code
- AWS, Azure, GCP support
- TypeScript, Python, Go, Dart

Tool Comparison Matrix
| Feature | Terraform | OpenTofu | Pulumi | Ansible | CloudFormation | Bicep |
|---|---|---|---|---|---|---|
| Language | HCL | HCL | TypeScript/Python/Go | YAML | YAML/JSON | Bicep DSL |
| State | Required | Required | Required | None | Managed | Managed |
| Multi-cloud | Yes | Yes | Yes | Yes | AWS only | Azure only |
| Learning curve | Medium | Medium | Higher | Low | Medium | Low |
| Testing | Terratest | Terratest | Native | Molecule | TaskCat | ARM TTK |
| Drift detection | Plan | Plan | Preview | Check mode | Drift detection | What-if |
| License | BSL 1.1 | MPL 2.0 | Apache 2.0 | GPL 3.0 | Proprietary | MIT |
The IaC Landscape
Provisioning (infrastructure creation):
- Multi-cloud: Terraform, OpenTofu, Pulumi
- Cloud-native: CloudFormation (AWS), Bicep (Azure), GCP DM (GCP)

Configuration (post-provisioning):
- Ansible, Chef, Puppet, Salt

Kubernetes-native:
- Crossplane, Cluster API, Pulumi K8s

Study Path
1. Module 7.1: Terraform Deep Dive
   - The industry standard
   - Providers, modules, state
2. Module 7.2: OpenTofu
   - Open-source alternative
   - Migration from Terraform
3. Module 7.3: Pulumi
   - Programming languages for IaC
   - Testing with real code
4. Module 7.4: Ansible
   - Configuration management
   - Playbooks and roles
5. Module 7.5: CloudFormation
   - AWS-native IaC
   - Stacks and StackSets
6. Module 7.6: Bicep
   - Azure-native IaC
   - ARM template evolution
7. Module 7.7: Wing
   - Cloud-oriented language
   - Unified infra and code
8. Module 7.8: SST
   - Live Lambda development
   - Modern serverless
9. Module 7.9: System Initiative
   - Visual, reactive IaC
   - Collaboration built-in
10. Module 7.10: Nitric
    - Cloud-agnostic framework
    - Deploy anywhere
11. Module 7.11: HCP Terraform Workflow Operations
    - Remote runs, governance, drift
    - Operate Terraform at org scale
12. Module 7.12: Ansible Operator SDK Fundamentals
    - Map CRDs to Ansible roles
    - Build a minimum viable operator
13. Module 7.15: Helm vs Ansible vs Go Operator Decision Framework
    - 12-axis decision matrix
    - Three worked examples, all 3 flavors on kind
14. Module 7.13: Advanced watches.yaml Patterns
    - Multi-CRD, namespace scoping, finalizers
    - blacklist filtering + ANSIBLE_WORKERS tuning
15. Module 7.16: Production Ansible Operator Patterns
    - Status conditions, finalizers, idempotency at scale
    - Leader election, OLM, observability, chaos testing
16. Module 7.17: Testing Ansible Operators with Molecule and Kuttl
    - Molecule role-level unit and integration tests
    - Kuttl E2E CRD reconciliation tests
17. Module 7.14: AWX, Tower, and EDA Integration
    - Centralized automation controller
    - Event-Driven Ansible on Kubernetes

[Toolkit Complete] → Apply to production

Hands-On Focus
| Module | Key Exercise |
|---|---|
| Terraform | Build multi-environment setup with modules |
| OpenTofu | Migrate existing Terraform project |
| Pulumi | Deploy infrastructure with TypeScript |
| Ansible | Configure servers with roles and inventory |
| CloudFormation | Create nested stack with drift detection |
| Bicep | Deploy Azure resources with parameters |
| Wing | Build image processing pipeline with simulator |
| SST | URL shortener with live Lambda development |
| System Initiative | Reactive VPC with automatic subnet calculation |
| Nitric | Multi-cloud notes API deployed everywhere |
| HCP Terraform | VCS-driven workflow with dynamic credentials and policy gates |
| Ansible Operator SDK | Build a DemoApp custom resource reconciled by an Ansible role |
| Advanced watches.yaml | Multi-CRD operator with namespace scoping, blacklist filtering, and finalizer |
| Helm vs Ansible vs Go Decision | Build all three operator styles against the same WebApp CRD on kind; compare line counts, debugging, and capability ceilings |
| Production Ansible Operator Patterns | Deploy operator with HA leader election, create 100 CRs, inject leader transition, measure reconciliation latency |
| Testing Ansible Operators | Molecule delegated + docker + kind scenarios, Kuttl E2E create/delete assertions on kind |
| AWX + EDA | Deploy AWX Operator on kind, register a Kubernetes credential, and write an EDA rulebook that reacts to Pod events |
Related Tracks
- Before: IaC Discipline — IaC fundamentals (essential)
- Related: GitOps & Deployments — GitOps for infrastructure delivery
- Related: Security Tools — Security scanning for IaC
- Related: CI/CD Pipelines — IaC in pipelines
- Related: Platforms Toolkit — Crossplane as Kubernetes-native IaC
“The best tool is the one your team will actually use consistently. Master one deeply, understand all broadly.”