GitOps for Infrastructure as Code

Manage your entire infrastructure through pull requests. Every change is versioned, reviewed, and auditable. From plan to apply, GitOps is the way.

What is GitOps for infrastructure?

GitOps brings the power of Git workflows to infrastructure management. Every change follows the same path: branch, commit, review, merge, deploy.

Declarative infrastructure

Your entire infrastructure is defined as code in Git. The repository becomes the single source of truth for what should be deployed.

  • Version controlled infrastructure
  • Rollback to any previous state
  • Directory-based environments

Pull request workflows

Every infrastructure change starts with a pull request. Plans are automatically generated, reviewed, and approved before any changes are applied.

  • Automated plan generation
  • Peer review process
  • Approval workflows

Automated deployment

Once approved and merged, changes are automatically applied to your infrastructure. No manual steps, no drift, just consistent deployments.

  • Auto-apply on merge
  • Drift detection
  • Automated rollbacks

The GitOps workflow

From code change to production deployment in a secure, auditable pipeline

1. Create branch & make changes

Developers create a feature branch and modify infrastructure code. Changes are committed with clear, descriptive messages.

$ git checkout -b add-redis-cluster
$ vim terraform/redis.tf
$ git add .
$ git commit -m "Add Redis cluster"
$ git push origin add-redis-cluster

2. Open pull request

A pull request triggers Terrateam to automatically run terraform plan. The results are posted as a comment for review.

Add Redis cluster for session management #423
Terrateam Plan
Plan: 3 to add, 0 to change, 0 to destroy.

+ aws_elasticache_cluster.redis
+ aws_elasticache_subnet_group.redis
+ aws_security_group.redis

3. Review & approve

Team members review the plan, discuss changes, and approve when ready. Security policies and compliance checks run automatically.

Code Review

Team reviews infrastructure changes and provides feedback

Policy Checks

OPA policies validate security and compliance requirements

4. Merge & auto-apply

Once merged, Terrateam automatically applies the changes to your infrastructure. The apply results are posted back to the pull request.

Successfully Applied

Infrastructure updated. Redis cluster deployed to production.

Why GitOps for infrastructure?

GitOps transforms infrastructure management from a manual, error-prone process into an automated, reliable, and auditable workflow.

Complete visibility

Every change is tracked in Git. Know who changed what, when, and why with a complete audit trail.

Enhanced security

No direct access to production. All changes go through code review and automated security checks.

Faster deployment

Automated workflows mean changes deploy faster and more reliably than manual processes.

Better collaboration

Pull requests enable team discussion, knowledge sharing, and collective ownership of infrastructure.

Easy rollbacks

Something went wrong? Revert the commit and your infrastructure rolls back automatically.

Continuous improvement

GitOps enables progressive delivery, canary deployments, and feature flags for infrastructure.

Enterprise GitOps features

Terrateam brings enterprise-grade features to GitOps workflows

Policy as code

Enforce security, compliance, and best practices automatically. Write policies in Rego and apply them to every change before it reaches production.

Policy Definition

package terrateam

# Deny public S3 buckets
deny[msg] {
  resource := input.plan.resource_changes[_]
  resource.type == "aws_s3_bucket"
  resource.change.after.acl == "public-read"
  msg := "S3 buckets cannot be public"
}

# Require encryption for RDS
deny[msg] {
  resource := input.plan.resource_changes[_]
  resource.type == "aws_db_instance"
  not resource.change.after.storage_encrypted
  msg := "RDS must have encryption enabled"
}

Policy in Action

Policy Check Failed

2 policy violations found:

  • S3 buckets cannot be public
  • RDS must have encryption enabled
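Before a policy like the one above gates production applies, it is worth proving that it fires on the plans it should and stays quiet on the ones it should not. OPA's built-in test runner can do that against constructed plan inputs. The test file below is an added example, not Terrateam's code and not part of the original page: it assumes the input.plan.resource_changes shape that the page's policy reads, sits in the same terrateam package so it can reference deny directly, and the file name terrateam_test.rego is an assumption. The plan documents are constructed for the test, not real Terraform output. The third input exercises an edge case: a destroy-only plan, where change.after is null.

```rego
# terrateam_test.rego (example test file; name is an assumption)
# Exercises the two deny rules from the page's terrateam package.
package terrateam

# Constructed plan: violates both rules.
violating_plan := {"plan": {"resource_changes": [
	{
		"address": "aws_s3_bucket.assets",
		"type": "aws_s3_bucket",
		"change": {"actions": ["create"], "after": {"acl": "public-read"}}
	},
	{
		"address": "aws_db_instance.main",
		"type": "aws_db_instance",
		"change": {"actions": ["create"], "after": {"storage_encrypted": false}}
	}
]}}

# Constructed plan: private bucket, encrypted database.
compliant_plan := {"plan": {"resource_changes": [
	{
		"address": "aws_s3_bucket.assets",
		"type": "aws_s3_bucket",
		"change": {"actions": ["create"], "after": {"acl": "private"}}
	},
	{
		"address": "aws_db_instance.main",
		"type": "aws_db_instance",
		"change": {"actions": ["update"], "after": {"storage_encrypted": true}}
	}
]}}

# Constructed plan: a destroy. Terraform emits change.after as null here.
destroy_plan := {"plan": {"resource_changes": [
	{
		"address": "aws_db_instance.legacy",
		"type": "aws_db_instance",
		"change": {"actions": ["delete"], "after": null}
	}
]}}

test_public_bucket_denied {
	deny["S3 buckets cannot be public"] with input as violating_plan
}

test_unencrypted_rds_denied {
	deny["RDS must have encryption enabled"] with input as violating_plan
}

test_both_violations_reported {
	count(deny) == 2 with input as violating_plan
}

test_compliant_plan_passes {
	count(deny) == 0 with input as compliant_plan
}

# Documents current behaviour rather than desired behaviour: on a null
# `after`, the reference `resource.change.after.storage_encrypted` is
# undefined, and `not <undefined>` evaluates to true, so the RDS rule
# fires even though nothing is being created or changed.
test_destroy_trips_rds_rule {
	count(deny) == 1 with input as destroy_plan
}
```

Run it with opa test -v . in the directory holding both files. The last test is the one to pay attention to: a plan that only destroys an RDS instance is reported as "RDS must have encryption enabled", a false positive that will block legitimate teardown pull requests. Adding the guard resource.change.after != null to that rule (or matching on change.actions) removes it; the S3 rule is unaffected because an equality test against an undefined reference simply does not match. On OPA 1.0 and later, the pre-1.0 rule heads used on this page (deny[msg] { ... }) need the --v0-compatible flag, or a rewrite to the deny contains msg if { ... } form.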

Multi-environment workflows

Manage dev, staging, and production with different approval requirements. Progressive deployment strategies built-in for safe rollouts.

Configuration

# .terrateam/config.yml
apply_requirements:
  checks:
    - tag_query: "production"
      approved:
        enabled: true
        any_of_count: 2
      status_checks:
        enabled: true

dirs:
  development:
    tags: [development]
    when_modified:
      autoplan: true
      autoapply: true

  staging:
    tags: [staging]
    when_modified:
      autoplan: true
      autoapply: false

  production:
    tags: [production]
    when_modified:
      autoplan: true
      autoapply: false

Environment Pipeline

  • Development: Auto-deploy. Deploys automatically on merge.
  • Staging: 1 approval. Requires team lead approval.
  • Production: 2 approvals. Requires 2 approvals + security review.

Drift detection & reconciliation

Automatically detect when your infrastructure drifts from the desired state. Get notified immediately and create pull requests to reconcile differences.

Drift Alert

Drift Detected

Production infrastructure has drifted from desired state

Drift Report

  • aws_instance.web: Modified
  • aws_security_group.api: Deleted
  • aws_s3_bucket.logs: In Sync

GitOps best practices

Follow these practices to get the most out of your GitOps workflow

Repository structure

  • Separate repositories for application and infrastructure code
  • Environment-specific directories with proper tagging
  • Modular Terraform with clear ownership

Branching strategy

  • Feature branches for all changes
  • Protected main branch with required reviews
  • Short-lived feature branches merged to main

Security practices

  • Never commit secrets - use secret management tools
  • Implement least-privilege access controls
  • Regular security policy reviews

Automation rules

  • Automate everything that can be automated
  • Clear approval workflows for production
  • Automated testing and validation

Ready to transform your infrastructure management?

Join thousands of teams using GitOps to manage infrastructure at scale. Start your free trial today and see the difference.