Technical
Infrastructure as Code Patterns That Stay Legible
Infrastructure as code is supposed to make operations reviewable and repeatable. Done poorly, it makes them opaque and rigid. After eight months of shipping AWS stacks with SAM and a bit of Terraform, here are the patterns that keep IaC readable six months after you wrote it.
The Single-File Ceiling
If my template is under 400 lines, it lives in one file. Past that, it is time to split by resource domain: template-api.yaml, template-data.yaml, template-web.yaml. Splitting earlier adds indirection without benefit. Splitting later means scrolling forever to find anything.
Named Resources Always
Every resource gets an explicit, descriptive name. Not the auto-generated Stack-Function-123abc. A human-readable name in the template. This shows up in the console, the logs, the billing reports. Good names make operations faster; bad names slow every incident.
Parameters for Environment Differences Only
The parameter list should reflect what actually differs across environments: domain name, log retention, which alert email gets paged. Everything else is hardcoded. Parameters are abstractions; each abstraction has a cost; use them where they earn the cost.
Parameters:
Environment:
Type: String
AllowedValues: [dev, staging, prod]
DomainName:
Type: StringTwo parameters for this kind of stack. Not twenty.
Outputs You Actually Use
Outputs exist for cross-stack references. If an output is never imported, it is documentation at best and noise at worst. I prune outputs on every template review. Only the ones another stack consumes survive.
The Diff Discipline
Every change to an IaC template goes through sam deploy --no-execute-changeset (or terraform plan) and the plan output lands in the PR description. Reviewers see exactly what will change in the cloud. The AWS CloudFormation changeset docs cover the mechanics. The discipline is what matters.
What I Stopped Doing
Generating templates programmatically. The abstraction never paid for itself on my scale. A hand-written YAML I can read on a phone screen beats a Python generator that produces the same YAML after debugging the generator. Simple beats clever here too.
The Honest Test
Hand your IaC template to a colleague who has never seen the project. If they can draw the architecture on a whiteboard from the template alone, the template is legible. If they cannot, it is not. Names, structure, and minimal abstraction get you there.
IaC is a communication tool as much as an automation tool. Treat it as one.
The Drift Detection Habit
Console-edited resources drift out of your template. Drift becomes technical debt the moment it exists. A weekly sam list stack-outputs or terraform plan against production catches drift before it becomes a compound problem. When drift is detected, I either fold the change into the template or revert the console edit. Never both approaches in the same codebase; pick one and enforce it. Mixed ownership of infrastructure is the exact thing IaC was supposed to eliminate.
RELATED READING
The Consulting Shift I Am Making In Year Two
After a year of writing and building, my consulting practice is changing shape. Shorter engagements. Sharper outcomes.
ReadThe Frontend Shift: Shipping Less JavaScript In Year Two
A year ago I reached for Next.js for everything. This year I often reach for nothing.
ReadThe Serverless Lesson I Would Write On A Sticky Note
After a year of shipping serverless projects, one rule explains most of the wins and all of the losses.
Read