
7 points to consider while building Infra as Code (IaC) on AWS

Posted on April 8, 2025 by Vikrant Sundriyal


There are many questions in the air regarding how to architect Infrastructure as Code (IaC) and IaC pipelines. Adopting cloud and automation tools eases the complexity of infrastructure changes. However, improved consistency and reliability do not come out of the box with the software. It takes architects who think through how the tools will be used, and who design the systems, processes, and discipline to use them effectively.

A common problem with IaC design is that, as we introduce more and more components into the stack, our IaC unintentionally becomes a monolith. In the past, I have seen companies that put their best people and a huge effort into coding IaC templates/scripts for 50+ modules, only to realize that change-set management and the risk of touching the same massive code base for every minor change are unmanageable. A wrongly designed IaC certainly makes life messier.

Here I want to share my experience and a few important lessons learned while designing and optimizing many IaC solutions. Though I have tried to keep the points generic, I will mention a few AWS tools and services as practical examples:

1. Follow Layered IaC Design Approach

Categorize stack components into Hardly Changed, Infrequently Changed, and Frequently Changed layers, and decide an appropriate deployment strategy and tool for every layer.

2. Keep Loose cross References

Instead of using tightly coupled references, i.e., the output of the layer 1 stack referenced directly in the layer 2 stack, it's better to push layer 1 outputs to a global store such as Vault or AWS Parameter Store. We are then not bound to use the same tool for layers 1 and 2. Also, we can change the params manually in an unavoidable situation or during a Severity 0 issue.
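As an added illustration (not from the original post) of the loose cross-reference between layers, here are two separate CloudFormation templates: the network layer publishes its VPC id to Parameter Store, and the application layer reads it back through an SSM-backed parameter instead of Fn::ImportValue. The stack layout, the /iac/... parameter path, the Env parameter and the resource names are assumptions.

```yaml
# Layer 1 (network, "hardly changed"): publishes its output to Parameter Store
# instead of exporting it. Assumed parameter path: /iac/<env>/network/vpc-id
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  Env:
    Type: String
    AllowedValues: [dev, stage, prod]
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      Tags:
        - Key: Name
          Value: !Sub 'core-vpc-${Env}'   # environment suffix on every name
  VpcIdParam:
    Type: AWS::SSM::Parameter
    Properties:
      Name: !Sub '/iac/${Env}/network/vpc-id'
      Type: String
      Value: !Ref Vpc
---
# Layer 2 (application, "frequently changed"): the VPC id is resolved from
# Parameter Store at deploy time. No Fn::ImportValue, so layer 1 can be
# rebuilt with another tool, or the value patched by hand in a Sev0, without
# redeploying both stacks together.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  Env:
    Type: String
  VpcIdParamName:
    # The SSM path is supplied per environment from the config file (see the
    # development considerations below); a Default cannot reference ${Env}.
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::VPC::Id>'
    Default: /iac/prod/network/vpc-id
Resources:
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub 'app tier security group (${Env})'
      VpcId: !Ref VpcIdParamName   # resolves to the stored VPC id
      Tags:
        - Key: Name
          Value: !Sub 'app-sg-${Env}'
```

Deleting the Parameter Store entry while the layer 2 stack still depends on it is not blocked the way an export is, so the regular drift job should include a check that the published parameters still exist.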

3. Use Public Cloud Provider's native tools wherever possible

“When it comes to IaC, at times, being "cloud agnostic" is an overvalued concept.”

There is no simple way to write a cloud-agnostic deployment template, so it's better to use the cloud provider's native tool. E.g., AWS's CDK gives three types of constructs off the shelf: Level 1, Level 2, and Level 3. L1 constructs map one-to-one to CloudFormation resources, L2 constructs are curated ones that encapsulate L1 resources, and L3 constructs create an entire architecture for a particular use case. Using L2 and L3 constructs removes the difficulty of managing complex cross-referencing by providing simplified, curated resources.

4. Use Nested templates with Modular Approach

“Managing the entire IaC in a single file is an inefficient way.”

Being modular allows easy updates, where any part can be changed without the risk of touching the others.

Other development considerations:

  • Environment-specific inputs should be kept outside the template and passed in as configuration files.
  • Use a unique environment suffix with every resource name. It's mainly for proper tagging, and it also helps avoid region-specific unique-naming conflicts.
  • Secrets should strictly stay outside IaC templates and the repo. Use Vault or a service like AWS Secrets Manager to manage them.

5. Validate and Test before Execution

“If Infra is version controlled and managed as code, testing and validating the code can't be overlooked.”

Tools like AWS cfn-lint and TaskCat help with template validation.
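A small pre-deployment policy check of the kind a pipeline can run next to cfn-lint, added here as an example (not from the post or from either tool): it fails a template that embeds a literal secret or names a resource without the environment suffix, covering the two development considerations above. The sample template, the ${Env} naming convention and the list of name properties are assumptions.

```python
import json
import re

# Constructed sample (JSON form of a CloudFormation template) used only to
# exercise the checks; the resources, names and the leaked value are made up.
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {"Env": {"Type": "String"}},
  "Resources": {
    "AppDb": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {
        "DBInstanceIdentifier": {"Fn::Sub": "app-db-${Env}"},
        "MasterUserPassword": "Sup3rSecret!"
      }
    },
    "AppBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"BucketName": "app-assets"}
    }
  }
}
""")

SECRET_KEY = re.compile(r"password|secret|token|apikey", re.I)
# Only references resolved at deploy time are accepted as secret values.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")
# Assumed list of properties that become physical, possibly region-unique names.
NAME_KEYS = ("BucketName", "DBInstanceIdentifier", "FunctionName", "TableName")


def check_template(template):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        for key, value in res.get("Properties", {}).items():
            # 1. A secret-looking property must not be a literal string. A Ref
            #    to a NoEcho parameter is a dict (intrinsic), so it passes.
            if SECRET_KEY.search(key) and isinstance(value, str) and not DYNAMIC_REF.match(value):
                findings.append(f"{logical_id}.{key}: literal secret in template")
            # 2. Physical names must end with the ${Env} suffix via Fn::Sub.
            if key in NAME_KEYS:
                sub = value.get("Fn::Sub") if isinstance(value, dict) else None
                if isinstance(sub, list):  # long form: [template, {vars}]
                    sub = sub[0]
                if not (isinstance(sub, str) and sub.endswith("${Env}")):
                    findings.append(f"{logical_id}.{key}: name lacks ${{Env}} suffix")
    return findings
```

In a pipeline, load the real template with json.load, call check_template, and fail the stage when the returned list is non-empty.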

6. Use Deploy Only Pipelines

Maintain well-controlled, deploy-only pipelines for production to avoid arbitrary infrastructure changes.

7. Run regular jobs to catch Drifts (if any)

Yes, there will be drift, as it's impossible to handle every P0 production infra issue through IaC changes. We must be flexible enough to allow quick fixes, but immediately add a story to bring the IaC up to date: implement the IaC change, test it in lower environments, revert the manual change, and roll out the same via IaC in the following deployment window.

Conclusion

Infrastructure as Code (IaC) will help you manage new changes easily by rapidly rolling out low-risk changes in a truly agile fashion. This can greatly improve your velocity if you do it right. We are sharing our experience implementing IaC on AWS.
