Declarative IaC

No Change
adopt
First Added: January 5, 2025 Updated: June 12, 2026

Declarative infrastructure as code describes desired end state in versioned files; a planner/reconciler (Terraform, the Kubernetes API, GitOps controllers) computes and applies the diff. We adopt declarative IaC for cloud and cluster shape; hold Imperative IaC, CDKs, and Pulumi for new work when a declarative path exists.

Blurb

Infrastructure as code is the process of managing and provisioning computer data center resources through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.

Summary

Declarative vs imperative (IaC):

| Style | Artifact | Garden stance |
| --- | --- | --- |
| Declarative IaC | Desired state (HCL, YAML, JSON) | adopt |
| Imperative IaC | Programs that emit or call APIs | hold |

Why adopt: reviewers see what should exist; engines handle ordering and drift detection. Pairs with GitOps (PR-driven apply), Policy as Code (lint before merge), and Shift Left / DevSecOps.

Common tools (declarative lane):

| Surface | Examples |
| --- | --- |
| Cloud accounts | Terraform / OpenTofu (HCL) |
| Kubernetes | manifests, Helm charts (YAML) |
| Cluster delivery | ArgoCD reconciles Git desired state |
| Host config (when needed) | Ansible playbooks (prefer images + declarative cloud where possible) |

DRY without going imperative: modules, variables, for_each, Helm subcharts, and policy bundles. Repetition is a design smell, not a reason to generate IaC from TypeScript.

When imperative is still OK: application code, one-off scripts, and glue. The garden hold is scoped to infrastructure generators, not all programming.

Details

| Topic | Notes |
| --- | --- |
| Reconciliation | Plan/apply or controller loop; fix drift instead of documenting it |
| Blast radius | Declarative plans show resource graph changes; imperative generators hide side effects |
| State | Remote state (Terraform) or etcd (K8s); back up and lock |
| Secrets | Never in Git; use secret managers and external data sources |
| Legacy import | terraformer and similar can bootstrap; then refactor into modules |
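
One way to turn the "blast radius" and "lint before merge" points into a pre-merge gate, as an added example that is not code from this garden: it reads the JSON that `terraform show -json` produces for a saved plan and fails when a protected resource type would be deleted or replaced. The sample plan, its resource addresses, and the `PROTECTED_TYPES` policy are constructed assumptions.

```python
import json
import sys

# Constructed sample shaped like `terraform show -json <planfile>` output; addresses are made up.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["update"]}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance",
     "change": {"actions": ["delete", "create"]}},
    {"address": "aws_kms_key.data", "type": "aws_kms_key",
     "change": {"actions": ["delete"]}},
    {"address": "aws_vpc.core", "type": "aws_vpc",
     "change": {"actions": ["no-op"]}},
]})

# Assumed policy: types whose deletion or replacement needs explicit sign-off.
PROTECTED_TYPES = {"aws_db_instance", "aws_kms_key", "aws_s3_bucket"}


def classify(actions):
    """Map a plan 'actions' list to one change kind, or None if nothing changes."""
    acts = set(actions)
    if {"create", "delete"} <= acts:
        return "replace"  # delete+create in either order destroys the object
    for kind in ("delete", "create", "update"):
        if kind in acts:
            return kind
    return None  # no-op, read, or an action this gate does not cover


def review_plan(plan_json):
    """Return (counts per change kind, destructive changes to protected types)."""
    counts = {"create": 0, "update": 0, "delete": 0, "replace": 0}
    violations = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        kind = classify(rc.get("change", {}).get("actions", []))
        if kind is None:
            continue
        counts[kind] += 1
        if kind in ("delete", "replace") and rc.get("type") in PROTECTED_TYPES:
            violations.append((rc["address"], kind))
    return counts, violations


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    counts, violations = review_plan(text)
    print(counts, violations)
    sys.exit(1 if violations else 0)
```

Run with a JSON plan file as the first argument in CI; a non-zero exit blocks the merge until the destructive change is reviewed.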

References