IaC pipelines & config

Reviewed/scanned IaC; Key Vault & App Config.

Advanced30 min · lesson 9 of 15

Infrastructure as code delivers its full value only when run through automation with configuration and secrets managed properly. This lesson ties IaC into the pipeline and covers how configuration and secrets are externalized.

Externalizing configuration and secrets

Applications and infrastructure need configuration and secrets, and hardcoding either is a mistake. Azure Key Vault stores secrets (connection strings, keys, certificates) that pipelines and apps fetch at runtime by identity — never embedded in code, images, or pipeline YAML. Azure App Configuration centralizes application settings and feature flags so configuration changes do not require redeployment. In the pipeline, a service connection using workload identity federation authenticates to Azure with short-lived tokens and no stored credential, and Key Vault–backed variable groups supply secrets to the deployment without exposing them. This separation — code in the repo, configuration in App Configuration, secrets in Key Vault, identity-based pipeline access — keeps sensitive material out of source control and lets you change settings independently of deployments.

config and secrets externalized
# WHAT WHERE HOW ACCESSED
# code → git repo built by the pipeline
# app settings → Azure App Configuration fetched at runtime/deploy
# feature flags → App Configuration toggled without redeploy
# secrets → Azure Key Vault fetched by managed identity
# pipeline auth → service connection (OIDC fed.) short-lived tokens, no secret
#
# Nothing sensitive lives in the repo, the image, or the pipeline YAML.

The IaC delivery pipeline

Putting it together, a mature IaC pipeline provisions and updates infrastructure automatically and safely: the IaC code is reviewed in pull requests (with a plan/what-if showing proposed changes), scanned for security misconfigurations, gated by approvals for production, and applied by a least-privilege pipeline identity, with drift detection catching out-of-band changes. Configuration and secrets are externalized to App Configuration and Key Vault, so environments differ by configuration, not by code. This is infrastructure delivered with the same rigor as application code — versioned, reviewed, scanned, approved, automated, and auditable. The DevOps engineer builds this so that spinning up a new environment or changing infrastructure is a safe, repeatable, logged operation rather than a risky manual effort, which is the foundation everything else in continuous delivery depends on.

The IaC delivery pipeline
deliver infra safely
PR review + plan/what-if
see changes before they apply
scan + approve + apply
gated, least-privilege
externalize
App Configuration
settings + feature flags
Key Vault
secrets fetched by identity
Deliver IaC through a reviewed, scanned, approved, automated pipeline, with config and secrets externalized — infra as rigorous as code.
Environments should differ by configuration, not by code
When each environment has its own hardcoded settings or a forked copy of the code, they drift apart and "works in test" stops predicting production. Keep one codebase and one IaC definition, and vary environments through externalized configuration (App Configuration) and secrets (Key Vault) — so what you tested is what ships, differing only in config.