IaC pipelines & config
Reviewed/scanned IaC; Key Vault & App Config.
Infrastructure as code delivers its full value only when run through automation with configuration and secrets managed properly. This lesson ties IaC into the pipeline and covers how configuration and secrets are externalized.
Externalizing configuration and secrets
Applications and infrastructure need configuration and secrets, and hardcoding either is a mistake. Azure Key Vault stores secrets (connection strings, keys, certificates) that pipelines and apps fetch at runtime by identity — never embedded in code, images, or pipeline YAML. Azure App Configuration centralizes application settings and feature flags so configuration changes do not require redeployment. In the pipeline, a service connection using workload identity federation authenticates to Azure with short-lived tokens and no stored credential, and Key Vault–backed variable groups supply secrets to the deployment without exposing them. This separation — code in the repo, configuration in App Configuration, secrets in Key Vault, identity-based pipeline access — keeps sensitive material out of source control and lets you change settings independently of deployments.
# WHAT WHERE HOW ACCESSED# code → git repo built by the pipeline# app settings → Azure App Configuration fetched at runtime/deploy# feature flags → App Configuration toggled without redeploy# secrets → Azure Key Vault fetched by managed identity# pipeline auth → service connection (OIDC fed.) short-lived tokens, no secret## Nothing sensitive lives in the repo, the image, or the pipeline YAML.
The IaC delivery pipeline
Putting it together, a mature IaC pipeline provisions and updates infrastructure automatically and safely: the IaC code is reviewed in pull requests (with a plan/what-if showing proposed changes), scanned for security misconfigurations, gated by approvals for production, and applied by a least-privilege pipeline identity, with drift detection catching out-of-band changes. Configuration and secrets are externalized to App Configuration and Key Vault, so environments differ by configuration, not by code. This is infrastructure delivered with the same rigor as application code — versioned, reviewed, scanned, approved, automated, and auditable. The DevOps engineer builds this so that spinning up a new environment or changing infrastructure is a safe, repeatable, logged operation rather than a risky manual effort, which is the foundation everything else in continuous delivery depends on.