The IaC & automation tool landscape

Provisioning, config, templating, policy, GitOps.

Beginner12 min · lesson 3 of 23

The IaC and automation ecosystem has many tools, and they are not competitors so much as pieces that fit different jobs. Knowing which category a tool belongs to tells you what it is for and when to reach for it. There are five broad groups: provisioning, configuration management, Kubernetes templating, policy & scanning, and GitOps delivery — and a real platform usually uses one from several of them together.

The tool landscape by job
build the infrastructure
Provisioning
Terraform, OpenTofu, Pulumi, CloudFormation, Crossplane
Config management
Ansible, Chef, Puppet, Salt
package, guard & deliver
Kubernetes IaC
Helm, Kustomize
Policy & scanning
OPA/Conftest, Sentinel, Checkov, tfsec/Trivy, Terrascan, KICS
GitOps delivery
Atlantis, Argo CD, Flux
A typical stack: Terraform provisions cloud + a cluster, Helm/Kustomize deploy apps, Checkov/OPA guard the code, Atlantis/Argo apply it from Git.

Provisioning: build the infrastructure

Provisioning tools create cloud and infrastructure resources. Terraform is the de facto standard — declarative, cloud-agnostic, huge provider ecosystem; OpenTofu is its open-source fork (covered later); Pulumi lets you write IaC in real programming languages; CloudFormation is AWS’s native tool; and Crossplane provisions cloud resources through Kubernetes. This course centers on Terraform because its concepts (providers, resources, state, plan/apply) transfer to almost all of them.

Everything else, briefly

Configuration management (Ansible, Chef, Puppet, Salt) configures machines after they exist. Kubernetes templating (Helm, Kustomize) turns raw manifests into reusable, per-environment deployments. Policy-as-code and scanning (OPA/Conftest, Sentinel, Checkov, tfsec/Trivy, Terrascan, KICS) automatically enforce rules and catch misconfigurations in your IaC before it is applied — the security layer. And GitOps tools (Atlantis, Argo CD, Flux) apply your IaC automatically from Git, making the repository the source of truth. Each has its own lessons ahead; the point now is knowing the map.

Pick tools for the job, not the hype
The most common IaC mistake is tool sprawl — adopting five overlapping tools because each looked interesting, ending with a stack nobody fully understands. Choose deliberately: one provisioning tool (usually Terraform/OpenTofu), one config-management tool if you need it, the Kubernetes templating your team prefers, and add policy/scanning and GitOps as you mature. A small, well-understood toolset that the whole team can operate beats a comprehensive one that only one person can debug.