Tech Due Diligence ARCH-8: Infrastructure as Code and Environment Parity
What This Control Requires
The assessor evaluates whether infrastructure is defined and managed as code, whether environments can be reproduced from that code, how closely development, staging, and production match each other, and the overall discipline with which infrastructure is managed.
In Plain Language
Manually managed infrastructure is one of the biggest operational risk factors an assessor can find. It creates undocumented dependencies, makes disaster recovery uncertain, and introduces configuration drift that causes bugs to slip through staging undetected. Infrastructure as Code (IaC) is the antidote.
Assessors check which IaC tools are in use (Terraform, Pulumi, CloudFormation, Ansible), how much of the infrastructure is actually defined as code versus manually created, whether staging and production are configured similarly enough to catch issues before they reach users, whether new environments can be spun up reliably, and whether disaster recovery is possible by recreating infrastructure from code.
Teams that invest in IaC demonstrate operational maturity. They can recover from failures faster, onboard new engineers more easily, and avoid the "it works on staging but breaks in production" class of incidents that erode customer trust.
How to Implement
Pick an IaC tool that fits your cloud provider and team. Terraform is the most widely adopted multi-cloud option. CloudFormation or CDK work well for AWS-only environments. Pulumi suits teams that prefer general-purpose programming languages. Whichever tool you choose, the goal is to have all production infrastructure defined in code.
Store IaC definitions in version control, either alongside application code or in dedicated infrastructure repositories. Apply the same development practices you use for application code: code review for infrastructure changes, CI/CD for deployment, and testing for configurations.
Build environment parity between development, staging, and production. The practical way to get there is to provision every environment from the same modules, parameterised only by per-environment variables, rather than maintaining separate copies that drift apart over time. The critical areas are: the same database engine and version (not SQLite for development and PostgreSQL for production), the same container orchestration approach, the same networking and security group configuration, the same service configurations (scale can differ), and the same monitoring and logging setup.
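The parity comparison above can be automated and run in CI so that staging and production are checked against each other on every change. The following is an added example written for this page, not code from the original article or from any IaC tool. It assumes each environment's settings have been flattened into nested dictionaries (for example exported from per-environment variable files or a rendered configuration); the two sample environments, the dotted key names, and the allowlist of keys that may differ on scale are all constructed for the example.

```python
"""Environment parity check between staging and production configuration."""
from typing import Any

# Hypothetical allowlist of settings that may legitimately differ by environment.
# Only scale is allowed to vary; everything else is expected to match exactly.
SCALE_KEYS = {
    "db.instance_class",
    "db.multi_az",
    "app.instance_count",
    "app.instance_type",
}

# Constructed sample inputs for this example (not real environments).
STAGING = {
    "db": {"engine": "postgres", "engine_version": "15.4",
           "instance_class": "db.t3.medium", "multi_az": False},
    "orchestration": {"platform": "eks", "version": "1.29"},
    "network": {"security_groups": {"db": {"ingress": ["5432/tcp from 0.0.0.0/0"]}}},
    "app": {"instance_count": 1, "instance_type": "t3.small"},
    "observability": {"log_shipper": "fluent-bit", "alerting": True},
}
PRODUCTION = {
    "db": {"engine": "postgres", "engine_version": "15.2",
           "instance_class": "db.r6g.large", "multi_az": True},
    "orchestration": {"platform": "eks", "version": "1.29"},
    "network": {"security_groups": {"db": {"ingress": ["5432/tcp from sg-app"]}}},
    "app": {"instance_count": 6, "instance_type": "m6i.large"},
    "observability": {"log_shipper": "fluent-bit", "alerting": True},
    "waf": {"enabled": True},
}


def flatten(config: dict, prefix: str = "") -> dict[str, Any]:
    """Flatten nested settings into dotted keys so they can be compared key by key."""
    flat: dict[str, Any] = {}
    for key, value in config.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def compare_environments(staging: dict, production: dict,
                         scale_keys: set = SCALE_KEYS) -> list[tuple]:
    """Return findings as (severity, key, staging_value, production_value).

    severity is "info" for an allowed scale difference and "violation" for any
    other mismatch, including a setting that exists in only one environment
    (for example a WAF that production has and staging never exercises).
    """
    s, p = flatten(staging), flatten(production)
    findings = []
    for key in sorted(set(s) | set(p)):
        if key not in p:
            findings.append(("violation", key, s[key], None))
        elif key not in s:
            findings.append(("violation", key, None, p[key]))
        elif s[key] != p[key]:
            severity = "info" if key in scale_keys else "violation"
            findings.append((severity, key, s[key], p[key]))
    return findings


def parity_violations(findings: list[tuple]) -> list[tuple]:
    """Keep only the findings that should fail the pipeline."""
    return [f for f in findings if f[0] == "violation"]


def parity_report(staging: dict, production: dict) -> list[str]:
    """Human-readable lines, one per difference, suitable for a CI log."""
    return [f"[{severity}] {key}: staging={sv!r} production={pv!r}"
            for severity, key, sv, pv in compare_environments(staging, production)]


if __name__ == "__main__":
    print("\n".join(parity_report(STAGING, PRODUCTION)))
    violations = parity_violations(compare_environments(STAGING, PRODUCTION))
    raise SystemExit(1 if violations else 0)
```

On the constructed sample the check reports seven differences, of which three are violations: the database engine version differs, the staging database security group is open to the world while production is restricted to the application security group, and production has a WAF that staging does not. Those are exactly the differences that let bugs and misconfigurations pass staging unnoticed; the four instance-size and count differences are reported as informational because they are on the scale allowlist.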
Automate environment provisioning so new environments can be created reliably from IaC definitions. This enables disaster recovery (rebuilding from code), testing (spinning up isolated test environments), and development (personal environments for developers).
Test your IaC before applying changes. Use syntax validation and linting (for Terraform, terraform fmt -check and terraform validate), a plan or preview step that shows exactly what will change and is written to a plan file so that the plan reviewed is the plan applied, policy-as-code tools (Open Policy Agent, Sentinel) that fail the pipeline on security and compliance violations such as a public storage bucket or a destroyed production database, and integration tests that verify infrastructure behaviour after provisioning.
Manage infrastructure state securely. For Terraform, use a remote state backend with locking (S3 with a DynamoDB lock table, or GCS, which locks natively) so that two concurrent applies cannot corrupt the state. Never store state files locally or commit them to version control: Terraform state holds resource attributes in plaintext, which can include database passwords, access keys, and other secrets. Encrypt the backend at rest, restrict read access to the pipeline identity and a small set of operators, and treat access to state as a security-relevant event worth logging.
Track infrastructure drift by periodically comparing actual state against the IaC definitions, for example by running a scheduled refresh-only plan (terraform plan -refresh-only -detailed-exitcode), where exit code 2 means the real resources no longer match what the code declares. Alert on drift and remediate promptly, either by applying the code to restore the declared state or by bringing a legitimate out-of-band change into the code. Unreconciled drift is dangerous in both directions: the next apply may silently revert a manual fix, or a security group loosened by hand may stay loosened because nobody is looking.
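Both the policy gate described under testing and the drift check above can be built on the same input: the JSON representation of a Terraform plan (terraform show -json tfplan), which lists planned changes under resource_changes and changes detected outside Terraform under resource_drift. The following is an added example written for this page, not code from the original article, from HashiCorp, or from OPA or Sentinel; it stands in for a policy-as-code check in plain Python. The protected resource types, the sensitive attribute names, and the embedded sample plan are constructed for the example.

```python
"""Policy gate and drift report over Terraform plan JSON (terraform show -json tfplan)."""
import json
import sys

# Hypothetical policy inputs for this example.
# Destroying or replacing one of these types must be reviewed by a human.
PROTECTED_TYPES = {"aws_db_instance", "aws_s3_bucket", "aws_kms_key"}
# Drift on these attributes means someone changed security posture outside of code.
SENSITIVE_ATTRS = {"ingress", "egress", "publicly_accessible", "policy", "encrypted"}

# Constructed sample plan, shaped like Terraform's plan JSON (trimmed to the fields used).
SAMPLE_PLAN = json.loads(r"""
{
  "format_version": "1.2",
  "terraform_version": "1.7.5",
  "resource_changes": [
    {"address": "aws_instance.web[0]", "type": "aws_instance", "name": "web",
     "change": {"actions": ["update"],
                "before": {"instance_type": "t3.small"}, "after": {"instance_type": "t3.medium"}}},
    {"address": "aws_db_instance.main", "type": "aws_db_instance", "name": "main",
     "change": {"actions": ["delete", "create"],
                "before": {"engine_version": "15.2"}, "after": {"engine_version": "16.1"}}},
    {"address": "aws_security_group.app", "type": "aws_security_group", "name": "app",
     "change": {"actions": ["no-op"], "before": {}, "after": {}}}
  ],
  "resource_drift": [
    {"address": "aws_security_group.db", "type": "aws_security_group", "name": "db",
     "change": {"actions": ["update"],
                "before": {"ingress": [{"from_port": 5432, "cidr_blocks": ["10.0.0.0/16"]}], "description": "db sg"},
                "after":  {"ingress": [{"from_port": 5432, "cidr_blocks": ["0.0.0.0/0"]}], "description": "db sg"}}},
    {"address": "aws_instance.bastion", "type": "aws_instance", "name": "bastion",
     "change": {"actions": ["update"],
                "before": {"tags": {"Owner": "platform"}},
                "after":  {"tags": {"Owner": "platform", "Temp": "debug"}}}}
  ]
}
""")


def classify_actions(actions) -> str:
    """Collapse Terraform's action list into one verb; ["delete","create"] is a replace."""
    a = tuple(actions)
    if set(a) == {"delete", "create"}:
        return "replace"
    return a[0] if len(a) == 1 else "unknown"


def summarize_changes(plan: dict) -> dict[str, int]:
    """Count planned changes by verb, the one-line summary a reviewer reads first."""
    counts: dict[str, int] = {}
    for rc in plan.get("resource_changes", []):
        verb = classify_actions(rc["change"]["actions"])
        counts[verb] = counts.get(verb, 0) + 1
    return counts


def policy_violations(plan: dict) -> list[str]:
    """Pre-apply gate: destructive actions on protected types fail the pipeline."""
    out = []
    for rc in plan.get("resource_changes", []):
        verb = classify_actions(rc["change"]["actions"])
        if verb in ("delete", "replace") and rc["type"] in PROTECTED_TYPES:
            out.append(f"{rc['address']}: {verb} of protected type {rc['type']}")
    return out


def drift_findings(plan: dict) -> list[dict]:
    """Resources whose real configuration no longer matches state, with the attributes that moved."""
    out = []
    for rd in plan.get("resource_drift", []):
        before = rd["change"].get("before") or {}
        after = rd["change"].get("after") or {}
        changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
        out.append({"address": rd["address"], "changed": changed,
                    "sensitive": any(k in SENSITIVE_ATTRS for k in changed)})
    return out


def gate(plan: dict) -> int:
    """CI exit status: 0 clean, 1 policy violation, 2 drift present without a violation."""
    if policy_violations(plan):
        return 1
    if drift_findings(plan):
        return 2
    return 0


def main(argv: list[str]) -> int:
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    print("changes:", summarize_changes(plan))
    for v in policy_violations(plan):
        print("POLICY:", v)
    for d in drift_findings(plan):
        flag = "SENSITIVE " if d["sensitive"] else ""
        print(f"DRIFT: {flag}{d['address']} changed {d['changed']}")
    return gate(plan)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real plan with python check_plan.py tfplan.json after terraform show -json tfplan > tfplan.json. On the sample it reports one update, one replace and one no-op, fails the gate because the production database would be replaced, and flags the database security group drift as sensitive because its ingress rule was widened to 0.0.0.0/0 by hand; the extra tag on the bastion is reported as drift but not as a security finding. Scheduling the drift half against a refresh-only plan gives you the periodic comparison the control asks for, with the plan JSON itself as the evidence record.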
Evidence Your Auditor Will Request
- IaC repository with infrastructure definitions for all environments
- CI/CD pipeline for infrastructure changes with review and approval
- Environment comparison showing parity between staging and production
- Evidence of automated environment provisioning capability
- Infrastructure drift detection and remediation records
Common Mistakes
- Production infrastructure partially or fully managed manually (ClickOps)
- Significant differences between staging and production environments
- IaC exists but is out of sync with actual infrastructure (drift)
- Infrastructure state stored insecurely or without locking
- No ability to reproduce the production environment from code
Related Controls Across Frameworks
Frequently Asked Questions
Does 100% of infrastructure need to be in IaC?
Is using a cloud console for changes acceptable?