Service · Terraform / IaC

Stop clicking.
Start declaring.

Terraform and OpenTofu, done properly. We architect Infrastructure as Code that is modular, reviewable, and drift-resistant, then hand it to your team with the runbooks to keep it that way.

Terraform, end to end.

01

Greenfield IaC Architecture

Starting fresh, or carving a clean estate out of a messy one. We design the repository layout, environment model, and conventions before a single resource is written.

  • Repo and directory structure that scales past ten environments
  • Remote backends, state layout, and bootstrap from day one
  • Provider version pinning and dependency lock files
  • Naming and tagging conventions your team can follow without a wiki
03

State Management

State is where Terraform projects live or die. We make yours remote, locked, segmented, and boring.

  • Remote state on S3, GCS, or Azure with locking (DynamoDB, native)
  • State segmentation so a plan never re-reads the whole estate
  • Workspaces and directory-per-environment patterns done right
  • Scheduled drift detection wired into CI and alerting
04

Refactoring & Importing Click-Ops

Brittle, hand-built infrastructure brought under code without a weekend of downtime. We import, reconcile, and refactor in reviewable steps.

  • Import of existing console-built resources into state
  • moved blocks and refactors that produce zero-diff plans
  • Breaking up monolithic state files safely
  • Untangling copy-pasted HCL into shared modules
05

Multi-Account & Multi-Cloud Structure

Landing zones and account topologies that keep blast radius small and billing legible across AWS, GCP, and Azure.

  • Account and project factories with guardrails baked in
  • Provider aliasing and cross-account assume-role patterns
  • Environment isolation for prod, staging, and sandbox
  • Tagging strategy that makes cost allocation possible
06

Policy-as-Code & CI Integration

Every change proposed as a plan, reviewed in a pull request, and checked by policy before it can apply. No more apply-from-laptop surprises.

  • OPA/Conftest or Sentinel guardrails in the pipeline
  • Plan and apply automation in GitHub Actions, GitLab CI, or Atlantis
  • Cost estimation and security scanning on every plan
  • OIDC-federated credentials, no long-lived cloud keys

The licensing question, answered straight.

In August 2023, HashiCorp relicensed Terraform from the MPL open-source license to the Business Source License (BSL 1.1). The BSL is source-available, not open source: you can still read and run the code, but you cannot build a competing commercial product on it. For the vast majority of teams simply using Terraform to manage their own infrastructure, nothing about day-to-day work changed — and that is the honest headline.

The response was OpenTofu, a fork of the last MPL-licensed Terraform, now stewarded by the Linux Foundation. OpenTofu stays open source, tracks the HCL language closely, and is a near drop-in replacement for most workflows, with some genuinely useful features of its own such as state encryption and early variable evaluation. It is not a perfect mirror, and much of the provider and module ecosystem still centers on the Terraform registry, so a migration is a real decision rather than a rename.

We do not hold a religious position here. If you are an enterprise with a Terraform Cloud contract and Sentinel policies, staying put is often the right call. If you are wary of vendor lock-in or need everything under an OSI-approved license, OpenTofu is a strong, stable choice. What matters is that you decide deliberately, with a written rationale, rather than drifting into one by accident. We lay out the trade-offs for your specific situation and support whichever you pick.

When a migration is the answer, we treat it as an engineering project, not a find-and-replace. That means pinning your current version, standing up the new binary in CI alongside the old one, running plans through both to prove they agree, and cutting over environment by environment behind feature branches. The same discipline applies to the migrations we run most often: lifting a click-ops estate into code, moving local state to a locked remote backend, or upgrading across major provider versions. Every step produces a reviewable plan, and there is always a way back.

The moment Terraform stops scaling.

Terraform is easy to start and hard to keep clean. Most teams reach us at one of a handful of familiar breaking points:

  • A single four-thousand-line state file that everyone is scared to touch, where one plan re-reads the entire estate.
  • Copy-pasted HCL across ten repositories, so every change has to be made ten times and one copy always gets missed.
  • Drift: the console and the code disagree, nobody knows which is right, and apply has become a gamble.
  • A cloud footprint built by hand over three years that finally needs to come under version control.
  • A new platform, fintech compliance requirement, or SOC 2 audit that demands every infrastructure change be reviewed and logged.
  • The engineers who wrote the original modules have left, and the ones who remain treat Terraform as read-only.

If any of those sound like your week, that is exactly the work we do. Infrastructure as Code is the backbone of modern DevOps practice, and getting it right unlocks everything downstream, from safe deploys to predictable cloud spend.

the shape of an engagement
typical durationmodule & CI cleanup 3–5 weeks · greenfield multi-account platform 8–14 weeks
engagement modelsstrategic advisory · project delivery · managed devops & sre
what you get in writingmodule docs, state topology diagrams, runbooks, and pairing sessions with your engineers
tooling stanceTerraform or OpenTofu, your CI, your cloud — changes ship with a migration plan, never rip-and-replace

Senior hands, no hand-waving.

You get engineers who have run Terraform at scale in production, not a slide deck. We write code you would be happy to inherit: small modules, clear interfaces, tests where they earn their keep, and documentation that lives close to the code. Everything ships in pull requests your team reviews, so knowledge transfers as we go rather than in a rushed handover on the last day.

We are also honest about scope. If your problem is really a cloud cost problem or a reliability problem wearing a Terraform costume, we will say so and point you at the right work — whether that is our cloud and FinOps practice, our SRE team, or a broader DevOps engagement. The goal is a durable IaC estate your team owns, not a standing dependency on us.

Common questions.

Should we use Terraform or OpenTofu?

It depends on your risk tolerance and licensing posture, not on syntax, since the HCL is nearly identical. In 2023 HashiCorp moved Terraform to the Business Source License, which is source-available rather than open source. OpenTofu is the MPL-licensed Linux Foundation fork that stayed open and is a near drop-in replacement. We lay out the trade-offs for your situation and support whichever you choose.

Can you fix Terraform state that is already a mess?

Yes. Broken or drifted state is one of the most common reasons teams call us. We import click-ops resources, split oversized state files, move state to remote backends with locking, reconcile drift, and add guardrails so it does not happen again.

Will you rewrite our code or work with what we have?

We work with what you have. If your modules are sound we refactor incrementally behind a plan you approve. We recommend a larger rewrite only when the existing code actively blocks you, and even then we migrate in small reviewable stages, never a big-bang rip-and-replace.

How long does a Terraform engagement take?

It depends on scope. A focused module and CI cleanup is usually 3 to 5 weeks. A greenfield multi-account platform with policy-as-code and remote state runs 8 to 14 weeks. We scope honestly and give you a timeline before any work starts.

Do you set up policy-as-code and drift detection?

Yes. We wire policy-as-code with OPA or Sentinel into your pipeline so risky plans fail before they apply, and we add scheduled drift detection so your real infrastructure never quietly diverges from code. Both are standard parts of how we hand over a durable estate.

Ready to get your infrastructure under code?

Book a free 30-minute IaC review. We'll look at your modules, your state, and your pipeline, and tell you honestly what's worth fixing first.

Get Your IaC Review

See also: DevOps Engineering · Cloud Consulting & FinOps · Site Reliability Engineering

Learn more: What is DevOps? · 3 K8s Migration Mistakes