https://allenz.net/tags/infrastructure-as-code/Recent content in Infrastructure as Code on Allen ZiegenfusHugoen-usSat, 23 May 2026 00:00:00 +0000https://allenz.net/writing/when-go-templates-outgrow-you-a-typed-language-alternative-for-crossplane-compositions/Sat, 23 May 2026 00:00:00 +0000https://allenz.net/writing/when-go-templates-outgrow-you-a-typed-language-alternative-for-crossplane-compositions/When Crossplane’s Go-template compositions outgrow you — no types, no tests, global scope — KCL offers a typed, testable alternative. The multi-step pipeline architecture, and the bugs only end-to-end validation catches.https://allenz.net/writing/test-your-guardrails-policy-as-code-that-you-actually-verify/Mon, 11 May 2026 00:00:00 +0000https://allenz.net/writing/test-your-guardrails-policy-as-code-that-you-actually-verify/Policy-as-code that’s never tested usually fails open — it waves violations through and no one notices. How to test guardrails so they both deny when they must and pass when they must.https://allenz.net/writing/the-admin-stack-that-manages-itself-bootstrapping-a-self-hosted-iac-control-plane/Tue, 05 May 2026 00:00:00 +0000https://allenz.net/writing/the-admin-stack-that-manages-itself-bootstrapping-a-self-hosted-iac-control-plane/If your IaC orchestrator is itself configured as code, you need an admin stack that provisions every stack — including itself. The elegant pattern, and the two bootstrap problems no amount of declarative code removes.https://allenz.net/writing/when-terraform-owns-a-shared-resource-as-if-it-were-dedicated/Mon, 04 May 2026 00:00:00 +0000https://allenz.net/writing/when-terraform-owns-a-shared-resource-as-if-it-were-dedicated/When a per-cluster Terraform module owns a project-global, shared resource, tearing down one cluster quietly breaks the others. Why resources with different lifecycles can’t share state — and the bootstrap-module fix.https://allenz.net/writing/tearing-down-a-managed-kubernetes-deployment-without-leaving-a-tail/Tue, 28 Apr 2026 00:00:00 +0000https://allenz.net/writing/tearing-down-a-managed-kubernetes-deployment-without-leaving-a-tail/A field guide to deleting a GKE or EKS deployment cleanly when the cluster, the in-cluster GitOps/Crossplane layer, and Terraform all disagree about who owns cleanup — orphans, deletion order, and the stuck cases.https://allenz.net/writing/applying-terraform-from-ci-is-a-stateful-problem-wearing-a-stateless-tool/Sat, 25 Apr 2026 00:00:00 +0000https://allenz.net/writing/applying-terraform-from-ci-is-a-stateful-problem-wearing-a-stateless-tool/GitHub Actions is a near-perfect stateless task runner — and a poor fit for applying Terraform, which is stateful, collaborative, and approval-gated. The practical case, from running it both ways.https://allenz.net/writing/the-crossplane-object-that-synced-green-and-changed-nothing/Wed, 15 Apr 2026 00:00:00 +0000https://allenz.net/writing/the-crossplane-object-that-synced-green-and-changed-nothing/Everything’s green — Argo CD Synced, Crossplane Ready — but the change never took effect. The trap where Crossplane management policies without Update meet Kubernetes immutability.https://allenz.net/writing/a-clone-and-go-installer-gcp-cloud-shell-tutorials--infrastructure-manager/Thu, 19 Mar 2026 00:00:00 +0000https://allenz.net/writing/a-clone-and-go-installer-gcp-cloud-shell-tutorials--infrastructure-manager/Turning a many-step platform install — APIs, IAM, Terraform, state, secrets — into a browser-only, guided, clone-and-go onboarding with GCP Cloud Shell tutorials and Infrastructure Manager.