CI/CD Pipeline Patterns for Infrastructure Repositories
GitOps workflows, plan/apply gates, and policy checks that keep infrastructure delivery fast and safe.
- cicd
- gitops
- devops
Infrastructure repositories deserve the same rigor as application code — but the blast radius of a bad merge is higher. These patterns reduce risk without slowing teams down.
Plan on every pull request
Tools like Atlantis or GitHub Actions should run terraform plan (or equivalent) on every PR and post the diff as a comment, so reviewers see exactly what will change before approval. Two caveats: the plan step executes provider and module code from the PR, so run it with read-only credentials and give pull requests from forks no credentials at all; and plan output prints every attribute value except those marked sensitive, so mark secrets sensitive before they end up in a comment thread. Write the plan to a file (-out) so that what gets applied is a plan that was produced and checked, never a fresh one computed at apply time.
Separate plan and apply
Never auto-apply from a feature branch. Use protected branches, a separate credential per environment (ideally short-lived, obtained through OIDC federation rather than stored as long-lived keys in CI variables), and a manual approval gate in front of production:
- PR → plan + policy checks
- Merge to main → apply to staging
- Tagged release → apply to production
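As an added example, not part of the original post, the three gates above as a GitHub Actions workflow. The repository layout (one root module per environment under envs/), the IAM role ARNs, the region, and conftest being on the runner's PATH are assumptions.

```yaml
name: infrastructure

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
    tags: ['v*']

# Least privilege for the GITHUB_TOKEN. id-token lets each job mint a short-lived
# cloud credential over OIDC instead of reading long-lived keys from secrets.
permissions:
  contents: read
  pull-requests: write
  id-token: write

env:
  TF_IN_AUTOMATION: "true"
  AWS_REGION: eu-west-1            # assumption

jobs:
  plan:
    # PR -> plan + policy checks. Uses pull_request, never pull_request_target:
    # for PRs from forks GitHub withholds the OIDC token, so untrusted code
    # cannot reach cloud credentials and this job simply fails at credential setup.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        env: [staging, production]
    defaults:
      run:
        working-directory: envs/${{ matrix.env }}   # assumption: one root module per env
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false   # the wrapper interferes with redirecting JSON output
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/tf-plan-readonly   # assumption: read-only role
          aws-region: ${{ env.AWS_REGION }}
      - run: terraform init -input=false -lockfile=readonly   # fail if the lock file would change
      - run: terraform plan -input=false -out=tfplan
      - run: terraform show -json tfplan > plan.json
      # Policy runs against the plan JSON, so resources created inside modules are covered too.
      - run: conftest test plan.json --policy ../../policy/   # assumption: conftest installed
      - name: Post the plan as a PR comment
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          terraform show -no-color tfplan > plan.txt
          gh pr comment "${{ github.event.pull_request.number }}" --body-file plan.txt

  apply-staging:
    # Merge to main -> apply to staging, with staging-only credentials.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: staging
    defaults:
      run:
        working-directory: envs/staging
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/tf-apply-staging   # assumption
          aws-region: ${{ env.AWS_REGION }}
      - run: terraform init -input=false -lockfile=readonly
      - run: terraform plan -input=false -out=tfplan
      - run: terraform apply -input=false tfplan   # applies exactly the plan file just produced

  apply-production:
    # Tagged release -> apply to production. The environment carries the approval gate.
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
    runs-on: ubuntu-latest
    environment: production
    defaults:
      run:
        working-directory: envs/production
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/tf-apply-production   # assumption
          aws-region: ${{ env.AWS_REGION }}
      - run: terraform init -input=false -lockfile=readonly
      - run: terraform plan -input=false -out=tfplan
      - run: terraform apply -input=false tfplan
```

Two controls live outside this file and the workflow is only as strong as they are: the production environment needs required reviewers configured in the repository settings, and the v* tags need a tag protection rule, otherwise anyone who can push a tag can deploy to production. Each apply job plans and applies in the same job with the same credentials, so the plan file it applies is the one it just produced, and the read-only plan role used on PRs can never apply anything.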
Policy as code
Integrate OPA, Conftest, or native cloud policy engines and evaluate them against the JSON plan (terraform show -json), so resources created inside modules are covered, to block:
- Public S3 buckets (public ACLs, or a public-access block with any guard switched off)
- Overly permissive security groups (ingress from 0.0.0.0/0 or ::/0 on administrative ports, or on every port)
- Missing required tags
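As an added example, not from the original post, the three checks above written in plain Python over the JSON that terraform show -json produces. In a real pipeline you would normally express these as Rego rules for Conftest; the Python version is here because it makes the plan structure and the decision logic explicit. The required tag set, the sensitive ports, and the sample plan are constructed for the example.

```python
"""Policy checks over a Terraform plan exported with `terraform show -json tfplan`."""
import json
import sys

REQUIRED_TAGS = {"owner", "cost-center"}          # assumption: your org's tagging policy
SENSITIVE_PORTS = {22, 3389}                      # SSH and RDP must never face the internet
ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
BLOCK_FLAGS = ("block_public_acls", "block_public_policy",
               "ignore_public_acls", "restrict_public_buckets")


def _planned(rc):
    """True for resources the plan creates or updates; deletes have no 'after' to inspect."""
    return bool({"create", "update"} & set(rc["change"]["actions"]))


def _ingress_rules(rc, after):
    """Yield (from_port, to_port, protocol, cidrs) for inline and standalone ingress rules."""
    if rc["type"] == "aws_security_group":
        rules = after.get("ingress") or []
    elif rc["type"] == "aws_security_group_rule" and after.get("type") == "ingress":
        rules = [after]
    else:
        return
    for r in rules:
        cidrs = (r.get("cidr_blocks") or []) + (r.get("ipv6_cidr_blocks") or [])
        yield r["from_port"], r["to_port"], str(r["protocol"]), cidrs


def _world_open(from_port, to_port, protocol, cidrs):
    """A rule violates policy if it is reachable from anywhere on a sensitive port or every port."""
    if not ANYWHERE & set(cidrs):
        return False
    if protocol == "-1" or (from_port == 0 and to_port == 65535):
        return True
    return any(from_port <= p <= to_port for p in SENSITIVE_PORTS)


def check_plan(plan):
    """Return human-readable violations; an empty list means the plan passes policy."""
    violations = []
    for rc in plan.get("resource_changes", []):
        if not _planned(rc):
            continue
        after = rc["change"].get("after") or {}
        addr = rc["address"]
        # 1. Public S3 buckets: a public ACL, or a public-access block with any guard off
        if rc["type"] == "aws_s3_bucket_acl" and after.get("acl") in PUBLIC_ACLS:
            violations.append(f"{addr}: ACL '{after['acl']}' makes the bucket public")
        if rc["type"] == "aws_s3_bucket_public_access_block":
            for flag in BLOCK_FLAGS:
                if after.get(flag) is not True:
                    violations.append(f"{addr}: {flag} must be true")
        # 2. Overly permissive security groups
        for rule in _ingress_rules(rc, after):
            if _world_open(*rule):
                violations.append(f"{addr}: ingress {rule[0]}-{rule[1]}/{rule[2]} is open to the world")
        # 3. Required tags, checked only on resources that carry a tags attribute
        if "tags" in after:
            tags = after.get("tags_all") or after.get("tags") or {}
            missing = sorted(REQUIRED_TAGS - set(tags))
            if missing:
                violations.append(f"{addr}: missing required tags {missing}")
    return violations


# Constructed sample plan, trimmed to the fields the checks read.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
         "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
        {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["create"], "after": {
             "block_public_acls": True, "block_public_policy": True,
             "ignore_public_acls": True, "restrict_public_buckets": False}}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["update"], "after": {
             "tags": {"owner": "platform", "cost-center": "42"},
             "ingress": [
                 {"from_port": 22, "to_port": 22, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
                 {"from_port": 443, "to_port": 443, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {"tags": {"owner": "web-team"}}}},
        {"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
         "change": {"actions": ["delete"], "after": None}},
    ],
}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = check_plan(plan)
    print("\n".join(findings) or "no policy violations")
    sys.exit(1 if findings else 0)
```

Run it as `python check_plan.py plan.json` after `terraform show -json tfplan > plan.json`; a non-zero exit fails the PR job. Note that the tag check deliberately keys on the presence of a tags attribute rather than a list of taggable types, so a new resource type is checked the day it appears in a plan, and that the 443 rule in the sample passes because the policy only forbids world-reachable administrative ports and all-port rules.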
Secrets and supply chain
- Fetch secrets from Vault or cloud secret managers at runtime, and prefer short-lived credentials obtained through OIDC federation over long-lived keys stored as CI variables
- Pin provider and module versions: commit .terraform.lock.hcl, run terraform init -lockfile=readonly in CI so an unexpected provider upgrade fails the build, and pin git-sourced modules to a commit rather than a branch or tag name that can move
- Generate SBOMs for container images in the pipeline and keep them with the image, so a vulnerable component can be traced back to the build that shipped it
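As an added example, not from the original post, a small CI check for the pinning bullet above: it scans Terraform source for registry modules without an exact version, git modules whose ref is missing or is a movable name, and required_providers entries with no version constraint. It uses regular expressions over terraform fmt'd code rather than a real HCL parser, and the sample source is constructed for the example.

```python
"""Check that module sources and providers in Terraform code are pinned."""
import re

MODULE_BLOCK = re.compile(r'^module\s+"(?P<name>[^"]+)"\s*\{(?P<body>.*?)^\}', re.M | re.S)
PROVIDER_ENTRY = re.compile(r"(?P<name>\w+)\s*=\s*\{(?P<body>[^{}]*)\}")  # entries in required_providers
EXACT_VERSION = re.compile(r"^=?\s*\d+\.\d+\.\d+$")
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def _attr(body, key):
    """Value of a quoted `key = "..."` attribute inside a block body, or None."""
    m = re.search(rf'^\s*{key}\s*=\s*"([^"]*)"', body, re.M)
    return m.group(1) if m else None


def _is_git_source(source):
    return source.startswith(("git::", "github.com/", "git@"))


def check_pins(hcl_text):
    """Return findings for unpinned modules and providers; an empty list means all are pinned."""
    findings = []
    for m in MODULE_BLOCK.finditer(hcl_text):
        name, body = m.group("name"), m.group("body")
        source = _attr(body, "source")
        if source is None or source.startswith(("./", "../", "/")):
            continue                                   # local modules live in this repo
        if _is_git_source(source):
            ref = re.search(r"[?&]ref=([^&]+)", source)
            if ref is None:
                findings.append(f'module "{name}": git source has no ?ref=, so it tracks the default branch')
            elif not COMMIT_SHA.match(ref.group(1)):
                findings.append(f'module "{name}": ref "{ref.group(1)}" can move; pin a commit SHA')
        else:
            version = _attr(body, "version")
            if version is None:
                findings.append(f'module "{name}": registry module has no version, so it floats to latest')
            elif not EXACT_VERSION.match(version):
                findings.append(f'module "{name}": version "{version}" is a range, not an exact pin')
    for m in PROVIDER_ENTRY.finditer(hcl_text):
        body = m.group("body")
        if _attr(body, "source") is None:
            continue                                   # a map attribute, not a provider entry
        if _attr(body, "version") is None:
            findings.append(f'provider "{m.group("name")}": no version constraint')
    return findings


# Constructed sample: one compliant and one non-compliant case of each kind.
SAMPLE_TF = '''
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.40"
    }
    random = {
      source = "hashicorp/random"
    }
  }
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.8.1"
}

module "eks" {
  source = "terraform-aws-modules/eks/aws"
}

module "kms" {
  source = "git::https://github.com/example/tf-kms.git?ref=main"
}

module "logging" {
  source = "git::https://github.com/example/tf-logging.git?ref=0123456789abcdef0123456789abcdef01234567"
}

module "local" {
  source = "./modules/local"
}
'''

if __name__ == "__main__":
    for finding in check_pins(SAMPLE_TF):
        print(finding)
```

Providers are allowed a constraint such as ~> 5.40 because the exact provider build is pinned by the committed .terraform.lock.hcl, which terraform init -lockfile=readonly refuses to change; modules have no lock file, so they must be pinned in source. Run the check over `cat *.tf` in the plan job before terraform init.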
Summary
Fast infrastructure delivery is a function of automation + guardrails. Invest in both early; retrofitting compliance after a production incident is always more expensive.