Infrastructure as Code With AI
TL;DR
- AI is good at generating Terraform, Pulumi, and Ansible for standard patterns: VPCs, EC2, S3, Kubernetes, etc.
- AI doesn't know your cost constraints, compliance requirements, or existing infra. You have to align output with reality.
- Use AI for boilerplate. You own modules, state, and "is this the right way to do it?"
Infra-as-code is highly structured. AI loves that. It also loves to give you the "default" config — which might not be your default.
Where AI Helps
Standard Resource Creation
Prompt: "Create Terraform for an EKS cluster with 3 node groups."
What you get: Valid, often working Terraform. Correct provider syntax. Reasonable defaults.
What you adjust: Region, instance types, networking (do you have an existing VPC?), tags for cost allocation, and "do we need a public endpoint?"
Repetitive Patterns
Prompt: "Create an S3 bucket with versioning and encryption."
Output: Standard pattern. Block public access. Maybe lifecycle rules.
What you add: Bucket naming (org convention), logging destination, replication if multi-region. AI doesn't know your org.
Patching and Updates
Prompt: "Add an IAM role for this Lambda to access DynamoDB."
Output: Policy, attachment, correct ARN format.
Caveat: Does the role already exist? Are you following least-privilege? AI will give you a solution. You decide if it's the right solution.
Where AI Falls Short
Cost and Optimization
- "Use m5.large for the worker nodes." Maybe. Are you cost-conscious? Do you have reserved capacity? Spot instances? AI suggests common choices, not optimized ones.
- "Create 5 read replicas." Do you need 5? What's your read ratio? AI doesn't know your workload.
Security and Compliance
- Encryption at rest: AI will add it. Will it use your KMS key? Your key policy? Compliance might require a specific configuration. AI gives you the generic one.
- Network segmentation: AI can create subnets. It doesn't know your security zones, PCI scope, or "these two things must never talk."
State and Module Structure
- AI writes resources. It doesn't know your Terraform state layout, remote backend, or whether this should be a module or inline.
- You own: workspaces, backend config, and "how does this fit our existing 200 modules?"
Provider Versions and Drift
- Terraform provider versions change. AI might use syntax from an older provider. Always check compatibility.
- AI doesn't run terraform plan. It doesn't see drift. You do.
How to Use AI for IaC
- Generate, then adapt. Get the structure from AI. Then: fix regions, instance types, tags, and security settings to match your standards.
- Never paste secrets or real ARNs. Use placeholders. AI doesn't need your prod account ID.
- Always run plan. AI code can be syntactically valid and logically wrong. Terraform plan is your sanity check.
- Own the modules. If you have internal modules, AI won't know them. Use AI for net-new, standard resources. You wire into your module system.
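One way to make the "always run plan" step mechanical, as an added example that is not part of the original page: a small Python linter over the JSON form of a saved plan (terraform show -json plan.out) that flags the adjustments the Quick Check below calls out on the generated EKS cluster (missing cost-allocation tags, a public API endpoint, no KMS encryption config). The plan documents are constructed inline, and the required tag names are an assumed org convention.

```python
"""Lint a `terraform show -json plan.out` document for the hand fixes this page
lists before applying AI-generated IaC: cost-allocation tags, a private EKS API
endpoint, and KMS encryption of cluster secrets. Plans below are constructed."""
REQUIRED_TAGS = {"CostCenter", "Owner"}  # assumed org tagging standard

def check_plan(plan: dict) -> list[str]:
    """Return one finding per violated rule; an empty list means clean."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if not {"create", "update"} & set(change["actions"]):
            continue  # no-op or delete: nothing new reaches the account
        after = change.get("after") or {}
        addr = rc["address"]
        # Rule 1: taggable resources carry the org's cost-allocation tags
        if "tags" in after:
            missing = REQUIRED_TAGS - set(after.get("tags") or {})
            if missing:
                findings.append(f"{addr}: missing tags {sorted(missing)}")
        if rc["type"] == "aws_eks_cluster":
            # Rule 2: the provider default leaves the API endpoint public
            for vc in after.get("vpc_config") or []:
                if vc.get("endpoint_public_access") is not False:
                    findings.append(f"{addr}: public API endpoint not disabled")
            # Rule 3: secrets must be encrypted with a customer-managed KMS key
            if not after.get("encryption_config"):
                findings.append(f"{addr}: no encryption_config (KMS key) set")
    return findings

def eks_plan(after: dict) -> dict:
    """Constructed stand-in for terraform's JSON plan with one EKS create."""
    return {"format_version": "1.2", "resource_changes": [{
        "address": "aws_eks_cluster.main", "type": "aws_eks_cluster",
        "change": {"actions": ["create"], "after": after}}]}

# What the Quick Check's generated resource plans to: provider defaults.
AI_DEFAULT_PLAN = eks_plan({
    "name": "my-cluster", "tags": None, "encryption_config": [],
    "vpc_config": [{"endpoint_public_access": True, "subnet_ids": ["subnet-EXAMPLE"]}]})

# The same resource after the adjustments the page calls for.
ADJUSTED_PLAN = eks_plan({
    "name": "my-cluster", "tags": {"CostCenter": "platform", "Owner": "sre"},
    "encryption_config": [{"resources": ["secrets"], "provider": [
        {"key_arn": "arn:aws:kms:REGION:ACCOUNT_PLACEHOLDER:key/EXAMPLE"}]}],
    "vpc_config": [{"endpoint_public_access": False, "subnet_ids": ["subnet-EXAMPLE"]}]})

if __name__ == "__main__":
    for label, plan in (("ai-default", AI_DEFAULT_PLAN), ("adjusted", ADJUSTED_PLAN)):
        print(label, check_plan(plan) or "clean")
```

Run it against a real plan by loading the JSON file into a dict and passing it to check_plan; a non-empty result is the list of things to fix before apply.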
Quick Check
AI generates valid Terraform for an EKS cluster. What must you do before applying?
# AI outputs something like this. You then:
# - Change region to your primary
# - Replace instance types with your cost-optimized choices
# - Add tags for cost allocation
# - Wire into your existing VPC (AI used a generic one)
resource "aws_eks_cluster" "main" {
  name     = "my-cluster"
  role_arn = aws_iam_role.eks.arn
  vpc_config {
    subnet_ids = var.subnet_ids # You add: our actual subnet IDs
  }
}
Do This Next
- Generate one Terraform resource (or Pulumi/Ansible equivalent) with AI. Run plan. What would you change before applying?
- Document one "AI doesn't know" constraint for your infra — compliance, cost, or org rule. Keep it handy for future prompts.