Skip to main content

Configuration as Code

Configuration as Code manages settings in version-controlled, machine-readable files reviewed and deployed like application code. It removes environment drift, makes every change auditable, and lets teams recreate known-good configuration on demand.

Organization
ThoughtWorks
Published
Jan 1, 2016

Best Practice: Configuration as Code

Configuration as Code is the practice of defining application, system, and pipeline configuration in version-controlled, machine-readable files rather than setting it by hand or storing it in opaque consoles. Configuration changes are then reviewed, tested, and deployed with the same rigor as application code. A close relative of infrastructure as code, the technique removes drift between environments, makes every change auditable, and lets you recreate a known-good configuration on demand. For leaders, it brings transparency and control to a category of change that often causes outages.

Step-by-Step Implementation Guidance

  1. Externalize configuration from code into dedicated, versioned files.
  2. Store configuration in version control so every change is tracked and reviewable.
  3. Separate config by environment while sharing a common, parameterized structure.
  4. Validate configuration automatically with schema checks and linting in CI.
  5. Manage secrets separately in a secret store, never in plain config files.
  6. Deploy configuration through the pipeline so changes are tested and promoted, not hand-applied.
  7. Audit and roll back configuration using version history.

Common Mistakes Teams Make When Ignoring This Practice

  • Editing configuration directly in production consoles, creating untracked drift.
  • Hard-coding secrets in configuration files instead of a secret store.
  • Duplicating full config per environment rather than parameterizing shared structure.
  • Skipping validation, so a malformed config reaches production undetected.
  • Applying config changes by hand outside the pipeline, losing auditability.

Tools and Techniques That Support This Practice

  • Formats/tools: YAML, JSON, and HCL with templating via Helm, Kustomize, or Jsonnet.
  • Management: Ansible, Chef, and Puppet for system configuration.
  • Secrets: HashiCorp Vault, AWS Secrets Manager, and Sealed Secrets.
  • Validation: JSON Schema, conftest/OPA, and yamllint in CI.

How This Practice Applies to Different Migration Types

  • Cloud Migration: Define cloud service configuration as code so migrated environments are reproducible and drift-free.
  • Database Migration: Manage database parameters and connection settings as versioned config promoted through environments.
  • SaaS Migration: Capture SaaS tenant and integration settings as code for auditable, repeatable configuration.
  • Codebase Migration: Keep the migrated application's configuration in version control so behavior is consistent across environments.

Checklist

  • Configuration is externalized into versioned files.
  • All config changes are tracked in version control.
  • Environments share parameterized structure.
  • Configuration is validated automatically in CI.
  • Secrets live in a secret store, not config files.
  • Config is deployed and rolled back via the pipeline.

During modernization and migration work, configuration as code is most valuable when it is treated as a continuous discipline rather than a one-time setup. Teams that codify the practice, measure its outcomes, and review it regularly keep risk low and feedback fast as systems evolve. Start small with one team or service, prove the value with concrete metrics such as lead time and change failure rate, and then expand the practice across the portfolio. Pair it with the related practices in this library so that build, test, release, and operational concerns reinforce one another. Documenting decisions and automating enforcement makes the practice durable as people and priorities change, which is exactly what large, multi-team migrations demand to stay safe and predictable over time.