Infrastructure-as-Code Migration Readiness Checklist
A readiness checklist for bringing a manually managed cloud estate under IaC, gating on a clean zero-diff import, locked encrypted remote state, plan-on-PR CI, and a freeze on out-of-band console changes.
When to Use This Checklist
Use this when moving an existing, manually managed cloud estate under infrastructure-as-code (IaC). Many organizations grow a click-ops estate first and later need the reproducibility, review, and auditability that IaC provides. The tricky part is adopting IaC for resources that already exist and are serving traffic, without recreating or disrupting them.
This applies across Terraform, OpenTofu, Pulumi, CloudFormation, and Bicep, and to any cloud provider.
How to Use This Checklist
Start by inventorying what already exists, because you will import these resources rather than recreate them. Choose a tool and standardize module structure and naming before writing code at scale. Configure remote state with locking and encryption first; shared state without locking corrupts quickly.
The pivotal step is item five: import existing resources and iterate until plan shows zero changes. A clean plan is the proof that your code matches live reality and that an apply will not destroy anything. Then add CI with plan-on-PR, security scanning, and short-lived credentials, and freeze out-of-band console edits.
What Good Looks Like
A ready estate has a complete inventory, a chosen tool and module standard, and remote state with locking and encryption. Existing resources are imported and reconciled to a zero-diff plan, so applies are safe. A CI pipeline runs plan on every PR and apply on merge, with policy scanning and short-lived scoped credentials. Console changes to managed resources are frozen, environments are separated, and the team has been trained on the new flow.
Common Pitfalls
The most dangerous pitfall is applying IaC without importing first, which can destroy and recreate live resources. Shared remote state without locking leads to corrupt state and racey applies. Continuing to make console changes alongside IaC causes constant drift. Long-lived static credentials in CI are a serious security exposure. And attempting to convert the entire estate in one pass, rather than piloting on a low-risk group, multiplies the blast radius of mistakes.
Related Resources
Use Terraform module design patterns and the IaC security playbook for structure and safety, with pipeline-as-code and configuration-as-code for delivery. Secrets-management and least-privilege practices cover the CI credential model, and the migration guides help when changing IaC tools.