by vogtb 2663 days ago
Nice, that sounds ideal! I've always found it frustrating to use the AWS console for anything other than dashboards and one-off troubleshooting.

You don't ever have issues with teams not applying resource changes? I.e. contributor A adds a resource, but doesn't apply it, and then contributor B goes to apply their changes and sees unexpected resource changes that they potentially don't have the permission to create? I guess that would be as much of a cross-team problem as a technical one.

1 comments

Most of the Terraform changes are done by the infrastructure team which is currently 5 people. We're pretty diligent about making sure that whatever is in our master branch in the repo is what the source of truth is and what our environment should look like. If there's anything that looks off it gets caught by running a plan before applying and we quickly sync up and make sure to push the changes upstream or override them. For the smaller changes that are performed by other teams, they need a stamp of approval from someone in our infrastructure team and we make sure to be proactive about being available to not block them as well as making sure the changes are applied properly.

That being said, our current approach will definitely not scale well and that is why we're going to be looking into a CI/CD pipeline way of applying changes.

It's also worth noting that it took _a lot_ of effort to migrate everything into Terraform. The infrastructure team took the initiative to migrate everything in a zero-downtime way such that we wouldn't be affecting the application teams.