The IaC Trap:Terraform vs. Bicep – Which One Wins?

1
00:00:00,000 --> 00:00:01,380
The assumption is simple.

2
00:00:01,380 --> 00:00:03,600
Infrastructure as code makes you faster.

3
00:00:03,600 --> 00:00:05,400
Removes the guesswork eliminates drift.

4
00:00:05,400 --> 00:00:07,080
You adopt it because the alternative,

5
00:00:07,080 --> 00:00:08,960
clicking around in the Azure portal,

6
00:00:08,960 --> 00:00:10,640
manually documenting changes,

7
00:00:10,640 --> 00:00:13,920
hoping someone remembers why a resource was configured that way,

8
00:00:13,920 --> 00:00:16,040
is untenable at scale.

9
00:00:16,040 --> 00:00:19,000
And when you choose your tool, the choice feels obvious.

10
00:00:19,000 --> 00:00:20,960
Terraform sits there as the industry standard,

11
00:00:20,960 --> 00:00:22,720
Cloud Agnostic, 20,000 modules.

12
00:00:22,720 --> 00:00:24,000
If you want to support multi-cloud,

13
00:00:24,000 --> 00:00:26,080
you pick Terraform or you pick Bicep

14
00:00:26,080 --> 00:00:27,440
because it's native to Azure,

15
00:00:27,440 --> 00:00:29,440
built by Microsoft, integrated with ARM,

16
00:00:29,440 --> 00:00:31,320
day zero support for new services.

17
00:00:31,320 --> 00:00:33,360
But there's a layer beneath that choice

18
00:00:33,360 --> 00:00:35,600
that nobody talks about, a structural layer.

19
00:00:35,600 --> 00:00:37,800
Because the real trap isn't which tool you pick,

20
00:00:37,800 --> 00:00:40,720
it's the model behind the tool, the operational philosophy.

21
00:00:40,720 --> 00:00:42,680
The assumptions baked into how the tool

22
00:00:42,680 --> 00:00:44,000
thinks about infrastructure.

23
00:00:44,000 --> 00:00:46,320
One model says,

24
00:00:46,320 --> 00:00:49,680
you maintain an explicit record of what exists and who changed it.

25
00:00:49,680 --> 00:00:52,200
The other says, ask the cloud, what's there right now?

26
00:00:52,200 --> 00:00:54,480
Those models have profoundly different consequences.

27
00:00:54,480 --> 00:00:56,960
They create different costs, different security postures,

28
00:00:56,960 --> 00:00:59,520
different governance requirements, different skill needs.

29
00:00:59,520 --> 00:01:01,400
And most organizations choose their tool

30
00:01:01,400 --> 00:01:03,280
without ever examining the model underneath.

31
00:01:03,280 --> 00:01:04,560
This is where it breaks.

32
00:01:04,560 --> 00:01:07,280
The state file as a database, you didn't plan for.

33
00:01:07,280 --> 00:01:09,920
Terraform's state file is fundamentally a database.

34
00:01:09,920 --> 00:01:12,040
It records what Terraform believes exists

35
00:01:12,040 --> 00:01:13,320
in your Azure environment.

36
00:01:13,320 --> 00:01:16,280
Every resource ID, every configuration attribute,

37
00:01:16,280 --> 00:01:18,560
every dependency, when you run Terraform plan,

38
00:01:18,560 --> 00:01:20,840
Terraform is asking a very specific question.

39
00:01:20,840 --> 00:01:22,040
What's in my state file?

40
00:01:22,040 --> 00:01:24,840
And what do I need to change to match the code I've written?

41
00:01:24,840 --> 00:01:26,880
The state file is Terraform's memory.

42
00:01:26,880 --> 00:01:28,920
But here's the problem that nobody leads with

43
00:01:28,920 --> 00:01:30,920
when they're pitching infrastructure as code.

44
00:01:30,920 --> 00:01:32,600
That memory has to live somewhere.

45
00:01:32,600 --> 00:01:33,920
It can't just exist in your laptop.

46
00:01:33,920 --> 00:01:36,160
So you set up an Azure storage account to hold it.

47
00:01:36,160 --> 00:01:38,480
You enable blob versioning so you can recover

48
00:01:38,480 --> 00:01:39,880
if something breaks and you add a lock table

49
00:01:39,880 --> 00:01:41,920
in Azure Cosmos or blob storage leases

50
00:01:41,920 --> 00:01:44,280
so that when two people run Terraform simultaneously,

51
00:01:44,280 --> 00:01:45,800
they don't both try to apply changes

52
00:01:45,800 --> 00:01:47,720
at the same time and corrupt the file.

53
00:01:47,720 --> 00:01:49,320
You encrypt it, you restrict access,

54
00:01:49,320 --> 00:01:51,480
you set up backup and disaster recovery,

55
00:01:51,480 --> 00:01:54,040
you've built infrastructure to manage the infrastructure manager.

56
00:01:54,040 --> 00:01:56,160
And that infrastructure has operational overhead,

57
00:01:56,160 --> 00:01:59,040
it has cost, it has failure modes, it requires governance.

58
00:01:59,040 --> 00:02:01,000
Someone has to monitor the state backend,

59
00:02:01,000 --> 00:02:03,560
someone has to respond when blob locking fails,

60
00:02:03,560 --> 00:02:05,400
someone has to reconcile what's in the state file

61
00:02:05,400 --> 00:02:07,440
with what's actually deployed when they diverge,

62
00:02:07,440 --> 00:02:10,680
and they will diverge, the structural weight compounds.

63
00:02:10,680 --> 00:02:13,400
Add a second team and now you have a coordination problem.

64
00:02:13,400 --> 00:02:14,920
Do they share the same state file?

65
00:02:14,920 --> 00:02:17,160
If they do concurrent runs, create contention,

66
00:02:17,160 --> 00:02:19,640
if they don't, you have to figure out how to prevent them

67
00:02:19,640 --> 00:02:21,480
from stepping on each other's infrastructure.

68
00:02:21,480 --> 00:02:24,840
Add a second environment, dev, staging, production,

69
00:02:24,840 --> 00:02:27,200
and now you're managing three separate state files.

70
00:02:27,200 --> 00:02:29,760
Add disaster recovery and now you're managing state

71
00:02:29,760 --> 00:02:30,840
across regions.

72
00:02:30,840 --> 00:02:32,680
Add a second cloud provider and the complexity

73
00:02:32,680 --> 00:02:34,120
doesn't scale linearly.

74
00:02:34,120 --> 00:02:35,160
It multiplies.

75
00:02:35,160 --> 00:02:36,840
Every team member adds friction.

76
00:02:36,840 --> 00:02:38,760
Every environment adds another state file

77
00:02:38,760 --> 00:02:40,200
to secure and monitor.

78
00:02:40,200 --> 00:02:42,760
Every concurrent run is a potential point of corruption.

79
00:02:42,760 --> 00:02:45,080
This is operational debt in its purest form,

80
00:02:45,080 --> 00:02:47,000
not the kind that compounds slowly,

81
00:02:47,000 --> 00:02:49,160
the kind that grows exponentially with scale,

82
00:02:49,160 --> 00:02:51,080
the kind that forces you to hire,

83
00:02:51,080 --> 00:02:53,160
a platform engineering team just to manage

84
00:02:53,160 --> 00:02:54,960
the state management infrastructure.

85
00:02:54,960 --> 00:02:57,080
Most organizations don't see this cost clearly

86
00:02:57,080 --> 00:02:58,280
because it's diffused.

87
00:02:58,280 --> 00:02:59,120
It's not one incident.

88
00:02:59,120 --> 00:03:00,920
It's a thousand small operational burdens

89
00:03:00,920 --> 00:03:02,840
absorbed by the team that runs Terraform.

90
00:03:02,840 --> 00:03:04,560
Five minutes here to debug a state lock

91
00:03:04,560 --> 00:03:05,840
that didn't clear properly.

92
00:03:05,840 --> 00:03:07,920
An hour there to manually reconcile state

93
00:03:07,920 --> 00:03:10,360
after a network failure interrupted an apply.

94
00:03:10,360 --> 00:03:12,480
A planning conversation about how to partition state

95
00:03:12,480 --> 00:03:14,760
across teams without creating chaos.

96
00:03:14,760 --> 00:03:17,200
None of those moments feel expensive individually,

97
00:03:17,200 --> 00:03:18,800
but collectively, they're the reason

98
00:03:18,800 --> 00:03:21,440
that organizations with mature Terraform deployments

99
00:03:21,440 --> 00:03:23,640
often end up with a dedicated platform team

100
00:03:23,640 --> 00:03:25,720
managing the orchestration layer.

101
00:03:25,720 --> 00:03:29,400
This architecture choice creates a specific vulnerability.

102
00:03:29,400 --> 00:03:31,360
The plaintext secret problem,

103
00:03:31,360 --> 00:03:33,760
but operational burden isn't the only consequence

104
00:03:33,760 --> 00:03:34,680
of that architecture.

105
00:03:34,680 --> 00:03:36,520
There's a security consequence that's worse.

106
00:03:36,520 --> 00:03:39,000
The state file doesn't just record what resources exist.

107
00:03:39,000 --> 00:03:40,640
It records their configuration

108
00:03:40,640 --> 00:03:43,320
and that includes values you'd never want exposed.

109
00:03:43,320 --> 00:03:45,440
Database passwords, API keys,

110
00:03:45,440 --> 00:03:48,000
storage account connection strings, access tokens,

111
00:03:48,000 --> 00:03:50,800
private IP addresses that reveal your network topology,

112
00:03:50,800 --> 00:03:53,240
SSH keys, all of it gets stored in the state file

113
00:03:53,240 --> 00:03:54,760
because Terraform needs that information

114
00:03:54,760 --> 00:03:56,600
to know what's currently deployed.

115
00:03:56,600 --> 00:03:59,320
Research shows that 22% of leaked cloud credentials

116
00:03:59,320 --> 00:04:01,640
originated from improperly secured state files.

117
00:04:01,640 --> 00:04:03,440
That's not a rounding error, that's a pattern,

118
00:04:03,440 --> 00:04:04,640
that's enough to matter.

119
00:04:04,640 --> 00:04:06,040
Here's where the model breaks down.

120
00:04:06,040 --> 00:04:08,560
When you mark something as sensitive in your HCL code,

121
00:04:08,560 --> 00:04:10,320
when you tell Terraform, don't print this

122
00:04:10,320 --> 00:04:12,760
in the console output, Terraform obeys.

123
00:04:12,760 --> 00:04:14,440
It redacts the value from your terminal,

124
00:04:14,440 --> 00:04:16,760
but the state file, the state file still stores it

125
00:04:16,760 --> 00:04:19,200
in plaintext json because Terraform needs it there

126
00:04:19,200 --> 00:04:20,480
to manage the resource.

127
00:04:20,480 --> 00:04:22,640
The sensitivity flag is just a UI courtesy,

128
00:04:22,640 --> 00:04:25,160
not actual protection, so your state file

129
00:04:25,160 --> 00:04:28,240
becomes a complete architectural map plus the credentials

130
00:04:28,240 --> 00:04:29,240
to everything in it.

131
00:04:29,240 --> 00:04:31,360
If someone gains access to your storage account,

132
00:04:31,360 --> 00:04:33,520
they get both, they see exactly what you're running,

133
00:04:33,520 --> 00:04:35,560
they see the connection strings to connect to it,

134
00:04:35,560 --> 00:04:37,720
they understand your entire infrastructure topology

135
00:04:37,720 --> 00:04:38,800
and have the keys.

136
00:04:38,800 --> 00:04:40,520
That's not just a technical problem,

137
00:04:40,520 --> 00:04:42,840
that's a single point of catastrophic failure.

138
00:04:42,840 --> 00:04:46,760
Most organizations respond by encrypting the state file at rest.

139
00:04:46,760 --> 00:04:49,200
They enable storage service encryption on the blob container,

140
00:04:49,200 --> 00:04:51,760
they feel safer, but encryption at rest only works

141
00:04:51,760 --> 00:04:53,160
if access control works, and that's

142
00:04:53,160 --> 00:04:54,840
where teams consistently stumble.

143
00:04:54,840 --> 00:04:56,520
Access control is the real problem,

144
00:04:56,520 --> 00:04:59,160
because state backends often live in a shared infrastructure

145
00:04:59,160 --> 00:05:01,120
account, because our bag gets complicated

146
00:05:01,120 --> 00:05:02,520
when you have multiple teams.

147
00:05:02,520 --> 00:05:05,160
Because we need to be able to run Terraform becomes

148
00:05:05,160 --> 00:05:07,960
everyone with contributor access can read the state file.

149
00:05:07,960 --> 00:05:10,040
And everyone with contributor access often

150
00:05:10,040 --> 00:05:11,360
includes people who shouldn't be

151
00:05:11,360 --> 00:05:13,800
reading database passwords for production systems.

152
00:05:13,800 --> 00:05:16,040
Teams often treat state backends with less rigor

153
00:05:16,040 --> 00:05:17,840
than they treat production databases.

154
00:05:17,840 --> 00:05:20,120
A production database has restricted access.

155
00:05:20,120 --> 00:05:22,760
Its logged, changes are monitored, but the storage account

156
00:05:22,760 --> 00:05:24,760
holding your Terraform state, that's often just

157
00:05:24,760 --> 00:05:26,200
sitting there in the same resource group

158
00:05:26,200 --> 00:05:28,800
as everything else with standard as your access patterns.

159
00:05:28,800 --> 00:05:31,400
The moment in order to ask who can read your infrastructure

160
00:05:31,400 --> 00:05:33,600
ledger, the answer is usually uncomfortable,

161
00:05:33,600 --> 00:05:36,720
because the answer is more people than should be able to.

162
00:05:36,720 --> 00:05:38,480
This creates a second structural problem.

163
00:05:38,480 --> 00:05:40,520
Your security posture depends on access control

164
00:05:40,520 --> 00:05:42,320
that's either weak or becomes increasingly

165
00:05:42,320 --> 00:05:44,800
difficult to manage as your organization grows.

166
00:05:44,800 --> 00:05:47,440
You can add encryption, you can add private endpoints,

167
00:05:47,440 --> 00:05:50,240
you can add diagnostic logging, all of it is necessary.

168
00:05:50,240 --> 00:05:52,200
None of it solves the fundamental issue,

169
00:05:52,200 --> 00:05:54,440
which is that the state file is a high value asset

170
00:05:54,440 --> 00:05:56,960
that's harder to protect than most organizations assume.

171
00:05:56,960 --> 00:05:58,560
And compliance frameworks know this.

172
00:05:58,560 --> 00:06:02,440
Heeper, PCI DSS, Sox, they all care deeply about

173
00:06:02,440 --> 00:06:05,200
who can access infrastructure metadata and credentials.

174
00:06:05,200 --> 00:06:08,200
The state file is the crown jewel of infrastructure credentials.

175
00:06:08,200 --> 00:06:09,960
And it lives in a system that was designed

176
00:06:09,960 --> 00:06:13,360
for operational simplicity, not security compartmentalization.

177
00:06:13,360 --> 00:06:15,120
This security burden isn't inherent

178
00:06:15,120 --> 00:06:16,920
to infrastructure as code itself.

179
00:06:16,920 --> 00:06:18,800
It's inherent to maintaining an explicit

180
00:06:18,800 --> 00:06:21,600
persistent state file as your source of truth.

181
00:06:21,600 --> 00:06:23,240
The multi-cloud myth exposed.

182
00:06:23,240 --> 00:06:24,920
Here's what Terraform vendors tell you.

183
00:06:24,920 --> 00:06:27,560
Write your infrastructure once and deploy it anywhere.

184
00:06:27,560 --> 00:06:31,600
Azure, AWS, GCP, your code is portable, your skills are portable,

185
00:06:31,600 --> 00:06:33,760
your modules are portable, you build a marketplace

186
00:06:33,760 --> 00:06:36,480
of reusable components that work across every cloud.

187
00:06:36,480 --> 00:06:38,400
That's the pitch, the reality is different.

188
00:06:38,400 --> 00:06:40,600
Terraform is cloud agnostic, your code is not.

189
00:06:40,600 --> 00:06:42,240
When you write Terraform for Azure,

190
00:06:42,240 --> 00:06:45,280
you're defining virtual networks, your specifying key vaults,

191
00:06:45,280 --> 00:06:47,440
your writing rules for network security groups,

192
00:06:47,440 --> 00:06:50,280
your configuring managed identities and role assignments

193
00:06:50,280 --> 00:06:52,640
using Azure's specific RBAC model.

194
00:06:52,640 --> 00:06:54,600
Every line of your HCL is Azure specific

195
00:06:54,600 --> 00:06:56,680
because your infrastructure is Azure specific.

196
00:06:56,680 --> 00:06:59,000
Now suppose you want to move that workload to AWS,

197
00:06:59,000 --> 00:07:01,880
you don't change the provider tag from Azure Rm to AWS,

198
00:07:01,880 --> 00:07:03,280
you don't run a search and replace,

199
00:07:03,280 --> 00:07:04,920
you rewrite the entire architecture.

200
00:07:04,920 --> 00:07:08,200
A virtual network becomes a VPC with a different subnet model.

201
00:07:08,200 --> 00:07:10,200
A key vault becomes AWS secrets manager

202
00:07:10,200 --> 00:07:11,880
with different access patterns.

203
00:07:11,880 --> 00:07:13,880
The managed identity model is completely different.

204
00:07:13,880 --> 00:07:15,680
The security group syntax is different,

205
00:07:15,680 --> 00:07:17,240
the tagging strategy might be different,

206
00:07:17,240 --> 00:07:19,000
the availability zone logic is different,

207
00:07:19,000 --> 00:07:21,160
it's not portability, it's starting over.

208
00:07:21,160 --> 00:07:24,160
But here's what actually happens in practice.

209
00:07:24,160 --> 00:07:26,280
Organizations adopt Terraform because they want

210
00:07:26,280 --> 00:07:28,840
multi-cloud optionality, they want to avoid being locked

211
00:07:28,840 --> 00:07:31,240
into Azure, so they build and maintain Terraform code

212
00:07:31,240 --> 00:07:32,680
across multiple clouds.

213
00:07:32,680 --> 00:07:34,360
They hire engineers who know Terraform

214
00:07:34,360 --> 00:07:36,400
generically instead of Azure deeply.

215
00:07:36,400 --> 00:07:38,000
They create modules that are generic enough

216
00:07:38,000 --> 00:07:40,200
to work on both platforms, which usually means

217
00:07:40,200 --> 00:07:41,600
they're optimized for neither.

218
00:07:41,600 --> 00:07:43,240
They're maintaining a tool that prevents them

219
00:07:43,240 --> 00:07:45,120
from going deep on any single cloud.

220
00:07:45,120 --> 00:07:47,920
This trade-off becomes obvious when you look at feature velocity.

221
00:07:47,920 --> 00:07:50,000
Azure releases new services constantly,

222
00:07:50,000 --> 00:07:52,440
new AI capabilities, new networking patterns,

223
00:07:52,440 --> 00:07:53,440
new policy features.

224
00:07:53,440 --> 00:07:55,040
When you're writing native as your bicep,

225
00:07:55,040 --> 00:07:56,720
you can use those features on day one.

226
00:07:56,720 --> 00:07:58,360
Your code compiles directly to ARM,

227
00:07:58,360 --> 00:08:00,400
you're not waiting for anyone with Terraform,

228
00:08:00,400 --> 00:08:02,760
you're waiting for the community provider maintainers

229
00:08:02,760 --> 00:08:05,120
to expose the new feature in HCL.

230
00:08:05,120 --> 00:08:07,560
Sometimes that happens in weeks, sometimes it takes months.

231
00:08:07,560 --> 00:08:09,880
If the feature is niche or the maintainers are busy,

232
00:08:09,880 --> 00:08:11,320
it might not happen at all.

233
00:08:11,320 --> 00:08:12,720
You end up with two choices.

234
00:08:12,720 --> 00:08:15,400
Use the newer feature through raw ARM templates

235
00:08:15,400 --> 00:08:17,080
and lose the Terraform abstraction

236
00:08:17,080 --> 00:08:18,680
or don't use the feature at all.

237
00:08:18,680 --> 00:08:20,840
This creates a specific architectural problem.

238
00:08:20,840 --> 00:08:23,400
You're choosing tool consistency over platform speed.

239
00:08:23,400 --> 00:08:26,920
You're optimizing for, "I could theoretically move to AWS someday,

240
00:08:26,920 --> 00:08:29,680
instead of, "I can use everything Azure offers me today."

241
00:08:29,680 --> 00:08:32,440
Most organizations that start with multi-cloud ambitions

242
00:08:32,440 --> 00:08:35,280
eventually realize they're either Azure first or multi-cloud,

243
00:08:35,280 --> 00:08:36,080
not both.

244
00:08:36,080 --> 00:08:38,280
The ones that are Azure first end up presenting Terraform

245
00:08:38,280 --> 00:08:39,560
because it's holding them back.

246
00:08:39,560 --> 00:08:41,200
The ones that are actually multi-cloud

247
00:08:41,200 --> 00:08:43,160
end up maintaining cloud-specific modules

248
00:08:43,160 --> 00:08:45,960
within the same code base anyway, which defeats the purpose.

249
00:08:45,960 --> 00:08:47,200
The tools aren't the problem.

250
00:08:47,200 --> 00:08:48,440
The model is.

251
00:08:48,440 --> 00:08:50,440
When you pick Terraform, you're accepting

252
00:08:50,440 --> 00:08:53,080
that consistency across clouds matters more than depth

253
00:08:53,080 --> 00:08:54,240
on a single platform.

254
00:08:54,240 --> 00:08:57,440
When you pick bicep, you're accepting that you're all in on Azure.

255
00:08:57,440 --> 00:08:59,240
One trade-off isn't inherently better,

256
00:08:59,240 --> 00:09:01,760
but most organizations don't make that trade-off consciously.

257
00:09:01,760 --> 00:09:02,680
They drift into it.

258
00:09:02,680 --> 00:09:04,640
They pick Terraform for the multi-cloud story

259
00:09:04,640 --> 00:09:06,200
and then never leave Azure.

260
00:09:06,200 --> 00:09:10,360
This trade-off becomes visible when you examine feature velocity.

261
00:09:10,360 --> 00:09:14,080
The day zero gap when new features matter as your ships fast.

262
00:09:14,080 --> 00:09:17,720
The platform released 175 distinct services last year.

263
00:09:17,720 --> 00:09:19,520
That number includes substantial updates

264
00:09:19,520 --> 00:09:22,160
to existing services, new API versions,

265
00:09:22,160 --> 00:09:24,600
new capabilities, new resource types.

266
00:09:24,600 --> 00:09:26,320
On any given week, something changes.

267
00:09:26,320 --> 00:09:28,160
A new AI model becomes deployable.

268
00:09:28,160 --> 00:09:31,320
A new policy evaluation method, a new networking construct,

269
00:09:31,320 --> 00:09:32,760
a new compliance feature.

270
00:09:32,760 --> 00:09:34,760
When Azure ships something, it's available immediately.

271
00:09:34,760 --> 00:09:36,320
You can use it through the Azure CLI,

272
00:09:36,320 --> 00:09:37,600
you can use it through the portal,

273
00:09:37,600 --> 00:09:39,080
you can use it through ARM templates

274
00:09:39,080 --> 00:09:41,800
because ARM is the control plane that Azure uses internally.

275
00:09:41,800 --> 00:09:43,360
Bicep compiles directly to ARM,

276
00:09:43,360 --> 00:09:45,680
so bicep gets it immediately Terraform doesn't.

277
00:09:45,680 --> 00:09:48,080
Terraform's Azure R&M provider is community-driven.

278
00:09:48,080 --> 00:09:50,040
It's open source, it's maintained by engineers

279
00:09:50,040 --> 00:09:51,080
who volunteer their time.

280
00:09:51,080 --> 00:09:52,560
When a new Azure service ships,

281
00:09:52,560 --> 00:09:55,640
one of these maintainers has to notice, understand the API,

282
00:09:55,640 --> 00:09:58,320
write the Terraform resource definition, test it,

283
00:09:58,320 --> 00:10:00,760
and get it merged into the provider code base.

284
00:10:00,760 --> 00:10:03,200
Then a new version of the provider has to be released,

285
00:10:03,200 --> 00:10:05,200
then you have to update your local provider version

286
00:10:05,200 --> 00:10:06,800
to get access to the new resource.

287
00:10:06,800 --> 00:10:07,920
That process takes time.

288
00:10:07,920 --> 00:10:09,520
Sometimes weeks, sometimes months.

289
00:10:09,520 --> 00:10:12,000
For niche features, sometimes it never happens at all.

290
00:10:12,000 --> 00:10:13,640
Here's what this looks like in practice.

291
00:10:13,640 --> 00:10:15,880
Azure releases a new AI service endpoint.

292
00:10:15,880 --> 00:10:18,040
You want to wire it into your infrastructure.

293
00:10:18,040 --> 00:10:20,920
With bicep, you write the resource definition, compile, and deploy.

294
00:10:20,920 --> 00:10:21,600
It works.

295
00:10:21,600 --> 00:10:24,400
With Terraform, you check the Azure R&M provider documentation.

296
00:10:24,400 --> 00:10:25,880
The resource doesn't exist yet.

297
00:10:25,880 --> 00:10:26,840
You have two choices.

298
00:10:26,840 --> 00:10:28,600
Wait for the community to implement it

299
00:10:28,600 --> 00:10:30,520
or drop down into raw ARM templates

300
00:10:30,520 --> 00:10:31,920
and lose the Terraform abstraction.

301
00:10:31,920 --> 00:10:34,400
This isn't theoretical, this happens constantly.

302
00:10:34,400 --> 00:10:37,280
Regulated industries care about this more than most.

303
00:10:37,280 --> 00:10:39,280
Compliance features ship in Azure first.

304
00:10:39,280 --> 00:10:40,680
If you're running Terraform,

305
00:10:40,680 --> 00:10:42,840
you might not be able to deploy a new compliance control

306
00:10:42,840 --> 00:10:44,920
because the Terraform provider hasn't caught up.

307
00:10:44,920 --> 00:10:47,800
Your governance team needs a policy that Azure released last month.

308
00:10:47,800 --> 00:10:49,440
You can't use it through code.

309
00:10:49,440 --> 00:10:50,840
You either use it through the portal,

310
00:10:50,840 --> 00:10:53,720
which means it's not ISE anymore, or you wait.

311
00:10:53,720 --> 00:10:55,280
The irony is sharp.

312
00:10:55,280 --> 00:10:57,600
Bicep is accused of locking you into Azure.

313
00:10:57,600 --> 00:10:58,440
And it does.

314
00:10:58,440 --> 00:10:59,800
You can't use the bicep template to provision

315
00:10:59,800 --> 00:11:00,960
infrastructure in AWS.

316
00:11:00,960 --> 00:11:02,000
That's the trade-off.

317
00:11:02,000 --> 00:11:03,240
But the other side of that trade-off

318
00:11:03,240 --> 00:11:06,200
is that you get access to everything Azure offers immediately.

319
00:11:06,200 --> 00:11:09,240
Terraform is accused of being cloud-agnostic, which it is.

320
00:11:09,240 --> 00:11:11,200
But that agnosticism comes at a cost.

321
00:11:11,200 --> 00:11:12,280
You're not locked into Azure.

322
00:11:12,280 --> 00:11:14,320
You're locked into a slower version of Azure.

323
00:11:14,320 --> 00:11:16,920
An older feature set, a lagging API surface,

324
00:11:16,920 --> 00:11:19,320
which kind of lock-in is worse depends on your strategy.

325
00:11:19,320 --> 00:11:21,640
If your Azure only, the answer is obvious.

326
00:11:21,640 --> 00:11:23,800
Terraform's agnosticism buys you nothing.

327
00:11:23,800 --> 00:11:26,080
You're paying for a delay for an organization

328
00:11:26,080 --> 00:11:28,480
that's committed to Azure as its primary platform

329
00:11:28,480 --> 00:11:30,000
that delay is pure cost.

330
00:11:30,000 --> 00:11:31,960
Features ship, you can't use them.

331
00:11:31,960 --> 00:11:33,680
Competitors using bicep can.

332
00:11:33,680 --> 00:11:35,880
The organizational impact is subtle but real.

333
00:11:35,880 --> 00:11:38,680
Terraform teams often end up with a backlog of infrastructure

334
00:11:38,680 --> 00:11:41,080
improvements that are blocked on provider updates.

335
00:11:41,080 --> 00:11:42,600
Bicep teams just do the work.

336
00:11:42,600 --> 00:11:43,520
This compounds.

337
00:11:43,520 --> 00:11:46,200
After a year, the bicep organization has deployed capabilities

338
00:11:46,200 --> 00:11:49,560
and patterns, the Terraform organization is still waiting for.

339
00:11:49,560 --> 00:11:51,880
This gap reveals what native actually means.

340
00:11:51,880 --> 00:11:53,280
It doesn't mean pretty syntax.

341
00:11:53,280 --> 00:11:54,720
It doesn't mean integrated tooling.

342
00:11:54,720 --> 00:11:57,040
It means you get access to the platform the moment it ships.

343
00:11:57,040 --> 00:11:59,240
It means when a Azure's architects build a new feature,

344
00:11:59,240 --> 00:12:01,200
you can immediately use it in code.

345
00:12:01,200 --> 00:12:02,920
It means the tool isn't the bottleneck

346
00:12:02,920 --> 00:12:05,720
between your intentions and the platform's capabilities.

347
00:12:05,720 --> 00:12:08,960
The day zero gap is a structural advantage, not a tactical one.

348
00:12:08,960 --> 00:12:11,360
It's the difference between using what's available today

349
00:12:11,360 --> 00:12:13,160
and using what was available three months ago

350
00:12:13,160 --> 00:12:14,920
when the provider finally caught up.

351
00:12:14,920 --> 00:12:17,160
Understanding this gap moves the conversation away

352
00:12:17,160 --> 00:12:19,280
from ideology and into outcomes.

353
00:12:19,280 --> 00:12:22,840
Bicep's stateless model, the architectural shift,

354
00:12:22,840 --> 00:12:24,920
the fundamental difference between Terraform and bicep

355
00:12:24,920 --> 00:12:25,760
isn't syntax.

356
00:12:25,760 --> 00:12:27,640
It's where the source of truth lives.

357
00:12:27,640 --> 00:12:30,600
In Terraform, the state file is the source of truth.

358
00:12:30,600 --> 00:12:33,000
When you ask Terraform, what should I change?

359
00:12:33,000 --> 00:12:35,280
It's comparing your code against what's in the state file.

360
00:12:35,280 --> 00:12:36,880
The state file is the memory.

361
00:12:36,880 --> 00:12:39,040
The state file is what Terraform trusts.

362
00:12:39,040 --> 00:12:40,440
Azure is just the runtime,

363
00:12:40,440 --> 00:12:42,600
the place where those changes actually happen.

364
00:12:42,600 --> 00:12:43,800
Bicep flips this.

365
00:12:43,800 --> 00:12:46,840
In bicep, Azure Resource Manager is the source of truth.

366
00:12:46,840 --> 00:12:48,520
When you deploy a bicep template,

367
00:12:48,520 --> 00:12:50,240
you're not managing a separate artifact

368
00:12:50,240 --> 00:12:51,680
that remembers what's deployed.

369
00:12:51,680 --> 00:12:53,520
You're sending a desired state to ARM

370
00:12:53,520 --> 00:12:55,160
and asking it to reconcile.

371
00:12:55,160 --> 00:12:56,680
ARM looks at what you're asking for.

372
00:12:56,680 --> 00:12:58,160
ARM looks at what actually exists.

373
00:12:58,160 --> 00:13:00,040
ARM figures out what needs to change.

374
00:13:00,040 --> 00:13:01,080
Then ARM makes it happen.

375
00:13:01,080 --> 00:13:02,240
There is no state file.

376
00:13:02,240 --> 00:13:03,640
There is no separate database.

377
00:13:03,640 --> 00:13:05,320
There is no locking mechanism.

378
00:13:05,320 --> 00:13:06,800
There is no back end to secure.

379
00:13:06,800 --> 00:13:08,440
There is no version history to manage.

380
00:13:08,440 --> 00:13:09,840
There is no recovery strategy

381
00:13:09,840 --> 00:13:11,680
for when the state file gets corrupted.

382
00:13:11,680 --> 00:13:13,480
The complexity simply doesn't exist.

383
00:13:13,480 --> 00:13:15,000
Instead of maintaining infrastructure

384
00:13:15,000 --> 00:13:16,880
to manage the infrastructure manager,

385
00:13:16,880 --> 00:13:19,080
you're just writing code and sending it to the platform.

386
00:13:19,080 --> 00:13:21,560
The platform does what platforms are supposed to do.

387
00:13:21,560 --> 00:13:24,120
It reconciles your intent with current reality.

388
00:13:24,120 --> 00:13:24,800
That's its job.

389
00:13:24,800 --> 00:13:26,000
That's what ARM was built for.

390
00:13:26,000 --> 00:13:27,880
This changes everything operationally.

391
00:13:27,880 --> 00:13:29,480
You don't need to set up a storage account

392
00:13:29,480 --> 00:13:30,680
for the state back end.

393
00:13:30,680 --> 00:13:31,800
You don't need to configure

394
00:13:31,800 --> 00:13:34,080
a blob locking to prevent concurrent corruption.

395
00:13:34,080 --> 00:13:37,120
You don't need to encrypt the state or restrict access to it.

396
00:13:37,120 --> 00:13:39,760
You don't need monitoring to watch for state lock timeouts.

397
00:13:39,760 --> 00:13:41,600
You don't need incident response procedures

398
00:13:41,600 --> 00:13:43,680
for when state gets corrupted during a fail-deploy.

399
00:13:43,680 --> 00:13:44,760
None of that exists.

400
00:13:44,760 --> 00:13:46,720
You write code, you deploy code.

401
00:13:46,720 --> 00:13:48,320
ARM handles the reconciliation.

402
00:13:48,320 --> 00:13:49,280
That's the model.

403
00:13:49,280 --> 00:13:50,360
The way this actually works

404
00:13:50,360 --> 00:13:52,240
is through incremental deployments.

405
00:13:52,240 --> 00:13:54,160
When you send a bicep template to ARM,

406
00:13:54,160 --> 00:13:56,320
you're describing the resources you want to exist

407
00:13:56,320 --> 00:13:58,560
in a particular scope, a resource group,

408
00:13:58,560 --> 00:14:00,320
a subscription, whatever.

409
00:14:00,320 --> 00:14:01,760
ARM asks, "What's already there?

410
00:14:01,760 --> 00:14:02,600
What do you want?

411
00:14:02,600 --> 00:14:03,600
What needs to change?"

412
00:14:03,600 --> 00:14:05,880
Then it changes only the things that need changing.

413
00:14:05,880 --> 00:14:08,760
The responsibility shifts from the tool to the platform.

414
00:14:08,760 --> 00:14:11,680
Terraform says, "I'm responsible for knowing what's deployed.

415
00:14:11,680 --> 00:14:14,840
You tell me what you want, and I'll figure out the delta."

416
00:14:14,840 --> 00:14:16,520
ARM says, "I'm the control plane.

417
00:14:16,520 --> 00:14:18,480
I know what's deployed because I deployed it.

418
00:14:18,480 --> 00:14:21,120
You describe what you want, and I'll handle the rest."

419
00:14:21,120 --> 00:14:23,360
One model pushes state management responsibility

420
00:14:23,360 --> 00:14:25,480
onto the organization using the tool.

421
00:14:25,480 --> 00:14:27,280
The other model pushes it onto the platform,

422
00:14:27,280 --> 00:14:28,360
which is built to handle it.

423
00:14:28,360 --> 00:14:29,720
This is a structural advantage

424
00:14:29,720 --> 00:14:31,120
that compounds over time.

425
00:14:31,120 --> 00:14:33,120
You don't need a platform team to manage state.

426
00:14:33,120 --> 00:14:34,720
You don't need coordination protocols

427
00:14:34,720 --> 00:14:36,160
between teams sharing state.

428
00:14:36,160 --> 00:14:38,280
You don't need to partition state across environments

429
00:14:38,280 --> 00:14:39,640
and manage the boundaries.

430
00:14:39,640 --> 00:14:41,840
You don't need to worry about state lock contention

431
00:14:41,840 --> 00:14:44,240
when three teams try to deploy simultaneously.

432
00:14:44,240 --> 00:14:46,440
Each team sends code to ARM independently.

433
00:14:46,440 --> 00:14:47,840
ARM handles it.

434
00:14:47,840 --> 00:14:49,000
The trade-off is real.

435
00:14:49,000 --> 00:14:51,760
With Terraform, you get an explicit plan before you apply.

436
00:14:51,760 --> 00:14:53,440
You see exactly what's going to change.

437
00:14:53,440 --> 00:14:55,280
You can review it, you can approve it.

438
00:14:55,280 --> 00:14:57,200
With bicep, you don't get that explicit plan,

439
00:14:57,200 --> 00:14:58,040
not in the same way.

440
00:14:58,040 --> 00:15:00,880
You get a what-if operation that shows you what would change,

441
00:15:00,880 --> 00:15:02,480
but it's not the same as a plan.

442
00:15:02,480 --> 00:15:04,160
It's a prediction based on live data,

443
00:15:04,160 --> 00:15:07,000
not a comparison between code and a static state file.

444
00:15:07,000 --> 00:15:07,920
That's the cost.

445
00:15:07,920 --> 00:15:10,120
You lose the explicit, reviewable plan.

446
00:15:10,120 --> 00:15:11,960
But you gain something harder to quantify.

447
00:15:11,960 --> 00:15:14,800
You gain alignment with how the platform actually works.

448
00:15:14,800 --> 00:15:16,800
You stop thinking about state as something you manage.

449
00:15:16,800 --> 00:15:18,840
You start thinking about code as a declaration

450
00:15:18,840 --> 00:15:20,480
that the platform reconciles.

451
00:15:20,480 --> 00:15:22,880
This architectural difference cascades into governance

452
00:15:22,880 --> 00:15:25,880
and security in ways that aren't obvious at first.

453
00:15:25,880 --> 00:15:27,840
The what-if operation, live diagnostics,

454
00:15:27,840 --> 00:15:29,320
versus static plans.

455
00:15:29,320 --> 00:15:31,560
When you run Terraform plan, you're asking Terraform

456
00:15:31,560 --> 00:15:33,760
a straightforward question, what changed?

457
00:15:33,760 --> 00:15:35,680
But that question has a hidden complexity.

458
00:15:35,680 --> 00:15:39,040
Terraform compares three things, your code, the state file.

459
00:15:39,040 --> 00:15:40,880
What's actually in Azure right now?

460
00:15:40,880 --> 00:15:43,040
It pulls the live data, it does a refresh,

461
00:15:43,040 --> 00:15:44,560
and then it compares all three to figure out

462
00:15:44,560 --> 00:15:45,640
what needs to change.

463
00:15:45,640 --> 00:15:46,840
This should work perfectly.

464
00:15:46,840 --> 00:15:48,800
In theory, the state file matches reality.

465
00:15:48,800 --> 00:15:50,440
In practice, it often doesn't.

466
00:15:50,440 --> 00:15:51,800
The state file is stale.

467
00:15:51,800 --> 00:15:54,440
Someone made a manual change in the portal last week.

468
00:15:54,440 --> 00:15:56,800
Another team member applied a different configuration

469
00:15:56,800 --> 00:15:57,800
through a script.

470
00:15:57,800 --> 00:16:01,000
A resource got deleted because of a failed policy enforcement.

471
00:16:01,000 --> 00:16:02,880
Maybe the network failed halfway through an apply

472
00:16:02,880 --> 00:16:04,320
and corrupted the state file.

473
00:16:04,320 --> 00:16:06,040
Now the state file doesn't match Azure.

474
00:16:06,040 --> 00:16:08,600
So when Terraform runs plan, it's predicting changes

475
00:16:08,600 --> 00:16:10,120
based on data, it doesn't trust.

476
00:16:10,120 --> 00:16:13,040
You see a plan that looks safe, you approve it, you apply it,

477
00:16:13,040 --> 00:16:15,320
and something breaks because the state file lied.

478
00:16:15,320 --> 00:16:16,520
Bicep doesn't have this problem

479
00:16:16,520 --> 00:16:18,200
because it doesn't maintain a state file.

480
00:16:18,200 --> 00:16:19,520
When you run what-if in bicep,

481
00:16:19,520 --> 00:16:21,000
you're asking a different question.

482
00:16:21,000 --> 00:16:23,000
What would change if I deployed this right now?

483
00:16:23,000 --> 00:16:25,240
Bicep talks directly to the arm control plane.

484
00:16:25,240 --> 00:16:26,440
It sends your desired state.

485
00:16:26,440 --> 00:16:28,240
Arm responds with what currently exists.

486
00:16:28,240 --> 00:16:29,640
Bicep shows you the delta.

487
00:16:29,640 --> 00:16:32,240
That delta is based on live data pulled seconds ago,

488
00:16:32,240 --> 00:16:34,800
not cashed data that might be stale by weeks.

489
00:16:34,800 --> 00:16:36,680
The different sounds technical, it's not.

490
00:16:36,680 --> 00:16:39,400
It's the difference between a prediction and a live question.

491
00:16:39,400 --> 00:16:40,520
Terraform predicts.

492
00:16:40,520 --> 00:16:43,320
Bicep asks, "One is based on potentially stale state.

493
00:16:43,320 --> 00:16:45,600
The other is based on reality as it exists right now.

494
00:16:45,600 --> 00:16:47,280
This matters most in drift detection.

495
00:16:47,280 --> 00:16:49,280
Drift, the gap between what your code says

496
00:16:49,280 --> 00:16:51,920
should exist and what actually exists, is inevitable.

497
00:16:51,920 --> 00:16:53,600
Someone makes an emergency change.

498
00:16:53,600 --> 00:16:55,880
A policy violation gets remediated automatically.

499
00:16:55,880 --> 00:16:57,920
A resource gets deleted accidentally.

500
00:16:57,920 --> 00:17:00,360
Any number of things can diverge your live infrastructure

501
00:17:00,360 --> 00:17:01,320
from your code.

502
00:17:01,320 --> 00:17:03,720
Terraform detects drift by comparing state to code.

503
00:17:03,720 --> 00:17:05,080
But if the state file is stale,

504
00:17:05,080 --> 00:17:06,880
it won't detect the drift correctly.

505
00:17:06,880 --> 00:17:09,000
You end up running scheduled drift detection jobs.

506
00:17:09,000 --> 00:17:11,000
Scan your infrastructure every 15 minutes,

507
00:17:11,000 --> 00:17:13,960
every hour, every day, hoping to catch inconsistencies.

508
00:17:13,960 --> 00:17:16,600
Large organizations run drift detection constantly

509
00:17:16,600 --> 00:17:18,920
because they can't afford for state to be wrong.

510
00:17:18,920 --> 00:17:21,080
It's operational labor that exists entirely

511
00:17:21,080 --> 00:17:23,400
because you're maintaining a separate source of truth.

512
00:17:23,400 --> 00:17:25,280
Bicep doesn't need drift detection jobs.

513
00:17:25,280 --> 00:17:27,880
Every deployment is a drift check against live reality.

514
00:17:27,880 --> 00:17:28,720
You deploy.

515
00:17:28,720 --> 00:17:30,080
Arm shows you what changed.

516
00:17:30,080 --> 00:17:31,280
That's your drift signal.

517
00:17:31,280 --> 00:17:32,720
You're always looking at current state

518
00:17:32,720 --> 00:17:34,520
because arm is the control plane.

519
00:17:34,520 --> 00:17:35,600
It knows what's there.

520
00:17:35,600 --> 00:17:37,080
The more significant advantage appears

521
00:17:37,080 --> 00:17:38,720
when you layer in governance.

522
00:17:38,720 --> 00:17:41,600
Azure policy is Azure's built-in enforcement engine.

523
00:17:41,600 --> 00:17:43,240
It evaluates resources against rules

524
00:17:43,240 --> 00:17:45,720
and can block deployments that violate policy.

525
00:17:45,720 --> 00:17:47,880
When a bicep deployment hits the arm control plane,

526
00:17:47,880 --> 00:17:50,800
arm checks it against every policy that applies to that scope.

527
00:17:50,800 --> 00:17:53,240
If it violates policy, the deployment fails

528
00:17:53,240 --> 00:17:54,600
before anything changes.

529
00:17:54,600 --> 00:17:56,480
You see the policy violation immediately.

530
00:17:56,480 --> 00:17:58,360
Terraform doesn't have this integration.

531
00:17:58,360 --> 00:18:00,760
You apply a terraform deployment arm accepts it.

532
00:18:00,760 --> 00:18:02,120
The resources get created.

533
00:18:02,120 --> 00:18:03,920
Then Azure policy runs its evaluation.

534
00:18:03,920 --> 00:18:05,720
If the resources violate policy,

535
00:18:05,720 --> 00:18:07,440
they get flagged as non-compliant

536
00:18:07,440 --> 00:18:09,200
but the deployment already happened.

537
00:18:09,200 --> 00:18:11,200
You created resources that shouldn't exist

538
00:18:11,200 --> 00:18:12,800
then discovered that afterward.

539
00:18:12,800 --> 00:18:14,120
The timing difference is real.

540
00:18:14,120 --> 00:18:16,720
Bicep prevents violations before they create resources.

541
00:18:16,720 --> 00:18:19,080
Terraform discovers violations after it's too late.

542
00:18:19,080 --> 00:18:20,400
This creates a practical difference

543
00:18:20,400 --> 00:18:21,800
in your deployment experience.

544
00:18:21,800 --> 00:18:23,680
With bicep, you see fewer surprises.

545
00:18:23,680 --> 00:18:25,160
Your feedback loop is tighter.

546
00:18:25,160 --> 00:18:27,760
Your governance is integrated into the deployment process,

547
00:18:27,760 --> 00:18:29,360
not bolted on after the fact.

548
00:18:29,360 --> 00:18:31,160
With Terraform, you're managing policies

549
00:18:31,160 --> 00:18:33,360
as a separate concern from deployment.

550
00:18:33,360 --> 00:18:34,520
The integration with governance

551
00:18:34,520 --> 00:18:36,920
is where native tooling reveals its real advantage.

552
00:18:36,920 --> 00:18:40,000
The module ecosystem, reuse versus standardization.

553
00:18:40,000 --> 00:18:41,960
The promise of Terraform is reuse at scale.

554
00:18:41,960 --> 00:18:44,760
The Terraform registry has 20,000 community modules.

555
00:18:44,760 --> 00:18:47,800
20,000, across 100 plus providers, AWS modules,

556
00:18:47,800 --> 00:18:50,120
Azure modules, Kubernetes modules, data doc modules.

557
00:18:50,120 --> 00:18:52,120
You name the platform, someone wrote a Terraform module

558
00:18:52,120 --> 00:18:53,720
for it, the ecosystem is massive.

559
00:18:53,720 --> 00:18:56,520
The breadth is undeniable as your has something different,

560
00:18:56,520 --> 00:18:58,160
as your verified modules.

561
00:18:58,160 --> 00:19:02,320
AVM, not 20,000 modules, maybe a few hundred carefully curated ones.

562
00:19:02,320 --> 00:19:04,800
Built by Microsoft, tested against Azure patterns,

563
00:19:04,800 --> 00:19:06,560
versioned, maintained.

564
00:19:06,560 --> 00:19:08,640
Opinionated about how you should deploy things,

565
00:19:08,640 --> 00:19:11,480
one is a marketplace, the other is a library of standards.

566
00:19:11,480 --> 00:19:12,600
The difference reveals itself

567
00:19:12,600 --> 00:19:14,160
when you try to use the modules.

568
00:19:14,160 --> 00:19:16,640
A Terraform module is designed to work generically.

569
00:19:16,640 --> 00:19:18,600
It abstracts away cloud-specific details

570
00:19:18,600 --> 00:19:20,400
so it can run on multiple providers.

571
00:19:20,400 --> 00:19:21,240
That sounds useful.

572
00:19:21,240 --> 00:19:24,000
In practice, it means the module is optimized for none of them.

573
00:19:24,000 --> 00:19:26,120
It implements the lowest common denominator,

574
00:19:26,120 --> 00:19:27,880
the features that work everywhere.

575
00:19:27,880 --> 00:19:29,640
It skips Azure-specific capabilities

576
00:19:29,640 --> 00:19:31,440
because they don't exist in AWS.

577
00:19:31,440 --> 00:19:33,440
It uses patterns that work across clouds,

578
00:19:33,440 --> 00:19:36,320
even if Azure has better patterns for that specific service.

579
00:19:36,320 --> 00:19:38,440
You get breadth, you lose depth.

580
00:19:38,440 --> 00:19:41,040
An AVM module is built for Azure specifically.

581
00:19:41,040 --> 00:19:42,920
It knows about Azure resource patterns.

582
00:19:42,920 --> 00:19:44,640
It knows about Azure naming conventions.

583
00:19:44,640 --> 00:19:46,640
It knows about Azure governance integration.

584
00:19:46,640 --> 00:19:48,280
It knows that when you deploy a key vault,

585
00:19:48,280 --> 00:19:50,160
you should enable purge protection.

586
00:19:50,160 --> 00:19:52,720
It knows you should configure diagnostic settings automatically.

587
00:19:52,720 --> 00:19:54,080
It knows about soft delete.

588
00:19:54,080 --> 00:19:55,920
It knows about our back best practices.

589
00:19:55,920 --> 00:19:57,760
These things aren't optional nice to have.

590
00:19:57,760 --> 00:19:58,760
They're built in.

591
00:19:58,760 --> 00:20:00,160
This isn't just convenience.

592
00:20:00,160 --> 00:20:01,440
This is knowledge.

593
00:20:01,440 --> 00:20:04,520
Every AVM module encodes years of operational experience

594
00:20:04,520 --> 00:20:06,120
using that service at scale.

595
00:20:06,120 --> 00:20:07,600
It's not just a resource wrapper.

596
00:20:07,600 --> 00:20:10,360
It's a distilled version of what Microsoft and Enterprise customers

597
00:20:10,360 --> 00:20:13,160
learned about operating that service responsibly.

598
00:20:13,160 --> 00:20:14,560
The hidden cost of Terraform's breadth

599
00:20:14,560 --> 00:20:16,600
becomes apparent when you try to maintain it.

600
00:20:16,600 --> 00:20:18,320
You inherit 20,000 modules.

601
00:20:18,320 --> 00:20:19,400
Many of them outdated.

602
00:20:19,400 --> 00:20:20,480
Some are abandoned.

603
00:20:20,480 --> 00:20:22,040
Some have conflicting patterns.

604
00:20:22,040 --> 00:20:23,600
Some use different naming conventions.

605
00:20:23,600 --> 00:20:26,920
Some follow AWS best practices and translate poorly to Azure.

606
00:20:26,920 --> 00:20:28,600
You're trying to build consistency

607
00:20:28,600 --> 00:20:31,200
across a marketplace that has no consistency.

608
00:20:31,200 --> 00:20:33,120
So organizations create internal Terraform modules.

609
00:20:33,120 --> 00:20:34,480
They wrap the community modules.

610
00:20:34,480 --> 00:20:35,400
They add governance.

611
00:20:35,400 --> 00:20:36,680
They add naming patterns.

612
00:20:36,680 --> 00:20:38,560
They add defaults that make sense for Azure.

613
00:20:38,560 --> 00:20:40,880
Essentially, they build what AVM already is.

614
00:20:40,880 --> 00:20:42,440
They've added layers of abstraction

615
00:20:42,440 --> 00:20:44,720
trying to solve the generic module problem.

616
00:20:44,720 --> 00:20:47,360
They've rebuilt the solution that already exists in AVM.

617
00:20:47,360 --> 00:20:49,920
The organizational friction is subtle but cumulative.

618
00:20:49,920 --> 00:20:52,680
Teams spend time evaluating which module to use.

619
00:20:52,680 --> 00:20:53,840
Which one is maintained?

620
00:20:53,840 --> 00:20:55,240
Which one has better documentation?

621
00:20:55,240 --> 00:20:56,640
Which one aligns with your patterns?

622
00:20:56,640 --> 00:20:58,320
You're making decisions about decisions

623
00:20:58,320 --> 00:20:59,680
that AVM eliminates.

624
00:20:59,680 --> 00:21:01,200
This doesn't mean AVM is perfect.

625
00:21:01,200 --> 00:21:02,280
The catalog is smaller.

626
00:21:02,280 --> 00:21:04,800
If you need something super niche, it might not exist.

627
00:21:04,800 --> 00:21:06,040
But for the core services,

628
00:21:06,040 --> 00:21:09,640
compute networking data, identity, AVM has you covered.

629
00:21:09,640 --> 00:21:11,160
And what's there is built an assumption

630
00:21:11,160 --> 00:21:14,400
that you're optimizing for Azure, not hedging for AWS.

631
00:21:14,400 --> 00:21:15,800
The ecosystem difference reflects

632
00:21:15,800 --> 00:21:18,280
the fundamental philosophy about tool scope.

633
00:21:18,280 --> 00:21:21,040
Terraform asks, what if you need to go anywhere?

634
00:21:21,040 --> 00:21:23,160
AVM asks, how do we optimize for here?

635
00:21:23,160 --> 00:21:25,600
One, two treats its platform as a negotiation.

636
00:21:25,600 --> 00:21:26,960
The other treats it as home.

637
00:21:26,960 --> 00:21:28,840
The choice between them isn't about modules.

638
00:21:28,840 --> 00:21:30,880
It's about whether your organization is maintaining

639
00:21:30,880 --> 00:21:33,000
tooling consistency across many platforms

640
00:21:33,000 --> 00:21:34,520
or building depth on one platform.

641
00:21:34,520 --> 00:21:36,760
If you are Azure only, AVM's opinionated approach

642
00:21:36,760 --> 00:21:38,160
saves engineering effort.

643
00:21:38,160 --> 00:21:39,720
If you are genuinely multi-cloud,

644
00:21:39,720 --> 00:21:41,960
Terraform's generic breadth makes sense.

645
00:21:41,960 --> 00:21:43,640
But most organizations that pick Terraform

646
00:21:43,640 --> 00:21:45,280
for multi-cloud optionality

647
00:21:45,280 --> 00:21:48,440
end up maintaining Azure specific modules inside Terraform anyway.

648
00:21:48,440 --> 00:21:50,880
They're solving the generic module problem manually,

649
00:21:50,880 --> 00:21:52,400
which means they're paying twice.

650
00:21:52,400 --> 00:21:54,920
State management as governance infrastructure.

651
00:21:54,920 --> 00:21:56,960
The state file is more than a technical problem.

652
00:21:56,960 --> 00:21:58,400
It's also a governance artifact.

653
00:21:58,400 --> 00:22:01,320
When you maintain a state file, you're maintaining a ledger.

654
00:22:01,320 --> 00:22:03,840
That ledger records every resource you're managing.

655
00:22:03,840 --> 00:22:05,000
It records configuration.

656
00:22:05,000 --> 00:22:07,040
It records who deployed what and when.

657
00:22:07,040 --> 00:22:10,200
It records change history if you version the back end properly.

658
00:22:10,200 --> 00:22:12,840
It becomes the canonical record of your infrastructure.

659
00:22:12,840 --> 00:22:14,600
This is actually useful for governance.

660
00:22:14,600 --> 00:22:17,240
If an auditor asks what resources are under ISE management,

661
00:22:17,240 --> 00:22:19,080
the state file answers that question.

662
00:22:19,080 --> 00:22:21,960
If someone wants to know who deployed a particular resource,

663
00:22:21,960 --> 00:22:24,160
the state file, combined with your Git history

664
00:22:24,160 --> 00:22:26,240
and back end versioning, can tell you,

665
00:22:26,240 --> 00:22:28,640
if you need to prove that a specific configuration

666
00:22:28,640 --> 00:22:30,480
was in place at a specific time,

667
00:22:30,480 --> 00:22:32,320
the state file provides evidence.

668
00:22:32,320 --> 00:22:33,960
But that evidence comes at a cost.

669
00:22:33,960 --> 00:22:35,400
You have to secure the ledger.

670
00:22:35,400 --> 00:22:36,520
You have to version it.

671
00:22:36,520 --> 00:22:37,360
You have to back it up.

672
00:22:37,360 --> 00:22:38,720
You have to control access to it.

673
00:22:38,720 --> 00:22:40,800
You have to monitor who reads it and when.

674
00:22:40,800 --> 00:22:43,040
You have to ensure that the people who can modify it

675
00:22:43,040 --> 00:22:44,400
are authorized to do so.

676
00:22:44,400 --> 00:22:46,240
You have to handle the mechanics of change tracking.

677
00:22:46,240 --> 00:22:47,920
You have to figure out how long to keep history

678
00:22:47,920 --> 00:22:49,040
and when to archive it.

679
00:22:49,040 --> 00:22:50,640
That's not a state management problem.

680
00:22:50,640 --> 00:22:52,000
That's a data governance problem.

681
00:22:52,000 --> 00:22:53,520
You've created a critical data asset

682
00:22:53,520 --> 00:22:55,240
and now you have to govern it like one.

683
00:22:55,240 --> 00:22:57,240
Bicep inverts this.

684
00:22:57,240 --> 00:22:59,480
Instead of terraform maintaining a centralized state

685
00:22:59,480 --> 00:23:01,040
file as the infrastructure record,

686
00:23:01,040 --> 00:23:03,280
bicep delegates the record keeping to Azure.

687
00:23:03,280 --> 00:23:05,480
Azure activity logs become your audit trail.

688
00:23:05,480 --> 00:23:06,840
Every deployment gets logged.

689
00:23:06,840 --> 00:23:09,760
Every change gets recorded with timestamps and principles.

690
00:23:09,760 --> 00:23:11,560
Every policy check leaves a trace.

691
00:23:11,560 --> 00:23:14,360
You can query what changed, who changed it when it happened.

692
00:23:14,360 --> 00:23:15,600
And what the result was.

693
00:23:15,600 --> 00:23:18,200
This is governance that the platform provides natively.

694
00:23:18,200 --> 00:23:19,200
You don't have to build it.

695
00:23:19,200 --> 00:23:20,160
You don't have to maintain it.

696
00:23:20,160 --> 00:23:22,440
It's already there as part of how Azure operates.

697
00:23:22,440 --> 00:23:24,000
The difference is architectural.

698
00:23:24,000 --> 00:23:26,080
Terraform centralizes infrastructure decisions

699
00:23:26,080 --> 00:23:27,200
into the state file.

700
00:23:27,200 --> 00:23:29,120
The state file is the single point of record.

701
00:23:29,120 --> 00:23:30,400
Everything flows through it.

702
00:23:30,400 --> 00:23:31,520
If you need governance data,

703
00:23:31,520 --> 00:23:32,960
you're extracting it from the state.

704
00:23:32,960 --> 00:23:34,120
If you need audit trails,

705
00:23:34,120 --> 00:23:35,920
you're building them on top of state versioning

706
00:23:35,920 --> 00:23:36,960
and backend logging.

707
00:23:36,960 --> 00:23:38,800
You're layering governance onto the tool.

708
00:23:38,800 --> 00:23:41,200
Bicep distributes responsibility differently.

709
00:23:41,200 --> 00:23:42,800
The code defines intent.

710
00:23:42,800 --> 00:23:44,720
Azure enforces reality.

711
00:23:44,720 --> 00:23:46,520
The audit trail lives in Azure's logs,

712
00:23:46,520 --> 00:23:48,360
not in a separate artifact.

713
00:23:48,360 --> 00:23:50,400
The governance happens at the platform level,

714
00:23:50,400 --> 00:23:51,640
not at the tool level.

715
00:23:51,640 --> 00:23:53,160
This creates a separation of concerns

716
00:23:53,160 --> 00:23:54,840
that matters operationally.

717
00:23:54,840 --> 00:23:56,600
With Terraform, your governance team

718
00:23:56,600 --> 00:23:58,200
has to understand the state file.

719
00:23:58,200 --> 00:24:00,400
They have to understand which state backend you're using.

720
00:24:00,400 --> 00:24:02,280
They have to understand who can access it.

721
00:24:02,280 --> 00:24:04,480
They have to design policies around state mutations.

722
00:24:04,480 --> 00:24:06,240
They have to ensure that state modifications

723
00:24:06,240 --> 00:24:08,720
go through the proper change control process.

724
00:24:08,720 --> 00:24:10,920
Your governance is entangled with two mechanics.

725
00:24:10,920 --> 00:24:13,840
With Bicep, your governance team works with Azure natively.

726
00:24:13,840 --> 00:24:15,160
They configure Azure policy.

727
00:24:15,160 --> 00:24:16,040
They set up RBAC.

728
00:24:16,040 --> 00:24:17,600
They enable activity logs.

729
00:24:17,600 --> 00:24:19,640
They design role-based access to subscriptions

730
00:24:19,640 --> 00:24:20,480
and resource groups.

731
00:24:20,480 --> 00:24:22,120
They're using tools they already understand

732
00:24:22,120 --> 00:24:23,800
for managing cloud resources.

733
00:24:23,800 --> 00:24:25,480
Bicep is just the authoring layer.

734
00:24:25,480 --> 00:24:27,760
The compliance implications shift accordingly.

735
00:24:27,760 --> 00:24:30,480
If your audit requirements demand proof of change control,

736
00:24:30,480 --> 00:24:32,960
Terraform's explicit state tracking gives you that.

737
00:24:32,960 --> 00:24:34,040
You conversion the state,

738
00:24:34,040 --> 00:24:35,640
lock changes behind approvals

739
00:24:35,640 --> 00:24:37,480
and maintain a complete change log.

740
00:24:37,480 --> 00:24:39,920
If your audit requirements demand role-based access

741
00:24:39,920 --> 00:24:41,120
and activity logging,

742
00:24:41,120 --> 00:24:43,760
Bicep's reliance on Azure's native audit capabilities

743
00:24:43,760 --> 00:24:44,600
satisfies that.

744
00:24:44,600 --> 00:24:46,600
You're not managing a separate security domain

745
00:24:46,600 --> 00:24:48,040
for infrastructure code.

746
00:24:48,040 --> 00:24:50,280
Different organizations have different compliance needs.

747
00:24:50,280 --> 00:24:52,840
Some care deeply about an explicit versioned record

748
00:24:52,840 --> 00:24:54,440
of infrastructure decisions.

749
00:24:54,440 --> 00:24:56,040
Some care about proving that all changes

750
00:24:56,040 --> 00:24:58,880
went through proper RBAC gates and left audit trails.

751
00:24:58,880 --> 00:25:00,960
Terraform excels at the first requirement.

752
00:25:00,960 --> 00:25:03,640
Bicep leverages Azure's strength at the second.

753
00:25:03,640 --> 00:25:05,040
Understanding these governance models

754
00:25:05,040 --> 00:25:07,560
reveals where operational complexity actually lives.

755
00:25:07,560 --> 00:25:09,040
It's not just about managing state.

756
00:25:09,040 --> 00:25:11,000
It's about how you want infrastructure governance

757
00:25:11,000 --> 00:25:12,440
to work in your organization.

758
00:25:12,440 --> 00:25:14,240
Do you want a dedicated governance system?

759
00:25:14,240 --> 00:25:15,480
Or do you want governance to flow

760
00:25:15,480 --> 00:25:17,480
through your existing platform controls?

761
00:25:17,480 --> 00:25:18,560
That's the real choice.

762
00:25:18,560 --> 00:25:20,320
The drift detection reality check.

763
00:25:20,320 --> 00:25:21,320
Drift is inevitable.

764
00:25:21,320 --> 00:25:22,320
It's not a failure mode.

765
00:25:22,320 --> 00:25:23,880
It's not something you prevent.

766
00:25:23,880 --> 00:25:25,800
It happens because organizations don't exist

767
00:25:25,800 --> 00:25:26,920
in a steady state.

768
00:25:26,920 --> 00:25:28,880
Someone deploys a patch to a server

769
00:25:28,880 --> 00:25:31,000
through the portal because waiting for code review

770
00:25:31,000 --> 00:25:33,400
took too long and the vulnerability was critical.

771
00:25:33,400 --> 00:25:35,360
A developer spins up a test database

772
00:25:35,360 --> 00:25:37,800
to debug something and forgets to tear it down.

773
00:25:37,800 --> 00:25:39,800
A policy violation gets auto-remediated,

774
00:25:39,800 --> 00:25:41,520
changing a configuration you didn't realize

775
00:25:41,520 --> 00:25:42,480
was non-compliant.

776
00:25:42,480 --> 00:25:45,080
A resource gets deleted by accident and restored from backup,

777
00:25:45,080 --> 00:25:46,760
but the state file wasn't updated.

778
00:25:46,760 --> 00:25:48,240
Any of these things causes drift.

779
00:25:48,240 --> 00:25:50,080
The infrastructure you're managing diverges

780
00:25:50,080 --> 00:25:52,040
from what your code says should be there,

781
00:25:52,040 --> 00:25:53,720
how you handle that divergence determines

782
00:25:53,720 --> 00:25:57,040
whether drift becomes a liability or just a fact of life.

783
00:25:57,040 --> 00:25:58,840
With Terraform, drift is a problem

784
00:25:58,840 --> 00:26:00,320
that requires management.

785
00:26:00,320 --> 00:26:02,440
When someone makes a change outside Terraform,

786
00:26:02,440 --> 00:26:04,040
any change, no matter how small,

787
00:26:04,040 --> 00:26:05,400
the state file becomes stale.

788
00:26:05,400 --> 00:26:07,120
The state file now claims something

789
00:26:07,120 --> 00:26:10,080
has configured one way, but Azure has it configured differently.

790
00:26:10,080 --> 00:26:11,680
The next time you run Terraform plan,

791
00:26:11,680 --> 00:26:12,800
Terraform is confused.

792
00:26:12,800 --> 00:26:14,360
It's comparing code against a state file

793
00:26:14,360 --> 00:26:15,640
that doesn't match reality.

794
00:26:15,640 --> 00:26:17,640
It doesn't know if the discrepancy is intentional

795
00:26:17,640 --> 00:26:18,680
or a mistake.

796
00:26:18,680 --> 00:26:21,160
So it either proposes to override the life change

797
00:26:21,160 --> 00:26:22,080
or it does nothing.

798
00:26:22,080 --> 00:26:24,600
And now you have two versions of the truth floating around.

799
00:26:24,600 --> 00:26:25,960
You can't leave drift unresolved

800
00:26:25,960 --> 00:26:28,520
because it breaks your ability to trust Terraform's plans.

801
00:26:28,520 --> 00:26:29,760
So you run drift detection.

802
00:26:29,760 --> 00:26:31,760
Large organizations don't do this manually

803
00:26:31,760 --> 00:26:33,120
and they run scheduled jobs.

804
00:26:33,120 --> 00:26:35,160
Every 15 minutes, every hour, every day,

805
00:26:35,160 --> 00:26:36,680
depending on how much they care,

806
00:26:36,680 --> 00:26:38,160
they scan the live infrastructure

807
00:26:38,160 --> 00:26:39,880
and compare it to the state file.

808
00:26:39,880 --> 00:26:41,120
They generate a drift report.

809
00:26:41,120 --> 00:26:43,200
They show teams what changed outside Terraform.

810
00:26:43,200 --> 00:26:44,800
Then they either update the state file

811
00:26:44,800 --> 00:26:47,000
to match reality or run Terraform apply

812
00:26:47,000 --> 00:26:48,160
to override the changes.

813
00:26:48,160 --> 00:26:49,320
This is operational work.

814
00:26:49,320 --> 00:26:50,120
It's time.

815
00:26:50,120 --> 00:26:50,960
It's engineering.

816
00:26:50,960 --> 00:26:52,400
It's infrastructure you have to maintain

817
00:26:52,400 --> 00:26:54,120
to keep Terraform working correctly.

818
00:26:54,120 --> 00:26:56,400
Bicep doesn't have this problem in the same way

819
00:26:56,400 --> 00:26:58,720
because Azure is the source of truth, not the code.

820
00:26:58,720 --> 00:27:01,640
When you deploy bicep, you're sending a desired state to ARM.

821
00:27:01,640 --> 00:27:03,160
ARM looks at what's currently deployed,

822
00:27:03,160 --> 00:27:04,600
ARM figures out the gap.

823
00:27:04,600 --> 00:27:06,320
ARM changes only what needs changing.

824
00:27:06,320 --> 00:27:07,920
There is no state file getting stale.

825
00:27:07,920 --> 00:27:10,480
There is no comparison between two versions of the truth.

826
00:27:10,480 --> 00:27:11,800
But drift still happens.

827
00:27:11,800 --> 00:27:14,000
Someone still makes a change outside bicep.

828
00:27:14,000 --> 00:27:15,720
A resource still gets modified manually

829
00:27:15,720 --> 00:27:17,320
or through another automation system.

830
00:27:17,320 --> 00:27:19,640
The infrastructure diverges from your code.

831
00:27:19,640 --> 00:27:21,480
The difference is what that means operationally.

832
00:27:21,480 --> 00:27:24,880
With bicep, drift doesn't break your ability to deploy safely.

833
00:27:24,880 --> 00:27:26,800
Your next deployment will still work correctly

834
00:27:26,800 --> 00:27:28,480
because you're always asking ARM,

835
00:27:28,480 --> 00:27:30,120
what's actually there right now?

836
00:27:30,120 --> 00:27:32,480
Not what's in my cashed state file?

837
00:27:32,480 --> 00:27:34,840
The drift gets reconciled during the next deployment.

838
00:27:34,840 --> 00:27:38,040
You don't need scheduled drift detection jobs running continuously.

839
00:27:38,040 --> 00:27:40,600
You don't need a separate system to keep the state consistent.

840
00:27:40,600 --> 00:27:42,400
You deploy. ARM handles it.

841
00:27:42,400 --> 00:27:44,200
There's still visibility if you want it.

842
00:27:44,200 --> 00:27:46,160
Azure activity logs show what changed.

843
00:27:46,160 --> 00:27:48,320
Azure resource graph can show you current state.

844
00:27:48,320 --> 00:27:51,040
But you're not managing drift as an operational burden.

845
00:27:51,040 --> 00:27:53,480
You're observing it as a side effect of how the system works.

846
00:27:53,480 --> 00:27:56,000
The difference becomes acute in large organizations.

847
00:27:56,000 --> 00:27:58,120
A Fortune 500 company running terraform

848
00:27:58,120 --> 00:28:01,160
might have dozens of drift detection pipelines running constantly.

849
00:28:01,160 --> 00:28:03,080
Thousands of resources, multiple clouds,

850
00:28:03,080 --> 00:28:05,360
teams making changes across different systems.

851
00:28:05,360 --> 00:28:07,240
The drift detection overhead is substantial.

852
00:28:07,240 --> 00:28:10,520
Your running jobs just to keep terraforms understanding of reality

853
00:28:10,520 --> 00:28:12,760
from diverging too far from actual reality.

854
00:28:12,760 --> 00:28:15,680
The operational burden reveals where terraforms explicit state

855
00:28:15,680 --> 00:28:17,200
becomes a liability.

856
00:28:17,200 --> 00:28:19,240
You've built an elaborate system to manage the gap

857
00:28:19,240 --> 00:28:20,640
between what the state file claims

858
00:28:20,640 --> 00:28:21,680
and what's actually deployed.

859
00:28:21,680 --> 00:28:22,840
The system works.

860
00:28:22,840 --> 00:28:25,160
But it's work and that work is only necessary

861
00:28:25,160 --> 00:28:27,400
because you chose a tool that requires it.

862
00:28:27,400 --> 00:28:28,960
The human factor compounds this.

863
00:28:28,960 --> 00:28:30,400
Teams make emergency changes.

864
00:28:30,400 --> 00:28:31,960
It's 3 a.m. and production is down

865
00:28:31,960 --> 00:28:34,720
and nobody has time to wait for code review and pipeline validation.

866
00:28:34,720 --> 00:28:35,960
So someone fixes it directly.

867
00:28:35,960 --> 00:28:37,280
Terraform now has a problem.

868
00:28:37,280 --> 00:28:39,440
That drift detection job will find it tomorrow.

869
00:28:39,440 --> 00:28:40,960
But today your state is wrong.

870
00:28:40,960 --> 00:28:42,520
Human behavior is inevitable.

871
00:28:42,520 --> 00:28:44,720
Tools that require teams to fight their own instincts

872
00:28:44,720 --> 00:28:45,880
create friction.

873
00:28:45,880 --> 00:28:47,280
Azure Policy Integration.

874
00:28:47,280 --> 00:28:49,880
Native Enforcement versus bolted on controls.

875
00:28:49,880 --> 00:28:52,120
Azure Policy is Azure's governance engine.

876
00:28:52,120 --> 00:28:54,080
It evaluates resources against rules.

877
00:28:54,080 --> 00:28:55,640
It can enforce configurations.

878
00:28:55,640 --> 00:28:56,720
It can audit compliance.

879
00:28:56,720 --> 00:28:59,760
It can even remediate violations automatically in some cases.

880
00:28:59,760 --> 00:29:02,480
It's the mechanism that prevents teams from deploying things

881
00:29:02,480 --> 00:29:03,640
they shouldn't deploy.

882
00:29:03,640 --> 00:29:05,640
It's where your compliance requirements

883
00:29:05,640 --> 00:29:07,640
become actual constraints in the system.

884
00:29:07,640 --> 00:29:09,960
The question is, when does that enforcement happen

885
00:29:09,960 --> 00:29:12,600
with BICEP it happens before your infrastructure exists?

886
00:29:12,600 --> 00:29:14,760
When you send a BICEP template to ARM,

887
00:29:14,760 --> 00:29:18,160
something specific happens before any resources get created.

888
00:29:18,160 --> 00:29:20,680
ARM evaluates your deployment against every Azure policy

889
00:29:20,680 --> 00:29:22,000
that applies to that scope.

890
00:29:22,000 --> 00:29:24,880
If your deployment violates policy, the deployment fails.

891
00:29:24,880 --> 00:29:27,400
It doesn't create resources and then discover the violation.

892
00:29:27,400 --> 00:29:28,320
It stops beforehand.

893
00:29:28,320 --> 00:29:30,080
You see the policy violation immediately.

894
00:29:30,080 --> 00:29:31,920
You fix your code, you deploy again.

895
00:29:31,920 --> 00:29:33,040
The feedback loop is tight.

896
00:29:33,040 --> 00:29:34,640
This is pre-flight validation.

897
00:29:34,640 --> 00:29:35,560
It's prevention.

898
00:29:35,560 --> 00:29:37,000
Terraform doesn't work this way.

899
00:29:37,000 --> 00:29:38,240
You write your Terraform code.

900
00:29:38,240 --> 00:29:39,360
You run Terraform Apply.

901
00:29:39,360 --> 00:29:42,360
Terraform talks to the Azure APIs and creates the resources.

902
00:29:42,360 --> 00:29:43,560
The resources exist now.

903
00:29:43,560 --> 00:29:45,680
After they exist, after Terraform is done,

904
00:29:45,680 --> 00:29:47,040
Azure Policy evaluates them.

905
00:29:47,040 --> 00:29:49,800
If they violate policy, the resources become non-compliant.

906
00:29:49,800 --> 00:29:50,920
But they're already created.

907
00:29:50,920 --> 00:29:53,120
You have to delete them and rewrite your code.

908
00:29:53,120 --> 00:29:54,200
Then you have to apply again.

909
00:29:54,200 --> 00:29:55,160
The timing is different.

910
00:29:55,160 --> 00:29:56,800
The operational experience is different.

911
00:29:56,800 --> 00:29:58,400
Here's where this becomes real.

912
00:29:58,400 --> 00:30:01,920
Imagine you have an Azure policy that requires all storage accounts

913
00:30:01,920 --> 00:30:03,600
to have encryption enabled.

914
00:30:03,600 --> 00:30:06,200
With Bicep, if your template tries to create a storage account

915
00:30:06,200 --> 00:30:09,080
without encryption, the what if operation fails before you deploy.

916
00:30:09,080 --> 00:30:10,120
You see the error.

917
00:30:10,120 --> 00:30:11,800
You add the encryption configuration.

918
00:30:11,800 --> 00:30:13,280
You deploy again and it works.

919
00:30:13,280 --> 00:30:15,360
You never created a non-compliant resource.

920
00:30:15,360 --> 00:30:18,240
With Terraform, you create the storage account without encryption.

921
00:30:18,240 --> 00:30:19,280
It exists for a moment.

922
00:30:19,280 --> 00:30:21,160
Then Azure Policy flags it as non-compliant.

923
00:30:21,160 --> 00:30:23,360
Now you have a non-compliant resource in production.

924
00:30:23,360 --> 00:30:25,040
It might get automatically remediated

925
00:30:25,040 --> 00:30:26,840
if your policy is set up that way.

926
00:30:26,840 --> 00:30:29,080
Or it might just sit there marked as non-compliant

927
00:30:29,080 --> 00:30:30,440
until someone notices.

928
00:30:30,440 --> 00:30:32,640
Either way, the resource existed in a bad state

929
00:30:32,640 --> 00:30:34,000
before governance courted.

930
00:30:34,000 --> 00:30:35,200
One prevents the violation.

931
00:30:35,200 --> 00:30:37,240
One discovers it after it happens.

932
00:30:37,240 --> 00:30:39,880
The difference multiplies across your organization.

933
00:30:39,880 --> 00:30:42,080
Teams deploy infrastructure constantly.

934
00:30:42,080 --> 00:30:43,960
If every deployment creates resources

935
00:30:43,960 --> 00:30:46,400
that might be non-compliant before governance catches them,

936
00:30:46,400 --> 00:30:48,960
you're creating compliance incidents continuously.

937
00:30:48,960 --> 00:30:51,800
You're managing the aftermath instead of preventing the problem.

938
00:30:51,800 --> 00:30:53,800
Bicep's native integration with Azure Policy

939
00:30:53,800 --> 00:30:56,280
means governance is built into the deployment process.

940
00:30:56,280 --> 00:30:57,920
Policy definitions, initiatives,

941
00:30:57,920 --> 00:31:00,360
and assignments are resources you define in Bicep.

942
00:31:00,360 --> 00:31:01,680
They're not bolted on afterward.

943
00:31:01,680 --> 00:31:03,440
They're part of your infrastructure code.

944
00:31:03,440 --> 00:31:05,080
You version them. You test them.

945
00:31:05,080 --> 00:31:07,600
You deploy them alongside your other infrastructure.

946
00:31:07,600 --> 00:31:09,760
Governance becomes part of how you define systems

947
00:31:09,760 --> 00:31:12,960
not a separate system that checks your work after the fact.

948
00:31:12,960 --> 00:31:15,320
Terraform's integration with Azure Policy still works,

949
00:31:15,320 --> 00:31:17,280
but the policy itself is separate.

950
00:31:17,280 --> 00:31:19,480
You define your infrastructure in Terraform.

951
00:31:19,480 --> 00:31:21,280
You define your policies somewhere else.

952
00:31:21,280 --> 00:31:23,000
Through the portal or through Terraform

953
00:31:23,000 --> 00:31:25,600
using the Azure AM Policy Definition Resource

954
00:31:25,600 --> 00:31:27,320
or through another tool entirely.

955
00:31:27,320 --> 00:31:29,280
The policies exist. They apply.

956
00:31:29,280 --> 00:31:30,600
But they're not tightly integrated

957
00:31:30,600 --> 00:31:31,880
with your deployment workflow.

958
00:31:31,880 --> 00:31:35,120
There are separate concerns that happens to run against your resources.

959
00:31:35,120 --> 00:31:36,600
Some organizations bridge this gap

960
00:31:36,600 --> 00:31:38,000
with external policy engines.

961
00:31:38,000 --> 00:31:40,000
Sentinel if you're using Terraform Cloud.

962
00:31:40,000 --> 00:31:41,880
OPA if you want an open source option.

963
00:31:41,880 --> 00:31:43,520
These are policy as code engines

964
00:31:43,520 --> 00:31:46,160
that evaluate your Terraform plans before they apply.

965
00:31:46,160 --> 00:31:47,560
They add that prevention layer,

966
00:31:47,560 --> 00:31:48,600
but they're another tool.

967
00:31:48,600 --> 00:31:50,160
They're another system to maintain.

968
00:31:50,160 --> 00:31:51,520
They add complexity.

969
00:31:51,520 --> 00:31:54,080
When Azure Policy Violation Surface after deployment,

970
00:31:54,080 --> 00:31:55,520
there's also a cost to fixing them.

971
00:31:55,520 --> 00:31:56,760
You have to update your code.

972
00:31:56,760 --> 00:31:57,840
You have to redeploy.

973
00:31:57,840 --> 00:31:59,840
If the policy has a remediation action,

974
00:31:59,840 --> 00:32:01,840
resources might get automatically fixed,

975
00:32:01,840 --> 00:32:04,000
but you still had a moment of non-compliance.

976
00:32:04,000 --> 00:32:06,240
You still had resources in a bad state.

977
00:32:06,240 --> 00:32:07,440
In regulated industries,

978
00:32:07,440 --> 00:32:09,480
that moment might require documentation.

979
00:32:09,480 --> 00:32:11,320
It might require incident reporting.

980
00:32:11,320 --> 00:32:14,080
It might trigger audits, fewer failed deployments,

981
00:32:14,080 --> 00:32:16,080
faster feedback, tighter control.

982
00:32:16,080 --> 00:32:17,240
That's what you get when governance

983
00:32:17,240 --> 00:32:19,560
is integrated into the deployment platform itself,

984
00:32:19,560 --> 00:32:20,960
not bolted on afterward.

985
00:32:20,960 --> 00:32:22,720
The practical impact is that bicep teams

986
00:32:22,720 --> 00:32:24,640
spend less time fighting compliance.

987
00:32:24,640 --> 00:32:26,520
Terraform teams spend more time managing

988
00:32:26,520 --> 00:32:29,280
the gap between code validation and governance enforcement.

989
00:32:29,280 --> 00:32:31,440
Both deployments eventually become compliant.

990
00:32:31,440 --> 00:32:33,240
The mechanisms ensure that.

991
00:32:33,240 --> 00:32:34,440
But the path there is different.

992
00:32:34,440 --> 00:32:37,400
One prevents violations, one discovers and remediates them.

993
00:32:37,400 --> 00:32:39,200
Which model you prefer depends on your tolerance

994
00:32:39,200 --> 00:32:40,520
for non-compliant resources,

995
00:32:40,520 --> 00:32:42,240
existing momentarily and your willingness

996
00:32:42,240 --> 00:32:44,360
to maintain external policy engines.

997
00:32:44,360 --> 00:32:45,440
Both are valid choices.

998
00:32:45,440 --> 00:32:46,960
Neither is categorically better,

999
00:32:46,960 --> 00:32:48,160
but they're structurally different

1000
00:32:48,160 --> 00:32:49,880
in how they handle governance.

1001
00:32:49,880 --> 00:32:51,560
The cost of operational complexity.

1002
00:32:51,560 --> 00:32:53,280
Here's what nobody quantifies clearly

1003
00:32:53,280 --> 00:32:54,600
when they're pitching Terraform.

1004
00:32:54,600 --> 00:32:57,360
The infrastructure you build to run Terraform isn't free.

1005
00:32:57,360 --> 00:32:59,720
It has cost, it has operational surface area,

1006
00:32:59,720 --> 00:33:00,760
it has failure modes.

1007
00:33:00,760 --> 00:33:03,600
Every component you add to make Terraform work reliably

1008
00:33:03,600 --> 00:33:05,560
introduces another thing that can break.

1009
00:33:05,560 --> 00:33:06,760
You need a remote backend.

1010
00:33:06,760 --> 00:33:08,400
That's a storage account or S3 bucket

1011
00:33:08,400 --> 00:33:10,120
or Terraform cloud subscription.

1012
00:33:10,120 --> 00:33:11,640
That backend needs encryption.

1013
00:33:11,640 --> 00:33:13,160
It needs versioning, it needs backup.

1014
00:33:13,160 --> 00:33:14,240
Someone has to monitor it.

1015
00:33:14,240 --> 00:33:16,600
If the backend goes down, Terraform can't work.

1016
00:33:16,600 --> 00:33:19,400
If the backend gets corrupted, Terraform can't work.

1017
00:33:19,400 --> 00:33:20,800
You've added a critical dependency.

1018
00:33:20,800 --> 00:33:23,600
You need locking, blob leases or dynamo DB tables

1019
00:33:23,600 --> 00:33:24,840
or some other mechanism to prevent

1020
00:33:24,840 --> 00:33:26,680
concurrent corruption of the state file.

1021
00:33:26,680 --> 00:33:28,000
Locking adds latency.

1022
00:33:28,000 --> 00:33:29,200
Locking can time out.

1023
00:33:29,200 --> 00:33:31,400
Lock time outs are their own class of incident.

1024
00:33:31,400 --> 00:33:34,000
One engineer's Terraform run didn't finish properly.

1025
00:33:34,000 --> 00:33:35,200
The lock didn't clear.

1026
00:33:35,200 --> 00:33:36,880
Now everyone else is blocked.

1027
00:33:36,880 --> 00:33:38,520
Someone has to manually clear the lock.

1028
00:33:38,520 --> 00:33:39,520
That's operational work.

1029
00:33:39,520 --> 00:33:40,960
You need encryption, add rest,

1030
00:33:40,960 --> 00:33:43,640
and transit with key management with access policies.

1031
00:33:43,640 --> 00:33:46,520
Multiple teams probably need access to different state files.

1032
00:33:46,520 --> 00:33:48,680
So you're managing our back for the backend.

1033
00:33:48,680 --> 00:33:50,000
Add a second cloud provider

1034
00:33:50,000 --> 00:33:52,600
and you're managing encryption in our back in both places.

1035
00:33:52,600 --> 00:33:53,960
You need monitoring and alerting,

1036
00:33:53,960 --> 00:33:55,160
state backend performance,

1037
00:33:55,160 --> 00:33:56,600
state backend availability,

1038
00:33:56,600 --> 00:33:57,880
concurrent lock attempts,

1039
00:33:57,880 --> 00:34:00,320
failed deployments that leave locks in a bad state.

1040
00:34:00,320 --> 00:34:01,680
These don't monitor themselves.

1041
00:34:01,680 --> 00:34:03,680
You're adding observability infrastructure.

1042
00:34:03,680 --> 00:34:05,280
Each of these components is necessary.

1043
00:34:05,280 --> 00:34:08,320
None of them are optional if you want Terraform to work reliably.

1044
00:34:08,320 --> 00:34:10,800
But collectively, they represent operational complexity

1045
00:34:10,800 --> 00:34:13,480
that exists only because you chose to maintain

1046
00:34:13,480 --> 00:34:14,680
an external state file.

1047
00:34:14,680 --> 00:34:16,840
State corruption happens despite all this.

1048
00:34:16,840 --> 00:34:19,640
Concurrent runs sometimes don't coordinate properly.

1049
00:34:19,640 --> 00:34:21,880
Network failures interrupt applies midstream.

1050
00:34:21,880 --> 00:34:23,880
Misconfigured lock timeouts cause deadlocks

1051
00:34:23,880 --> 00:34:26,040
when the state file gets corrupted recovery is manual.

1052
00:34:26,040 --> 00:34:27,160
You're restoring from backup.

1053
00:34:27,160 --> 00:34:28,800
You're manually editing the state file

1054
00:34:28,800 --> 00:34:30,480
with Terraform state commands.

1055
00:34:30,480 --> 00:34:32,640
You're verifying that the state matches reality.

1056
00:34:32,640 --> 00:34:33,520
If you mess this up,

1057
00:34:33,520 --> 00:34:35,680
you delete production resources by accident.

1058
00:34:35,680 --> 00:34:36,840
This is not theoretical.

1059
00:34:36,840 --> 00:34:38,520
This is what happens in organizations

1060
00:34:38,520 --> 00:34:40,720
large enough to have Terraform at scale.

1061
00:34:40,720 --> 00:34:43,680
The real cost emerges when you ask who runs this.

1062
00:34:43,680 --> 00:34:45,680
Someone has to be the Terraform person.

1063
00:34:45,680 --> 00:34:48,040
Or more accurately, someone has to be the platform engineering

1064
00:34:48,040 --> 00:34:49,880
team that owns Terraform infrastructure.

1065
00:34:49,880 --> 00:34:51,680
In small organizations, that's one person.

1066
00:34:51,680 --> 00:34:54,440
In medium organizations, that's a team of two or three.

1067
00:34:54,440 --> 00:34:56,880
In large organizations, that's a full platform engineering group.

1068
00:34:56,880 --> 00:34:57,600
Why?

1069
00:34:57,600 --> 00:34:59,800
Because Terraform requires operational oversight

1070
00:34:59,800 --> 00:35:01,640
that regular infrastructure doesn't.

1071
00:35:01,640 --> 00:35:02,920
You're not just deploying things.

1072
00:35:02,920 --> 00:35:05,240
You're managing the system that manages deployments.

1073
00:35:05,240 --> 00:35:06,680
You're tuning backend performance.

1074
00:35:06,680 --> 00:35:08,440
You're responding to lock failures.

1075
00:35:08,440 --> 00:35:10,120
You're recovering from state corruption.

1076
00:35:10,120 --> 00:35:12,440
You're managing authentication to the backend.

1077
00:35:12,440 --> 00:35:14,200
You're updating provider versions.

1078
00:35:14,200 --> 00:35:15,920
You're maintaining Terraform modules.

1079
00:35:15,920 --> 00:35:18,680
You're handling questions about can I do X with Terraform?

1080
00:35:18,680 --> 00:35:22,320
This is invisible to executives who see we're using IAC

1081
00:35:22,320 --> 00:35:25,040
and assume they've scaled their infrastructure automation.

1082
00:35:25,040 --> 00:35:25,560
They haven't.

1083
00:35:25,560 --> 00:35:27,000
They've built a second infrastructure

1084
00:35:27,000 --> 00:35:29,400
that requires dedicated engineering to operate.

1085
00:35:29,400 --> 00:35:31,080
Bicep doesn't have this problem.

1086
00:35:31,080 --> 00:35:32,400
Azure handles state.

1087
00:35:32,400 --> 00:35:34,000
It handles consistency.

1088
00:35:34,000 --> 00:35:35,320
It handles locking.

1089
00:35:35,320 --> 00:35:36,640
It handles recovery.

1090
00:35:36,640 --> 00:35:38,320
Your responsibility is the code.

1091
00:35:38,320 --> 00:35:39,880
Azure handles everything else.

1092
00:35:39,880 --> 00:35:42,080
This doesn't require a platform engineering team.

1093
00:35:42,080 --> 00:35:44,840
It requires people who understand Azure and can write bicep.

1094
00:35:44,840 --> 00:35:46,280
That's a different skill set.

1095
00:35:46,280 --> 00:35:48,440
A smaller team can operate bicep effectively

1096
00:35:48,440 --> 00:35:50,560
because the operational complexity is delegated

1097
00:35:50,560 --> 00:35:51,320
to the platform.

1098
00:35:51,320 --> 00:35:53,320
This has organizational implications.

1099
00:35:53,320 --> 00:35:56,640
Organizations using Terraform need platform engineering people.

1100
00:35:56,640 --> 00:35:58,800
Organizations using bicep can distribute

1101
00:35:58,800 --> 00:36:01,520
Terraform responsibilities across standard Azure operations

1102
00:36:01,520 --> 00:36:02,200
teams.

1103
00:36:02,200 --> 00:36:03,680
The difference in headcount is real.

1104
00:36:03,680 --> 00:36:06,040
The difference in hiring difficulty is real.

1105
00:36:06,040 --> 00:36:08,360
Smaller teams can operate bicep effectively

1106
00:36:08,360 --> 00:36:09,600
with standard Azure skills.

1107
00:36:09,600 --> 00:36:11,640
Larger teams running Terraform have to hire people

1108
00:36:11,640 --> 00:36:13,320
who specialize in Terraform operations.

1109
00:36:13,320 --> 00:36:14,320
That's a rare skill set.

1110
00:36:14,320 --> 00:36:15,440
It's harder to hire for.

1111
00:36:15,440 --> 00:36:16,680
It's more expensive.

1112
00:36:16,680 --> 00:36:19,000
The hidden cost of Terraform isn't the tool.

1113
00:36:19,000 --> 00:36:20,520
It's the people you have to hire

1114
00:36:20,520 --> 00:36:22,360
to keep the tool working reliably.

1115
00:36:22,360 --> 00:36:24,000
The skill set divergence.

1116
00:36:24,000 --> 00:36:25,880
The skills Terraform demands are different

1117
00:36:25,880 --> 00:36:27,080
from what bicep demands.

1118
00:36:27,080 --> 00:36:29,360
And that difference matters more than most organizations

1119
00:36:29,360 --> 00:36:31,960
realize when they're evaluating which tool to adopt.

1120
00:36:31,960 --> 00:36:34,760
Terraform expertise requires understanding several layers.

1121
00:36:34,760 --> 00:36:37,600
You need to know HCL, the Terraform language.

1122
00:36:37,600 --> 00:36:39,320
You need to understand how providers work

1123
00:36:39,320 --> 00:36:40,720
and how to evaluate them.

1124
00:36:40,720 --> 00:36:42,880
You need to understand state management patterns.

1125
00:36:42,880 --> 00:36:44,920
You need to understand how to structure modules

1126
00:36:44,920 --> 00:36:47,000
for reuse across multiple clouds.

1127
00:36:47,000 --> 00:36:48,720
You need to know how to handle provider

1128
00:36:48,720 --> 00:36:50,560
versioning and dependency management

1129
00:36:50,560 --> 00:36:53,000
across an ecosystem of 100 plus providers.

1130
00:36:53,000 --> 00:36:56,280
You need to troubleshoot state corruption and lock failures.

1131
00:36:56,280 --> 00:36:57,960
You need to design back end strategies

1132
00:36:57,960 --> 00:37:00,120
that work across different cloud providers

1133
00:37:00,120 --> 00:37:02,080
with different authentication mechanisms.

1134
00:37:02,080 --> 00:37:03,320
This is a complete skill set.

1135
00:37:03,320 --> 00:37:05,240
It's also a two focused skill set.

1136
00:37:05,240 --> 00:37:06,840
You're becoming an expert in Terraform.

1137
00:37:06,840 --> 00:37:08,840
You're becoming skilled at orchestrating multiple clouds

1138
00:37:08,840 --> 00:37:10,400
through a single abstraction layer.

1139
00:37:10,400 --> 00:37:13,240
You're becoming good at the meta task of managing a system

1140
00:37:13,240 --> 00:37:14,760
that manages infrastructure.

1141
00:37:14,760 --> 00:37:16,600
Bicep expertise is different.

1142
00:37:16,600 --> 00:37:19,720
You need to know bicep syntax, which is simpler than HCL.

1143
00:37:19,720 --> 00:37:21,560
You need to understand Azure resource manager,

1144
00:37:21,560 --> 00:37:24,480
how it actually works, what it does, what it can and can't do.

1145
00:37:24,480 --> 00:37:26,480
You need to understand ARM templates

1146
00:37:26,480 --> 00:37:27,960
because bicep compiles to ARM.

1147
00:37:27,960 --> 00:37:29,720
You need to know Azure services deeply.

1148
00:37:29,720 --> 00:37:31,680
You need to understand RBIAC in Azure.

1149
00:37:31,680 --> 00:37:33,880
You need to understand how Azure policy works.

1150
00:37:33,880 --> 00:37:35,200
You need to understand networking

1151
00:37:35,200 --> 00:37:37,920
in Azure identity in Azure security in Azure.

1152
00:37:37,920 --> 00:37:40,000
You need to understand what each Azure service

1153
00:37:40,000 --> 00:37:42,480
actually does and how it integrates with other services.

1154
00:37:42,480 --> 00:37:43,920
This is also a complete skill set.

1155
00:37:43,920 --> 00:37:45,720
But it's a platform focused skill set.

1156
00:37:45,720 --> 00:37:47,520
You're becoming an expert in Azure.

1157
00:37:47,520 --> 00:37:50,080
You're becoming skilled at using the platform's capabilities

1158
00:37:50,080 --> 00:37:50,960
effectively.

1159
00:37:50,960 --> 00:37:52,600
You're becoming good at the actual task

1160
00:37:52,600 --> 00:37:53,960
of deploying infrastructure.

1161
00:37:53,960 --> 00:37:56,080
Here's where the portability disappears.

1162
00:37:56,080 --> 00:37:58,360
People assume Terraform skills transfer.

1163
00:37:58,360 --> 00:37:59,320
You learn Terraform.

1164
00:37:59,320 --> 00:38:01,440
You can use it on AWS, Azure and GCP.

1165
00:38:01,440 --> 00:38:02,520
You can move between clouds.

1166
00:38:02,520 --> 00:38:03,800
Your skills are portable.

1167
00:38:03,800 --> 00:38:05,760
But they're only portable at the tool level.

1168
00:38:05,760 --> 00:38:07,160
The moment you move to a different cloud,

1169
00:38:07,160 --> 00:38:08,360
your code doesn't move.

1170
00:38:08,360 --> 00:38:10,160
Your architectural knowledge doesn't move.

1171
00:38:10,160 --> 00:38:11,320
You know how to write Terraform.

1172
00:38:11,320 --> 00:38:14,720
You don't know how AWS actually works or how GCP actually works.

1173
00:38:14,720 --> 00:38:16,400
You have to learn the services again.

1174
00:38:16,400 --> 00:38:18,800
You have to learn the resource patterns for each cloud.

1175
00:38:18,800 --> 00:38:20,480
You have to learn the naming conventions

1176
00:38:20,480 --> 00:38:22,600
and best practices for each ecosystem.

1177
00:38:22,600 --> 00:38:23,560
So you're portable.

1178
00:38:23,560 --> 00:38:25,280
But your infrastructure knowledge isn't.

1179
00:38:25,280 --> 00:38:28,000
Someone with deep bicep and Azure expertise is the opposite.

1180
00:38:28,000 --> 00:38:30,720
They can't move to AWS and take their bicep skills with them.

1181
00:38:30,720 --> 00:38:32,600
bicep only works on Azure.

1182
00:38:32,600 --> 00:38:34,160
But their knowledge of how Azure works,

1183
00:38:34,160 --> 00:38:35,520
how to design systems on Azure,

1184
00:38:35,520 --> 00:38:37,760
how to use Azure's native capabilities effectively.

1185
00:38:37,760 --> 00:38:39,080
That's valuable and durable.

1186
00:38:39,080 --> 00:38:40,280
That expertise ages well.

1187
00:38:40,280 --> 00:38:42,120
That person is genuinely expert in Azure,

1188
00:38:42,120 --> 00:38:44,080
not generically competent on multiple clouds.

1189
00:38:44,080 --> 00:38:45,520
The hiring market reflects this.

1190
00:38:45,520 --> 00:38:47,560
Terraform expertise is more widely known.

1191
00:38:47,560 --> 00:38:48,520
More people have used it.

1192
00:38:48,520 --> 00:38:50,920
More people can show you Terraform code on their resume.

1193
00:38:50,920 --> 00:38:53,880
So finding people who know Terraform is easier, they're more common.

1194
00:38:53,880 --> 00:38:55,200
But common skills are cheaper.

1195
00:38:55,200 --> 00:38:56,400
They're easier to replace.

1196
00:38:56,400 --> 00:38:59,120
The market can monetize the skills that many people have.

1197
00:38:59,120 --> 00:39:00,840
Bicep expertise is rarer.

1198
00:39:00,840 --> 00:39:02,600
Fewer people have worked with it deeply.

1199
00:39:02,600 --> 00:39:04,600
The people who have tend to be Azure focused,

1200
00:39:04,600 --> 00:39:06,600
which means they've invested in learning the platform.

1201
00:39:06,600 --> 00:39:07,800
That's harder to replace.

1202
00:39:07,800 --> 00:39:09,680
That expertise is less commoditized.

1203
00:39:09,680 --> 00:39:12,560
And the market pays better for skills that are harder to find.

1204
00:39:12,560 --> 00:39:14,440
This creates a career trajectory question.

1205
00:39:14,440 --> 00:39:15,560
Do you want to be the person

1206
00:39:15,560 --> 00:39:18,480
who's good at orchestrating infrastructure across multiple clouds?

1207
00:39:18,480 --> 00:39:20,680
Or do you want to be the person who's genuinely expert

1208
00:39:20,680 --> 00:39:23,400
in one cloud and can design sophisticated systems

1209
00:39:23,400 --> 00:39:24,320
on that platform?

1210
00:39:24,320 --> 00:39:26,800
The second path tends to pay better long term.

1211
00:39:26,800 --> 00:39:28,560
Because you're not maintaining tool expertise,

1212
00:39:28,560 --> 00:39:31,160
your building platform expertise, that compounds.

1213
00:39:31,160 --> 00:39:33,800
That becomes increasingly valuable as your cloud grows.

1214
00:39:33,800 --> 00:39:35,800
Team alignment follows the same pattern.

1215
00:39:35,800 --> 00:39:37,600
Your terraform skills align with your tool.

1216
00:39:37,600 --> 00:39:40,320
Your bicep skills align with your infrastructure,

1217
00:39:40,320 --> 00:39:41,680
where you invest matters.

1218
00:39:41,680 --> 00:39:44,600
The open tofu question, when licensing becomes governance,

1219
00:39:44,600 --> 00:39:46,320
this is where your ISE choice stops being

1220
00:39:46,320 --> 00:39:47,560
just a technical decision.

1221
00:39:47,560 --> 00:39:50,280
In 2023, Hashikop changed terraform's license.

1222
00:39:50,280 --> 00:39:53,560
They moved from MPL 2.0, a permissive open source license

1223
00:39:53,560 --> 00:39:55,440
that lets anyone use the software for anything

1224
00:39:55,440 --> 00:39:57,040
to the business source license.

1225
00:39:57,040 --> 00:39:58,720
BSL is a source available license

1226
00:39:58,720 --> 00:40:00,600
that restricts commercial competitive use.

1227
00:40:00,600 --> 00:40:02,040
You can read the code.

1228
00:40:02,040 --> 00:40:04,280
You can't build a competing product on top of it.

1229
00:40:04,280 --> 00:40:06,320
You can't use it to deliver infrastructure as a service

1230
00:40:06,320 --> 00:40:09,040
as a business unless you pay Hashikop for a commercial license.

1231
00:40:09,040 --> 00:40:10,840
The community responded by forking.

1232
00:40:10,840 --> 00:40:12,360
Open tofu is that fork.

1233
00:40:12,360 --> 00:40:15,360
It's the same code-based terraform was before the license change.

1234
00:40:15,360 --> 00:40:18,160
Same HCL syntax, same provider ecosystem,

1235
00:40:18,160 --> 00:40:19,920
same state model, same everything.

1236
00:40:19,920 --> 00:40:20,760
The only difference?

1237
00:40:20,760 --> 00:40:22,320
It's governed by the Linux Foundation

1238
00:40:22,320 --> 00:40:24,920
as an open source project under MPL 2.0.

1239
00:40:24,920 --> 00:40:26,240
That license is always I approved.

1240
00:40:26,240 --> 00:40:29,360
It means anyone can do anything with the code without restrictions.

1241
00:40:29,360 --> 00:40:32,360
By 2026, Open tofu is capturing a meaningful piece

1242
00:40:32,360 --> 00:40:34,240
of new infrastructure projects.

1243
00:40:34,240 --> 00:40:37,480
Estimates put it at about 35% of new IAC projects

1244
00:40:37,480 --> 00:40:39,560
up from roughly 10% in 2024.

1245
00:40:39,560 --> 00:40:40,600
That's not a small number.

1246
00:40:40,600 --> 00:40:42,720
That's a structural shift happening in real time.

1247
00:40:42,720 --> 00:40:45,000
The governance change is what drives this adoption,

1248
00:40:45,000 --> 00:40:46,560
not feature parity.

1249
00:40:46,560 --> 00:40:49,480
Open tofu is technically equivalent to terraform at this point.

1250
00:40:49,480 --> 00:40:52,400
They're close enough that switching between them is straightforward.

1251
00:40:52,400 --> 00:40:54,120
But the licensing difference changes

1252
00:40:54,120 --> 00:40:56,840
who controls your infrastructure orchestration tool.

1253
00:40:56,840 --> 00:40:59,480
With terraform, Hashikop, now owned by IBM,

1254
00:40:59,480 --> 00:41:00,920
controls what happens next.

1255
00:41:00,920 --> 00:41:02,320
If they change the license further,

1256
00:41:02,320 --> 00:41:04,840
if they decide to monetize features you currently use.

1257
00:41:04,840 --> 00:41:07,640
If they sunset community providers in favor of paid ones,

1258
00:41:07,640 --> 00:41:10,480
you're dependent on a corporation's strategic decisions.

1259
00:41:10,480 --> 00:41:12,720
That dependency is fine if you trust the corporation

1260
00:41:12,720 --> 00:41:14,480
and their incentives align with yours.

1261
00:41:14,480 --> 00:41:16,840
But some organizations don't want that dependency.

1262
00:41:16,840 --> 00:41:18,840
EU procurement laws increasingly prefer

1263
00:41:18,840 --> 00:41:22,680
OSI-approved licenses for critical infrastructure software.

1264
00:41:22,680 --> 00:41:25,840
Governments want to know they can fork the tool if they need to.

1265
00:41:25,840 --> 00:41:28,640
They want to know they're not dependent on a vendor's goodwill.

1266
00:41:28,640 --> 00:41:29,920
They want legal certainty

1267
00:41:29,920 --> 00:41:32,560
that the tool will always be available under the same terms.

1268
00:41:32,560 --> 00:41:33,840
Open tofu provides that.

1269
00:41:33,840 --> 00:41:35,800
Terraform doesn't.

1270
00:41:35,800 --> 00:41:37,760
Regulated industries care about this too.

1271
00:41:37,760 --> 00:41:40,000
Financial institutions, healthcare organizations

1272
00:41:40,000 --> 00:41:42,160
and utilities are moving toward open tofu

1273
00:41:42,160 --> 00:41:45,600
for new projects, specifically because of the licensing model.

1274
00:41:45,600 --> 00:41:48,720
They want open source guarantees, not source available arrangements.

1275
00:41:48,720 --> 00:41:50,400
It's not that terraform is bad.

1276
00:41:50,400 --> 00:41:52,920
It's that they want legal certainty about their tooling.

1277
00:41:52,920 --> 00:41:54,600
This creates an interesting tension.

1278
00:41:54,600 --> 00:41:57,240
Organizations with substantial existing terraform investments

1279
00:41:57,240 --> 00:41:58,560
keep using terraform.

1280
00:41:58,560 --> 00:42:00,160
Migration is expensive.

1281
00:42:00,160 --> 00:42:01,760
Migration is disruptive.

1282
00:42:01,760 --> 00:42:03,880
The licensing model isn't a blocker if you've already

1283
00:42:03,880 --> 00:42:05,520
built your platform on terraform.

1284
00:42:05,520 --> 00:42:06,800
You'll probably keep running it.

1285
00:42:06,800 --> 00:42:09,520
But new projects increasingly start on open tofu.

1286
00:42:09,520 --> 00:42:11,240
Organizations are deliberately choosing

1287
00:42:11,240 --> 00:42:13,560
to adopt open tofu for Greenfield infrastructure

1288
00:42:13,560 --> 00:42:16,280
to avoid creating new dependencies on BSL licensing.

1289
00:42:16,280 --> 00:42:18,040
Some organizations are running both.

1290
00:42:18,040 --> 00:42:20,840
Terraform for legacy systems, open tofu for new ones.

1291
00:42:20,840 --> 00:42:23,280
They're hedging, they're keeping optionality.

1292
00:42:23,280 --> 00:42:25,280
This dual engine approach is becoming standard

1293
00:42:25,280 --> 00:42:26,520
in larger organizations.

1294
00:42:26,520 --> 00:42:27,640
You maintain what you have.

1295
00:42:27,640 --> 00:42:30,360
You build new things with what you prefer strategically.

1296
00:42:30,360 --> 00:42:32,040
Bicep sidesteps this entirely.

1297
00:42:32,040 --> 00:42:33,520
Bicep is MIT licensed.

1298
00:42:33,520 --> 00:42:34,600
MIT is permissive.

1299
00:42:34,600 --> 00:42:36,280
It's open source without restrictions.

1300
00:42:36,280 --> 00:42:37,560
There's no license conversation.

1301
00:42:37,560 --> 00:42:38,600
There's no governance risk.

1302
00:42:38,600 --> 00:42:40,160
Microsoft publishes the code.

1303
00:42:40,160 --> 00:42:40,840
You use it.

1304
00:42:40,840 --> 00:42:42,720
If Microsoft ever changes course,

1305
00:42:42,720 --> 00:42:45,080
the last open source version will be usable forever

1306
00:42:45,080 --> 00:42:46,240
under the MIT license.

1307
00:42:46,240 --> 00:42:47,440
That's not theoretical protection.

1308
00:42:47,440 --> 00:42:49,240
That's how open source licensing works.

1309
00:42:49,240 --> 00:42:51,720
This licensing clarity is becoming a competitive advantage

1310
00:42:51,720 --> 00:42:52,520
for bicep.

1311
00:42:52,520 --> 00:42:55,160
Organizations evaluating IAC tools are now asking

1312
00:42:55,160 --> 00:42:56,840
licensing questions upfront.

1313
00:42:56,840 --> 00:42:58,640
Is this too going to be free forever?

1314
00:42:58,640 --> 00:43:00,080
Can we fork it if we need to?

1315
00:43:00,080 --> 00:43:01,920
Can we build on top of it without legal risk?

1316
00:43:01,920 --> 00:43:02,960
Terraform's answer is no.

1317
00:43:02,960 --> 00:43:04,120
Open tofu's answer is yes.

1318
00:43:04,120 --> 00:43:05,360
Bicep's answer is yes.

1319
00:43:05,360 --> 00:43:06,680
That's not a technical difference.

1320
00:43:06,680 --> 00:43:07,840
That's a strategic difference.

1321
00:43:07,840 --> 00:43:10,280
Your IAC tool choice is now a governance decision.

1322
00:43:10,280 --> 00:43:11,520
It's about long term control.

1323
00:43:11,520 --> 00:43:12,800
It's about whether you're comfortable

1324
00:43:12,800 --> 00:43:14,920
being dependent on a vendor's licensing model

1325
00:43:14,920 --> 00:43:16,400
or whether you want the certainty

1326
00:43:16,400 --> 00:43:17,760
that open source provides.

1327
00:43:17,760 --> 00:43:19,040
Neither choice is wrong,

1328
00:43:19,040 --> 00:43:21,000
but it's a choice your board and your legal team

1329
00:43:21,000 --> 00:43:22,040
should understand.

1330
00:43:22,040 --> 00:43:24,240
Because unlike a technical tool evaluation,

1331
00:43:24,240 --> 00:43:26,440
licensing has consequences that last for years.

1332
00:43:27,440 --> 00:43:29,360
The multi-team coordination problem.

1333
00:43:29,360 --> 00:43:31,880
The moment you add a second team is when the state file problem

1334
00:43:31,880 --> 00:43:33,480
becomes a coordination problem.

1335
00:43:33,480 --> 00:43:35,840
In a small organization, one team owns Terraform.

1336
00:43:35,840 --> 00:43:37,080
They deploy infrastructure.

1337
00:43:37,080 --> 00:43:38,680
The state file sits in a back end.

1338
00:43:38,680 --> 00:43:39,800
Nobody else touches it.

1339
00:43:39,800 --> 00:43:40,560
This works.

1340
00:43:40,560 --> 00:43:41,840
Life is simple.

1341
00:43:41,840 --> 00:43:43,360
Then your organization grows.

1342
00:43:43,360 --> 00:43:45,920
You hire a second platform team, a networking team,

1343
00:43:45,920 --> 00:43:46,880
a security team.

1344
00:43:46,880 --> 00:43:49,120
Different teams need to deploy different resources.

1345
00:43:49,120 --> 00:43:51,080
They all need to touch the same infrastructure.

1346
00:43:51,080 --> 00:43:53,840
Now they all need to share access to the same state file.

1347
00:43:53,840 --> 00:43:55,320
This is where things get complicated.

1348
00:43:55,320 --> 00:43:57,440
Terraform has workspaces to handle this.

1349
00:43:57,440 --> 00:43:58,720
You can have separate state files

1350
00:43:58,720 --> 00:44:01,520
per environment, DevState, StagingState, ProDState.

1351
00:44:01,520 --> 00:44:02,920
Each workspace is isolated.

1352
00:44:02,920 --> 00:44:05,480
Teams working on Dev can't accidentally corrupt the ProDState.

1353
00:44:05,480 --> 00:44:06,320
That's helpful.

1354
00:44:06,320 --> 00:44:08,200
But it's only isolation at the environment level.

1355
00:44:08,200 --> 00:44:09,920
Within a single environment,

1356
00:44:09,920 --> 00:44:11,360
if multiple teams are deploying,

1357
00:44:11,360 --> 00:44:13,080
they're still sharing a state file.

1358
00:44:13,080 --> 00:44:15,480
Team A is deploying networking changes.

1359
00:44:15,480 --> 00:44:19,120
Team B is deploying compute resources in the same environment.

1360
00:44:19,120 --> 00:44:20,960
Both are talking to the same state file.

1361
00:44:20,960 --> 00:44:23,480
If they run Terraform apply at the same time,

1362
00:44:23,480 --> 00:44:26,000
the locking mechanism is supposed to prevent corruption.

1363
00:44:26,000 --> 00:44:28,520
One applies first, the other waits for the lock to clear,

1364
00:44:28,520 --> 00:44:29,520
then it applies.

1365
00:44:29,520 --> 00:44:31,000
In theory, this works perfectly.

1366
00:44:31,000 --> 00:44:32,440
In practice, timeouts happen.

1367
00:44:32,440 --> 00:44:33,720
Network failures happen.

1368
00:44:33,720 --> 00:44:35,240
Locks don't clear cleanly.

1369
00:44:35,240 --> 00:44:37,440
One team's apply gets interrupted midway through,

1370
00:44:37,440 --> 00:44:39,800
leaving the state file in an inconsistent state.

1371
00:44:39,800 --> 00:44:40,960
The lock doesn't clear.

1372
00:44:40,960 --> 00:44:42,080
Now the other team is blocked.

1373
00:44:42,080 --> 00:44:43,840
Someone has to manually clear the lock.

1374
00:44:43,840 --> 00:44:45,000
That's operational work.

1375
00:44:45,000 --> 00:44:46,680
That's someone getting paged at 3am

1376
00:44:46,680 --> 00:44:48,600
because a lock didn't clear cleanly.

1377
00:44:48,600 --> 00:44:50,280
That's troubleshooting state corruption

1378
00:44:50,280 --> 00:44:53,040
while the rest of the team is blocked waiting for their deployment.

1379
00:44:53,040 --> 00:44:54,440
State locking prevents corruption,

1380
00:44:54,440 --> 00:44:56,280
but doesn't prevent logical conflicts.

1381
00:44:56,280 --> 00:44:59,880
Team A and Team B are both applying changes to the same resource group.

1382
00:44:59,880 --> 00:45:01,400
They're not modifying the same resource.

1383
00:45:01,400 --> 00:45:02,760
They're modifying different things.

1384
00:45:02,760 --> 00:45:04,960
But they're both talking to the same state back end

1385
00:45:04,960 --> 00:45:07,400
and something in that coordination goes sideways.

1386
00:45:07,400 --> 00:45:10,680
Maybe Team A's change depends on a network configuration

1387
00:45:10,680 --> 00:45:12,520
that Team B is also modifying.

1388
00:45:12,520 --> 00:45:15,920
Maybe Team A creates a subnet that Team B tried to create at the same time.

1389
00:45:15,920 --> 00:45:18,480
The resources get created, the state file gets updated,

1390
00:45:18,480 --> 00:45:20,480
but now the intended configuration is wrong

1391
00:45:20,480 --> 00:45:22,400
because the teams didn't coordinate their changes.

1392
00:45:22,400 --> 00:45:24,160
You can't prevent this with better locking.

1393
00:45:24,160 --> 00:45:25,680
You prevent this with process.

1394
00:45:25,680 --> 00:45:26,840
Teams have to coordinate.

1395
00:45:26,840 --> 00:45:28,640
They have to know what the other teams are doing.

1396
00:45:28,640 --> 00:45:31,360
They have to schedule their deployments so they don't collide.

1397
00:45:31,360 --> 00:45:32,640
That's operational overhead.

1398
00:45:32,640 --> 00:45:33,520
That's meetings.

1399
00:45:33,520 --> 00:45:34,720
That's change windows.

1400
00:45:34,720 --> 00:45:35,640
That's friction.

1401
00:45:35,640 --> 00:45:38,480
The coordination overhead grows exponentially as you add teams.

1402
00:45:38,480 --> 00:45:40,600
Two teams need to coordinate deployments occasionally.

1403
00:45:40,600 --> 00:45:42,280
Three teams need more coordination.

1404
00:45:42,280 --> 00:45:44,120
Five teams need constant coordination.

1405
00:45:44,120 --> 00:45:46,840
Ten teams need a whole separate coordination function

1406
00:45:46,840 --> 00:45:48,880
just to make sure deployments don't collide.

1407
00:45:48,880 --> 00:45:50,240
Bicep doesn't have this problem

1408
00:45:50,240 --> 00:45:52,800
because there's no shared state to coordinate around.

1409
00:45:52,800 --> 00:45:56,200
Each team sends their bicep code to ARM independently.

1410
00:45:56,200 --> 00:45:58,040
Team A deploys, Team B deploys.

1411
00:45:58,040 --> 00:46:00,480
They're both talking to the same control plane, ARM,

1412
00:46:00,480 --> 00:46:03,120
but they're not fighting over a shared state file.

1413
00:46:03,120 --> 00:46:05,440
ARM figures out what each team is asking for.

1414
00:46:05,440 --> 00:46:08,320
ARM figures out if there are conflicts, ARM resolves them

1415
00:46:08,320 --> 00:46:10,560
according to the order the requests arrive.

1416
00:46:10,560 --> 00:46:12,920
Teams don't need to coordinate deployment windows.

1417
00:46:12,920 --> 00:46:14,960
Teams don't need to schedule their changes.

1418
00:46:14,960 --> 00:46:16,880
Teams don't need to avoid stepping on each other.

1419
00:46:16,880 --> 00:46:18,960
Team autonomy changes operationally.

1420
00:46:18,960 --> 00:46:20,920
Smaller teams can own their infrastructure

1421
00:46:20,920 --> 00:46:22,320
without global coordination.

1422
00:46:22,320 --> 00:46:24,600
A team can decide to deploy infrastructure on Tuesday

1423
00:46:24,600 --> 00:46:26,960
without checking whether another team is deploying Wednesday.

1424
00:46:26,960 --> 00:46:28,880
They just deploy, ARM handles it.

1425
00:46:28,880 --> 00:46:30,480
Scaling becomes a different problem.

1426
00:46:30,480 --> 00:46:33,760
With Terraform, Scaling means managing coordination overhead.

1427
00:46:33,760 --> 00:46:35,280
Your adding process, adding meetings,

1428
00:46:35,280 --> 00:46:38,240
adding communication channels, the operational burden grows.

1429
00:46:38,240 --> 00:46:40,280
With bicep, Scaling means adding more teams.

1430
00:46:40,280 --> 00:46:41,840
The platform handles the concurrency.

1431
00:46:41,840 --> 00:46:43,320
The coordination overhead doesn't grow

1432
00:46:43,320 --> 00:46:45,840
because there is no shared state to coordinate.

1433
00:46:45,840 --> 00:46:48,360
This coordination complexity becomes critical

1434
00:46:48,360 --> 00:46:50,440
when you're running large organizations.

1435
00:46:50,440 --> 00:46:51,920
When you have dozens of teams deploying

1436
00:46:51,920 --> 00:46:53,480
to the same Azure environment,

1437
00:46:53,480 --> 00:46:56,200
when you have infrastructure that multiple teams depend on,

1438
00:46:56,200 --> 00:46:59,200
when you need autonomy but can't afford coordination meetings,

1439
00:46:59,200 --> 00:47:01,600
one model centralizes control into the state file

1440
00:47:01,600 --> 00:47:03,560
which creates coordination requirements,

1441
00:47:03,560 --> 00:47:05,640
the other distributes control to the platform

1442
00:47:05,640 --> 00:47:07,200
which eliminates them.

1443
00:47:07,200 --> 00:47:09,360
The regulatory and audit alignment.

1444
00:47:09,360 --> 00:47:12,520
When regulators show up, they want one thing above all else.

1445
00:47:12,520 --> 00:47:13,200
Proof.

1446
00:47:13,200 --> 00:47:15,520
They want to know who changed what, when it happened,

1447
00:47:15,520 --> 00:47:17,720
why it happened, they want a traceable path

1448
00:47:17,720 --> 00:47:19,800
from decision to deployment to current state.

1449
00:47:19,800 --> 00:47:22,440
They want evidence that the change went through the proper controls.

1450
00:47:22,440 --> 00:47:24,080
They want to know that whoever made the change

1451
00:47:24,080 --> 00:47:25,080
was authorized to make it.

1452
00:47:25,080 --> 00:47:25,680
That's audit.

1453
00:47:25,680 --> 00:47:27,360
That's the currency of regulated industries.

1454
00:47:27,360 --> 00:47:30,240
Terraform and bicep answer these requirements differently.

1455
00:47:30,240 --> 00:47:32,280
Terraform's advantage here is explicit.

1456
00:47:32,280 --> 00:47:33,680
The state file is a ledger.

1457
00:47:33,680 --> 00:47:36,400
It records every resource Terraform is managing.

1458
00:47:36,400 --> 00:47:38,520
It records the configuration of each resource.

1459
00:47:38,520 --> 00:47:40,840
If you version your state back and properly

1460
00:47:40,840 --> 00:47:43,280
and you should, you have complete version history.

1461
00:47:43,280 --> 00:47:45,800
You can see what the state file looked like six months ago.

1462
00:47:45,800 --> 00:47:47,400
You can see what change between then and now.

1463
00:47:47,400 --> 00:47:49,960
You can see who made each change by cross-referencing

1464
00:47:49,960 --> 00:47:51,280
with your git history.

1465
00:47:51,280 --> 00:47:52,720
The state file becomes evidence.

1466
00:47:52,720 --> 00:47:55,000
It becomes proof that your managing infrastructure

1467
00:47:55,000 --> 00:47:57,520
according to code, not making random console changes.

1468
00:47:57,520 --> 00:47:59,440
This is what regulators want to see.

1469
00:47:59,440 --> 00:48:00,840
When a compliance auditor asks,

1470
00:48:00,840 --> 00:48:02,960
how do I know this database is encrypted?

1471
00:48:02,960 --> 00:48:04,440
You can show them the state file.

1472
00:48:04,440 --> 00:48:05,200
There it is.

1473
00:48:05,200 --> 00:48:06,240
Encryption enabled.

1474
00:48:06,240 --> 00:48:08,160
This is the configuration that Terraform deployed.

1475
00:48:08,160 --> 00:48:09,240
This is when it was deployed.

1476
00:48:09,240 --> 00:48:10,680
This is who approved the change.

1477
00:48:10,680 --> 00:48:12,840
The state file is your audit artifact.

1478
00:48:12,840 --> 00:48:16,320
Terraform's explicit change tracking also maps to compliance frameworks.

1479
00:48:16,320 --> 00:48:18,600
S-OX requires that critical system changes

1480
00:48:18,600 --> 00:48:20,280
go through change control.

1481
00:48:20,280 --> 00:48:22,680
The state file plus git history proves that.

1482
00:48:22,680 --> 00:48:25,640
HIPAA requires that infrastructure changes be auditable.

1483
00:48:25,640 --> 00:48:27,800
The state file and version history provide that.

1484
00:48:27,800 --> 00:48:30,320
PCI DSS requires that access to critical systems

1485
00:48:30,320 --> 00:48:31,640
be controlled and logged.

1486
00:48:31,640 --> 00:48:34,880
The state back and locking and access control demonstrate that.

1487
00:48:34,880 --> 00:48:37,440
For regulated industries, Terraform's model aligns

1488
00:48:37,440 --> 00:48:40,200
well with how compliance frameworks think about infrastructure.

1489
00:48:40,200 --> 00:48:41,960
But there's a cost to this alignment.

1490
00:48:41,960 --> 00:48:44,720
You have to actually build and maintain the audit trail.

1491
00:48:44,720 --> 00:48:46,400
Your state back end has to be versioned.

1492
00:48:46,400 --> 00:48:48,120
Your access control has to be logged.

1493
00:48:48,120 --> 00:48:50,400
Your state file has to be secured against tampering.

1494
00:48:50,400 --> 00:48:51,440
These aren't automatic.

1495
00:48:51,440 --> 00:48:53,680
They're things you have to deliberately configure and operate.

1496
00:48:53,680 --> 00:48:55,320
If you don't, you have no audit trail.

1497
00:48:55,320 --> 00:48:57,560
You have a tool that looks like it's managing infrastructure,

1498
00:48:57,560 --> 00:48:59,400
but you have no proof that the changes actually

1499
00:48:59,400 --> 00:49:00,640
went through proper controls.

1500
00:49:00,640 --> 00:49:02,840
Bicep handles audit differently.

1501
00:49:02,840 --> 00:49:04,320
Bicep doesn't maintain a state file,

1502
00:49:04,320 --> 00:49:05,880
so there's no state-based audit trail.

1503
00:49:05,880 --> 00:49:08,360
Instead, your audit trail comes from Azure itself.

1504
00:49:08,360 --> 00:49:10,400
As your activity logs record every deployment,

1505
00:49:10,400 --> 00:49:12,640
they record who initiated it when it happened.

1506
00:49:12,640 --> 00:49:14,720
What resources were created or modified?

1507
00:49:14,720 --> 00:49:16,440
Azure logs are tamper evident.

1508
00:49:16,440 --> 00:49:18,880
They go to Azure Monitor and Log Analytics,

1509
00:49:18,880 --> 00:49:20,720
which are themselves auditable systems.

1510
00:49:20,720 --> 00:49:22,440
You're not relying on Terraforms versioning.

1511
00:49:22,440 --> 00:49:24,400
You're relying on Azure's logging infrastructure.

1512
00:49:24,400 --> 00:49:27,840
This sounds less explicit than Terraforms state-based tracking,

1513
00:49:27,840 --> 00:49:29,400
but it's actually more robust.

1514
00:49:29,400 --> 00:49:31,200
Azure activity logs are continuous.

1515
00:49:31,200 --> 00:49:33,200
They're not dependent on your configuration.

1516
00:49:33,200 --> 00:49:35,080
They don't require you to version anything.

1517
00:49:35,080 --> 00:49:37,080
They flow to a centralized logging system

1518
00:49:37,080 --> 00:49:38,320
that's designed for audit.

1519
00:49:38,320 --> 00:49:39,200
They're encrypted.

1520
00:49:39,200 --> 00:49:40,440
They're access-controlled.

1521
00:49:40,440 --> 00:49:42,600
They're compliant with every major framework

1522
00:49:42,600 --> 00:49:45,400
because they're part of Azure's own compliance infrastructure.

1523
00:49:45,400 --> 00:49:47,320
Azure Policy Compliance adds another layer.

1524
00:49:47,320 --> 00:49:48,560
When you deploy with Bicep,

1525
00:49:48,560 --> 00:49:50,400
Azure Policy evaluates the deployment

1526
00:49:50,400 --> 00:49:52,160
against every policy that applies.

1527
00:49:52,160 --> 00:49:53,360
That evaluation is logged.

1528
00:49:53,360 --> 00:49:55,640
You have a record of what passed and what failed.

1529
00:49:55,640 --> 00:49:57,760
You have proof that governance was enforced.

1530
00:49:57,760 --> 00:50:00,000
For regulatory alignment, this changes

1531
00:50:00,000 --> 00:50:02,120
how you satisfy compliance requirements.

1532
00:50:02,120 --> 00:50:04,800
Instead of proving that you're using IAC correctly,

1533
00:50:04,800 --> 00:50:07,080
which requires you to maintain a proper state-backend

1534
00:50:07,080 --> 00:50:08,200
and versioning system,

1535
00:50:08,200 --> 00:50:10,480
you're proving that you're using Azure correctly.

1536
00:50:10,480 --> 00:50:12,920
You're using built-in logging and policy enforcement.

1537
00:50:12,920 --> 00:50:15,080
Both are part of Azure's compliance story.

1538
00:50:15,080 --> 00:50:18,360
Multigristiction complexity exposes another difference.

1539
00:50:18,360 --> 00:50:20,320
If you operate in Europe and North America,

1540
00:50:20,320 --> 00:50:22,560
policies differ, data residency laws differ,

1541
00:50:22,560 --> 00:50:23,960
audit requirements differ.

1542
00:50:23,960 --> 00:50:25,920
Terraforms state model is the same everywhere.

1543
00:50:25,920 --> 00:50:28,080
You build the same state management system in Europe

1544
00:50:28,080 --> 00:50:29,440
as you do in North America,

1545
00:50:29,440 --> 00:50:31,280
but compliance requirements are different.

1546
00:50:31,280 --> 00:50:33,240
You end up with a state management system

1547
00:50:33,240 --> 00:50:35,240
that works everywhere but satisfies compliance

1548
00:50:35,240 --> 00:50:36,400
differently everywhere.

1549
00:50:36,400 --> 00:50:38,640
Bicep uses Azure's regional infrastructure

1550
00:50:38,640 --> 00:50:40,440
as you're logging as you're policy enforcement

1551
00:50:40,440 --> 00:50:42,920
as you're compliance certifications, they're regional.

1552
00:50:42,920 --> 00:50:45,360
Your audit trail respects jurisdictional boundaries

1553
00:50:45,360 --> 00:50:47,320
because it's built on Azure's boundaries.

1554
00:50:47,320 --> 00:50:49,080
This becomes critical when auditors ask

1555
00:50:49,080 --> 00:50:50,280
whether your infrastructure matches

1556
00:50:50,280 --> 00:50:51,600
your declared compliance posture

1557
00:50:51,600 --> 00:50:53,280
across multiple jurisdictions.

1558
00:50:53,280 --> 00:50:55,120
Terraforms answer requires you to prove it

1559
00:50:55,120 --> 00:50:57,160
through state-versioning and access control.

1560
00:50:57,160 --> 00:50:58,840
Bicep's answer is that you're using

1561
00:50:58,840 --> 00:51:00,720
Azure's native compliance infrastructure,

1562
00:51:00,720 --> 00:51:03,040
which handles multi-Jurisdiction complexity

1563
00:51:03,040 --> 00:51:05,000
as part of how the platform operates.

1564
00:51:05,000 --> 00:51:08,240
Neither requires you to choose between control and compliance,

1565
00:51:08,240 --> 00:51:11,040
but they distribute the responsibility differently.

1566
00:51:11,040 --> 00:51:14,720
The AI and agentic automation layer, by 2026,

1567
00:51:14,720 --> 00:51:16,840
AI is touching infrastructure code in ways

1568
00:51:16,840 --> 00:51:19,120
that were purely theoretical a few years ago.

1569
00:51:19,120 --> 00:51:21,240
AI agents can read infrastructure requirements

1570
00:51:21,240 --> 00:51:23,080
and generate bicep or Terraform.

1571
00:51:23,080 --> 00:51:24,880
AI can review your infrastructure code

1572
00:51:24,880 --> 00:51:26,360
and suggest improvements.

1573
00:51:26,360 --> 00:51:29,320
AI can identify resources that aren't compliant with policies.

1574
00:51:29,320 --> 00:51:31,400
AI can even propose changes automatically.

1575
00:51:31,400 --> 00:51:33,160
Some organizations are beginning to experiment

1576
00:51:33,160 --> 00:51:35,040
with AI that doesn't just suggest changes,

1577
00:51:35,040 --> 00:51:37,200
but actually initiates them, creates the pull request,

1578
00:51:37,200 --> 00:51:38,880
runs the tests, waits for approval.

1579
00:51:38,880 --> 00:51:41,360
This is happening, it's not coming, it's here now.

1580
00:51:41,360 --> 00:51:43,000
But there's a massive trust gap.

1581
00:51:43,000 --> 00:51:47,240
Research from 2026 shows that only about 34% of organizations

1582
00:51:47,240 --> 00:51:48,880
say they trust an AI agent

1583
00:51:48,880 --> 00:51:51,600
to make autonomous production infrastructure changes.

1584
00:51:51,600 --> 00:51:54,560
And when you dig into why, the answer is consistent.

1585
00:51:54,560 --> 00:51:55,840
Lack of guardrails.

1586
00:51:55,840 --> 00:51:58,160
Teams don't know how to constrain what the AI can do.

1587
00:51:58,160 --> 00:51:59,280
They don't know how to prevent it

1588
00:51:59,280 --> 00:52:00,800
from making dangerous changes.

1589
00:52:00,800 --> 00:52:02,000
They don't know who's responsible

1590
00:52:02,000 --> 00:52:04,440
if the AI generates a change that breaks production.

1591
00:52:04,440 --> 00:52:05,760
That's the guardrail problem.

1592
00:52:05,760 --> 00:52:08,360
How do you let AI augment your infrastructure automation

1593
00:52:08,360 --> 00:52:09,680
without losing control?

1594
00:52:09,680 --> 00:52:12,240
How do you say yes, you can generate this code,

1595
00:52:12,240 --> 00:52:13,760
but no, you can't do that.

1596
00:52:13,760 --> 00:52:15,320
How do you implement policy enforcement

1597
00:52:15,320 --> 00:52:18,440
that applies equally to AI initiated changes

1598
00:52:18,440 --> 00:52:20,000
and human initiated changes?

1599
00:52:20,000 --> 00:52:21,920
Terraform and bicep answer this differently.

1600
00:52:21,920 --> 00:52:22,960
And the difference matters more

1601
00:52:22,960 --> 00:52:25,360
as AI becomes more involved in ISC authorship.

1602
00:52:25,360 --> 00:52:27,200
With Terraform, the external control layer

1603
00:52:27,200 --> 00:52:28,920
is policy as code engines.

1604
00:52:28,920 --> 00:52:31,240
Sentinel if you're using Terraform Cloud.

1605
00:52:31,240 --> 00:52:34,840
OPA, open policy agent if you want an open source option.

1606
00:52:34,840 --> 00:52:37,800
These engines evaluate Terraform plans before they apply.

1607
00:52:37,800 --> 00:52:39,760
If the plan violates policy, it fails.

1608
00:52:39,760 --> 00:52:41,840
The AI can generate code, but the policy engine

1609
00:52:41,840 --> 00:52:43,520
validates that code before it runs.

1610
00:52:43,520 --> 00:52:44,680
The guardrail is external.

1611
00:52:44,680 --> 00:52:45,400
It's bolted on.

1612
00:52:45,400 --> 00:52:47,960
It works, but it's another system to maintain.

1613
00:52:47,960 --> 00:52:50,760
Bicep's guardrails are native to the deployment process.

1614
00:52:50,760 --> 00:52:52,600
Azure policy evaluates every deployment

1615
00:52:52,600 --> 00:52:55,160
against every policy that applies to that scope.

1616
00:52:55,160 --> 00:52:57,720
AI generated code hits the same policy validation

1617
00:52:57,720 --> 00:52:59,120
that human-written code hits.

1618
00:52:59,120 --> 00:53:00,200
The guardrail is built in.

1619
00:53:00,200 --> 00:53:01,240
It's part of the platform.

1620
00:53:01,240 --> 00:53:02,840
It doesn't require a separate engine.

1621
00:53:02,840 --> 00:53:04,880
It doesn't require a separate configuration.

1622
00:53:04,880 --> 00:53:07,000
It just works.

1623
00:53:07,000 --> 00:53:08,640
This distinction becomes critical when

1624
00:53:08,640 --> 00:53:10,600
you think about governance at scale.

1625
00:53:10,600 --> 00:53:12,680
If AI is going to generate infrastructure changes,

1626
00:53:12,680 --> 00:53:14,160
you need confidence that those changes

1627
00:53:14,160 --> 00:53:15,520
can't violate governance.

1628
00:53:15,520 --> 00:53:17,560
With Terraform, you have to build that confidence

1629
00:53:17,560 --> 00:53:19,240
through policy as code engines.

1630
00:53:19,240 --> 00:53:20,960
You have to ensure those engines are running.

1631
00:53:20,960 --> 00:53:23,000
You have to ensure they are configured correctly.

1632
00:53:23,000 --> 00:53:24,200
You have to maintain them.

1633
00:53:24,200 --> 00:53:26,000
With bicep, that confidence is inherent

1634
00:53:26,000 --> 00:53:27,680
to how the system works.

1635
00:53:27,680 --> 00:53:30,560
Attribution and liability add another layer to this problem.

1636
00:53:30,560 --> 00:53:32,800
When a human rights code, they're responsible for it.

1637
00:53:32,800 --> 00:53:34,400
They review it, they approve it.

1638
00:53:34,400 --> 00:53:36,040
There's a clear chain of accountability.

1639
00:53:36,040 --> 00:53:37,920
When AI rights code, who's responsible?

1640
00:53:37,920 --> 00:53:39,560
Did the AI make a bad decision?

1641
00:53:39,560 --> 00:53:41,360
Did the human who approved it miss something?

1642
00:53:41,360 --> 00:53:43,120
If a failure happens, who's on the hook?

1643
00:53:43,120 --> 00:53:44,680
This is partly a legal question.

1644
00:53:44,680 --> 00:53:46,920
But operationally, it drives how you structure

1645
00:53:46,920 --> 00:53:47,880
your approval flows.

1646
00:53:47,880 --> 00:53:50,920
Some organizations are implementing tiered approval systems.

1647
00:53:50,920 --> 00:53:53,360
Low-risk changes, adding a tag, modifying

1648
00:53:53,360 --> 00:53:56,160
a non-critical resource parameter can be approved quickly.

1649
00:53:56,160 --> 00:53:58,560
High-risk changes, modifying network policies,

1650
00:53:58,560 --> 00:54:00,760
changing database settings, creating new service

1651
00:54:00,760 --> 00:54:02,960
principles, require multiple approvals,

1652
00:54:02,960 --> 00:54:06,720
and might require human review, even if an AI suggested them.

1653
00:54:06,720 --> 00:54:08,400
Terraform's model doesn't enforce this.

1654
00:54:08,400 --> 00:54:11,120
You have to build the approval logic into your pipeline.

1655
00:54:11,120 --> 00:54:14,320
Biceps model integrates with Azure R-Back and Azure Policy,

1656
00:54:14,320 --> 00:54:17,240
which naturally encode risk tiers into role-based access.

1657
00:54:17,240 --> 00:54:19,840
A junior engineer might only be able to deploy to dev.

1658
00:54:19,840 --> 00:54:21,920
A senior engineer can deploy to prod.

1659
00:54:21,920 --> 00:54:24,160
That risk structuring is native to the platform.

1660
00:54:24,160 --> 00:54:27,640
The future of infrastructure automation is AI augmented.

1661
00:54:27,640 --> 00:54:30,240
But the tools governance model determines how safely AI

1662
00:54:30,240 --> 00:54:31,120
can participate.

1663
00:54:31,120 --> 00:54:33,040
Terraform requires you to bolt on governance.

1664
00:54:33,040 --> 00:54:34,720
Bicep has governance built in.

1665
00:54:34,720 --> 00:54:35,920
But that's not a minor difference.

1666
00:54:35,920 --> 00:54:38,680
That's an architectural advantage that compounds as AI

1667
00:54:38,680 --> 00:54:41,120
becomes more involved in infrastructure authorship.

1668
00:54:41,120 --> 00:54:43,360
The enterprise platform engineering reality.

1669
00:54:43,360 --> 00:54:45,240
Platform engineering is the function that emerged

1670
00:54:45,240 --> 00:54:47,040
when organizations realized they needed

1671
00:54:47,040 --> 00:54:48,480
infrastructure abstraction.

1672
00:54:48,480 --> 00:54:50,960
Instead of every team managing their own cloud accounts

1673
00:54:50,960 --> 00:54:52,600
and making their own architectural decisions,

1674
00:54:52,600 --> 00:54:54,000
platform teams build frameworks.

1675
00:54:54,000 --> 00:54:55,920
They publish self-service infrastructure.

1676
00:54:55,920 --> 00:54:57,840
They encode standards into templates.

1677
00:54:57,840 --> 00:55:00,320
They provide safe rails that let application teams

1678
00:55:00,320 --> 00:55:02,520
deploy quickly without breaking governance.

1679
00:55:02,520 --> 00:55:04,560
The IAC tool choice becomes critical here

1680
00:55:04,560 --> 00:55:07,280
because the platform team is choosing what abstraction layer

1681
00:55:07,280 --> 00:55:10,560
sits between application teams and the cloud itself.

1682
00:55:10,560 --> 00:55:13,040
Terraform often becomes the platform orchestration engine

1683
00:55:13,040 --> 00:55:13,840
in this model.

1684
00:55:13,840 --> 00:55:16,320
A platform team builds a Terraform module library.

1685
00:55:16,320 --> 00:55:18,520
They create modules for networks, for compute,

1686
00:55:18,520 --> 00:55:20,280
for databases, all the building blocks

1687
00:55:20,280 --> 00:55:21,800
that application teams need.

1688
00:55:21,800 --> 00:55:23,480
Application teams consume those modules.

1689
00:55:23,480 --> 00:55:27,320
They write simple Terraform code that stacks modules together.

1690
00:55:27,320 --> 00:55:30,360
The platform team owns the complex infrastructure patterns.

1691
00:55:30,360 --> 00:55:32,080
The application teams get self-service

1692
00:55:32,080 --> 00:55:34,560
without having to understand the platform deeply.

1693
00:55:34,560 --> 00:55:36,360
Terraforms reach across multiple clouds,

1694
00:55:36,360 --> 00:55:38,040
makes it attractive for platform teams

1695
00:55:38,040 --> 00:55:39,560
that operate heterogeneously.

1696
00:55:39,560 --> 00:55:41,120
You have a few services on AWS,

1697
00:55:41,120 --> 00:55:42,880
a few on Azure, a few on GCP.

1698
00:55:42,880 --> 00:55:45,240
The platform team wants one language, one tool,

1699
00:55:45,240 --> 00:55:47,720
one way of managing infrastructure across all of them.

1700
00:55:47,720 --> 00:55:49,040
Terraform provides that.

1701
00:55:49,040 --> 00:55:50,840
But Terraform at platform scale introduces

1702
00:55:50,840 --> 00:55:53,840
the state coordination problem we discussed earlier on steroids.

1703
00:55:53,840 --> 00:55:55,360
The platform team has central modules.

1704
00:55:55,360 --> 00:55:57,280
Application teams are using those modules.

1705
00:55:57,280 --> 00:55:59,800
Everything flows through the same state backend.

1706
00:55:59,800 --> 00:56:02,480
The platform team is deploying foundational infrastructure.

1707
00:56:02,480 --> 00:56:04,400
Application teams are deploying on top of it.

1708
00:56:04,400 --> 00:56:07,040
If the platform teams state and the application teams state

1709
00:56:07,040 --> 00:56:08,680
collide, you have cascading failures.

1710
00:56:08,680 --> 00:56:11,640
The coordination overhead becomes the platform team's job.

1711
00:56:11,640 --> 00:56:14,040
Biceps role in platform engineering is different.

1712
00:56:14,040 --> 00:56:16,040
Biceps is typically used for landing zones

1713
00:56:16,040 --> 00:56:18,160
and foundational infrastructure patterns.

1714
00:56:18,160 --> 00:56:21,080
A platform team designs landing zone templates in Bicep.

1715
00:56:21,080 --> 00:56:23,200
These are predefined Azure subscription structures,

1716
00:56:23,200 --> 00:56:25,560
networks, policies, logging, baseline resources.

1717
00:56:25,560 --> 00:56:28,320
When a new team leads infrastructure, they get a landing zone.

1718
00:56:28,320 --> 00:56:31,720
The bicep template creates the entire zone automatically.

1719
00:56:31,720 --> 00:56:34,200
Application teams then deploy their own infrastructure

1720
00:56:34,200 --> 00:56:35,520
on top of the landing zone.

1721
00:56:35,520 --> 00:56:37,880
They might use bicep, they might use something else.

1722
00:56:37,880 --> 00:56:39,360
But the foundational architecture comes

1723
00:56:39,360 --> 00:56:41,280
from the platform teams bicep templates.

1724
00:56:41,280 --> 00:56:42,800
This creates a cleaner separation.

1725
00:56:42,800 --> 00:56:44,800
The platform team owns the landing zone,

1726
00:56:44,800 --> 00:56:47,240
the Azure specific foundational pattern.

1727
00:56:47,240 --> 00:56:50,000
The application teams own their services on top of that pattern.

1728
00:56:50,000 --> 00:56:51,960
They're not fighting over a shared state file.

1729
00:56:51,960 --> 00:56:54,200
They're deploying into a predefined structure.

1730
00:56:54,200 --> 00:56:56,360
Governance is baked into the landing zone itself.

1731
00:56:56,360 --> 00:56:58,680
Networks are pre-segmented, logging is predefined,

1732
00:56:58,680 --> 00:57:01,840
policies are configured, application teams inherit all of that.

1733
00:57:01,840 --> 00:57:03,520
The hybrid pattern is becoming standard

1734
00:57:03,520 --> 00:57:05,200
in enterprise platform engineering.

1735
00:57:05,200 --> 00:57:08,240
Terraform handles orchestration across multiple clouds.

1736
00:57:08,240 --> 00:57:09,840
It handles the meta layer, the platforms

1737
00:57:09,840 --> 00:57:11,280
that span different infrastructure.

1738
00:57:11,280 --> 00:57:13,720
Bicep handles the Azure layer specifically.

1739
00:57:13,720 --> 00:57:16,080
You're using both because they're solving different problems

1740
00:57:16,080 --> 00:57:17,840
at different architectural levels.

1741
00:57:17,840 --> 00:57:20,520
A real example, a platform team at a large organization

1742
00:57:20,520 --> 00:57:22,520
might use Terraform to orchestrate landing zones

1743
00:57:22,520 --> 00:57:24,680
across Azure, AWS and GCP.

1744
00:57:24,680 --> 00:57:26,600
Each cloud has a different orchestration

1745
00:57:26,600 --> 00:57:28,040
because the clouds are different.

1746
00:57:28,040 --> 00:57:30,240
But within Azure, they're using bicep templates

1747
00:57:30,240 --> 00:57:32,800
for the Azure specific landing zone structure.

1748
00:57:32,800 --> 00:57:34,880
Application teams deploy bicep on top of that.

1749
00:57:34,880 --> 00:57:37,240
This distributes complexity appropriately.

1750
00:57:37,240 --> 00:57:40,280
Terraform manages the complexity of multi-cloud orchestration.

1751
00:57:40,280 --> 00:57:42,840
Bicep manages the complexity of being native to Azure.

1752
00:57:42,840 --> 00:57:44,920
Neither tool is responsible for both.

1753
00:57:44,920 --> 00:57:47,960
Neither tool is stretched beyond its architectural purpose.

1754
00:57:47,960 --> 00:57:49,880
Module reusability works at both levels.

1755
00:57:49,880 --> 00:57:52,400
The Terraform modules are cross-cloud abstractions.

1756
00:57:52,400 --> 00:57:55,160
The bicep modules are Azure specific patterns.

1757
00:57:55,160 --> 00:57:57,480
Teams consuming these modules don't have to understand

1758
00:57:57,480 --> 00:57:58,360
the distinction.

1759
00:57:58,360 --> 00:58:01,240
They just use what the platform team provides.

1760
00:58:01,240 --> 00:58:03,840
Governance enforcement happens at both levels too.

1761
00:58:03,840 --> 00:58:05,840
Terraform policy as code at the platform layer

1762
00:58:05,840 --> 00:58:08,160
ensures that what gets orchestrated across clouds

1763
00:58:08,160 --> 00:58:09,320
follow standards.

1764
00:58:09,320 --> 00:58:11,320
Bicep based Azure policy enforcement

1765
00:58:11,320 --> 00:58:13,680
at the Azure layer ensures that what gets deployed

1766
00:58:13,680 --> 00:58:15,640
within Azure follows Azure governance.

1767
00:58:15,640 --> 00:58:17,400
Governance isn't competing with itself.

1768
00:58:17,400 --> 00:58:19,440
It's working at appropriate scopes.

1769
00:58:19,440 --> 00:58:22,680
Self-service becomes easier when the platform provides structure.

1770
00:58:22,680 --> 00:58:24,920
Instead of teams wrestling with the full complexity

1771
00:58:24,920 --> 00:58:27,560
of multi-cloud orchestration or Azure specific networking,

1772
00:58:27,560 --> 00:58:29,120
they're working within a framework.

1773
00:58:29,120 --> 00:58:32,040
The platform team has already decided which patterns are safe.

1774
00:58:32,040 --> 00:58:33,720
Teams pick a pattern and deploy.

1775
00:58:33,720 --> 00:58:35,520
Governance is implicit in the structure.

1776
00:58:35,520 --> 00:58:37,960
This is where platform engineering maturity lives.

1777
00:58:37,960 --> 00:58:39,200
Not in choosing one tool,

1778
00:58:39,200 --> 00:58:42,200
but in structuring how multiple tools work together appropriately.

1779
00:58:42,200 --> 00:58:44,960
Platform architecture decisions usually force this hybrid approach

1780
00:58:44,960 --> 00:58:46,760
because no single tool is optimized

1781
00:58:46,760 --> 00:58:48,520
for every layer of abstraction.

1782
00:58:48,520 --> 00:58:51,920
The teams that mature past this recognize it and embrace it.

1783
00:58:51,920 --> 00:58:54,080
The true cost of ownership calculation.

1784
00:58:54,080 --> 00:58:55,720
The real cost of your IAC choice

1785
00:58:55,720 --> 00:58:57,440
isn't what you pay for the software.

1786
00:58:57,440 --> 00:58:59,200
It's what you pay to keep it running.

1787
00:58:59,200 --> 00:59:02,520
Most organizations evaluate IAC tools based on license cost.

1788
00:59:02,520 --> 00:59:05,520
Terraform is free, bicep is free, the evaluation ends there.

1789
00:59:05,520 --> 00:59:08,960
But this math ignores everything that actually costs money.

1790
00:59:08,960 --> 00:59:11,160
Terraform requires infrastructure to operate.

1791
00:59:11,160 --> 00:59:13,760
A remote backend, whether that's Terraform cloud

1792
00:59:13,760 --> 00:59:17,440
and Azure storage account or an S3 bucket costs money.

1793
00:59:17,440 --> 00:59:19,480
Not much individually, but it compounds.

1794
00:59:19,480 --> 00:59:21,000
You're paying for storage.

1795
00:59:21,000 --> 00:59:22,640
You're paying for redundancy.

1796
00:59:22,640 --> 00:59:24,160
You're paying for backup retention.

1797
00:59:24,160 --> 00:59:25,440
If you're using Terraform cloud,

1798
00:59:25,440 --> 00:59:27,080
you're paying their subscription fee.

1799
00:59:27,080 --> 00:59:29,800
If you're using a custom backend orchestrator like Spacelift

1800
00:59:29,800 --> 00:59:32,280
or Scala, you're paying their licensing costs.

1801
00:59:32,280 --> 00:59:34,360
None of these are trivial when you multiply them

1802
00:59:34,360 --> 00:59:37,160
across dozens of workspaces across multiple environments.

1803
00:59:37,160 --> 00:59:38,680
Then there's the operational cost.

1804
00:59:38,680 --> 00:59:40,080
Someone has to monitor the backend.

1805
00:59:40,080 --> 00:59:42,720
Someone has to troubleshoot state corruption when it happens.

1806
00:59:42,720 --> 00:59:44,840
Someone has to run backup and restore procedures.

1807
00:59:44,840 --> 00:59:47,640
Someone has to manage access control to the backend itself.

1808
00:59:47,640 --> 00:59:49,000
This isn't a one-time effort.

1809
00:59:49,000 --> 00:59:50,680
This is ongoing operational overhead.

1810
00:59:50,680 --> 00:59:52,280
biceps infrastructure cost is zero.

1811
00:59:52,280 --> 00:59:53,760
Azure handles everything.

1812
00:59:53,760 --> 00:59:55,600
You pay for the resources you deploy.

1813
00:59:55,600 --> 00:59:58,680
You don't pay for the infrastructure that manages the deployment.

1814
00:59:58,680 --> 01:00:00,280
But then consider the inverse cost.

1815
01:00:00,280 --> 01:00:01,760
biceps locks you to Azure.

1816
01:00:01,760 --> 01:00:04,560
If your strategy shifts and you need to operate on multiple clouds,

1817
01:00:04,560 --> 01:00:05,720
biceps can't go with you.

1818
01:00:05,720 --> 01:00:08,040
You'd have to migrate to a tool at Spance Clouds.

1819
01:00:08,040 --> 01:00:09,440
That migration is expensive.

1820
01:00:09,440 --> 01:00:10,880
That retraining is expensive.

1821
01:00:10,880 --> 01:00:12,920
Terraform, even if it costs more to operate,

1822
01:00:12,920 --> 01:00:14,640
at least preserves your optionality.

1823
01:00:14,640 --> 01:00:17,720
This matters only if multi-cloud is actually your strategy.

1824
01:00:17,720 --> 01:00:21,080
If you say your multi-cloud, but you're really 95% Azure,

1825
01:00:21,080 --> 01:00:22,680
the cost of that optionality is money

1826
01:00:22,680 --> 01:00:24,600
you're spending on insurance you don't need.

1827
01:00:24,600 --> 01:00:26,160
If you're genuinely multi-cloud,

1828
01:00:26,160 --> 01:00:28,560
running significant workloads on different platforms,

1829
01:00:28,560 --> 01:00:31,440
the cost of switching away from Terraform is enormous.

1830
01:00:31,440 --> 01:00:33,400
Skill development is a less obvious cost

1831
01:00:33,400 --> 01:00:34,520
that compounds over years.

1832
01:00:34,520 --> 01:00:36,920
If you choose Terraform, you're training your team on Terraform.

1833
01:00:36,920 --> 01:00:37,560
That's courses.

1834
01:00:37,560 --> 01:00:38,400
It's mentorship.

1835
01:00:38,400 --> 01:00:41,240
It's time spent learning the tool rather than solving problems.

1836
01:00:41,240 --> 01:00:43,640
If you choose bicep, you're training your team on bicep

1837
01:00:43,640 --> 01:00:45,160
and deeper Azure understanding.

1838
01:00:45,160 --> 01:00:46,920
The upfront training cost is similar,

1839
01:00:46,920 --> 01:00:48,640
but the long term payoff differs.

1840
01:00:48,640 --> 01:00:51,040
Terraform skills are more widely available on the market.

1841
01:00:51,040 --> 01:00:53,600
If you need to hire, you can find people who know Terraform,

1842
01:00:53,600 --> 01:00:55,360
but those people aren't necessarily cheaper.

1843
01:00:55,360 --> 01:00:56,840
They're actually more expensive

1844
01:00:56,840 --> 01:00:58,440
because the skill is commoditized.

1845
01:00:58,440 --> 01:01:00,200
Bicep expertise is rarer.

1846
01:01:00,200 --> 01:01:02,360
When you find someone who knows bicep deeply,

1847
01:01:02,360 --> 01:01:04,800
they are usually genuinely expert in Azure.

1848
01:01:04,800 --> 01:01:07,520
That costs more upfront, but it holds value longer.

1849
01:01:07,520 --> 01:01:10,280
Migration costs should scare you more than they do.

1850
01:01:10,280 --> 01:01:12,560
If you're running meaningful infrastructure on Terraform,

1851
01:01:12,560 --> 01:01:13,920
and you decide to move to bicep,

1852
01:01:13,920 --> 01:01:15,400
that's not a simple tool swap.

1853
01:01:15,400 --> 01:01:17,120
You're rewriting infrastructure code,

1854
01:01:17,120 --> 01:01:19,400
you're retraining teams, you're testing everything,

1855
01:01:19,400 --> 01:01:21,240
you're managing risk during cutover.

1856
01:01:21,240 --> 01:01:22,600
Large migrations take months.

1857
01:01:22,600 --> 01:01:24,760
Large migrations cost six figures easily.

1858
01:01:24,760 --> 01:01:27,080
Most organizations never actually do this migration

1859
01:01:27,080 --> 01:01:28,600
because the cost is too high.

1860
01:01:28,600 --> 01:01:29,800
This creates switching costs

1861
01:01:29,800 --> 01:01:31,480
that affect your options going forward.

1862
01:01:31,480 --> 01:01:33,600
You've already paid the cost to adopt Terraform.

1863
01:01:33,600 --> 01:01:34,880
The cost to switch is so high

1864
01:01:34,880 --> 01:01:37,720
that you'll live with Terraform even if a better option emerges.

1865
01:01:37,720 --> 01:01:40,040
That's lock-in that comes from operational investment,

1866
01:01:40,040 --> 01:01:41,240
not licensing.

1867
01:01:41,240 --> 01:01:44,040
Incident response costs are real, but often uncounted.

1868
01:01:44,040 --> 01:01:45,680
When something breaks in Terraform,

1869
01:01:45,680 --> 01:01:48,400
state corruption locking issues provide a misbehavior,

1870
01:01:48,400 --> 01:01:49,520
someone has to fix it.

1871
01:01:49,520 --> 01:01:51,120
They have to understand state management.

1872
01:01:51,120 --> 01:01:52,560
They have to know how to recover.

1873
01:01:52,560 --> 01:01:54,120
They might have to restore from backup.

1874
01:01:54,120 --> 01:01:57,200
Incident response for Terraform requires Terraform expertise.

1875
01:01:57,200 --> 01:01:58,560
Bicep incidents are different.

1876
01:01:58,560 --> 01:01:59,440
If a deployment fails,

1877
01:01:59,440 --> 01:02:02,040
you're troubleshooting bicep code or Azure behavior,

1878
01:02:02,040 --> 01:02:04,000
you're not troubleshooting a state management system.

1879
01:02:04,000 --> 01:02:05,440
That's a different cost profile.

1880
01:02:05,440 --> 01:02:08,680
Audit and compliance costs depend on your regulatory requirements.

1881
01:02:08,680 --> 01:02:11,440
Terraform's explicit state tracking can reduce audit cost

1882
01:02:11,440 --> 01:02:13,320
if you're already maintaining state versioning

1883
01:02:13,320 --> 01:02:14,320
and backend logging.

1884
01:02:14,320 --> 01:02:16,400
Bicep's reliance on Azure's native logging

1885
01:02:16,400 --> 01:02:18,360
might simplify audit if you're already

1886
01:02:18,360 --> 01:02:20,040
instrumented for Azure compliance.

1887
01:02:20,040 --> 01:02:21,880
The trick with true cost of ownership

1888
01:02:21,880 --> 01:02:23,480
is that it's never just one number.

1889
01:02:23,480 --> 01:02:25,000
It's the sum of infrastructure costs,

1890
01:02:25,000 --> 01:02:26,960
operational overhead, skill acquisition,

1891
01:02:26,960 --> 01:02:29,120
optionality preservation, migration risk,

1892
01:02:29,120 --> 01:02:31,360
incident response and compliance alignment.

1893
01:02:31,360 --> 01:02:34,400
Wait each factor differently depending on your strategy.

1894
01:02:34,400 --> 01:02:36,640
An organization committing long term to Azure

1895
01:02:36,640 --> 01:02:39,240
probably weighs biceps simplicity more heavily.

1896
01:02:39,240 --> 01:02:41,640
An organization deliberately building multi-cloud

1897
01:02:41,640 --> 01:02:44,920
might accept Terraform's operational burden for that flexibility.

1898
01:02:44,920 --> 01:02:46,720
The cost calculation reveals

1899
01:02:46,720 --> 01:02:49,080
where your long term investment should actually flow,

1900
01:02:49,080 --> 01:02:50,600
not toward the cheapest tool,

1901
01:02:50,600 --> 01:02:52,760
toward the tool whose operational model aligns

1902
01:02:52,760 --> 01:02:54,960
with how you actually work.

1903
01:02:54,960 --> 01:02:58,120
The decision framework went to choose which tool.

1904
01:02:58,120 --> 01:03:00,440
Here's where all of this converges into an actual choice.

1905
01:03:00,440 --> 01:03:03,520
You can't choose based on which tool is better.

1906
01:03:03,520 --> 01:03:06,560
Both are mature, both work, both have distinct trade-offs.

1907
01:03:06,560 --> 01:03:08,320
The choice is about which trade-off aligns

1908
01:03:08,320 --> 01:03:11,640
with your actual situation, not the situation you want to be in.

1909
01:03:11,640 --> 01:03:13,080
The one you're actually in right now.

1910
01:03:13,080 --> 01:03:15,040
If your infrastructure lives exclusively in Azure,

1911
01:03:15,040 --> 01:03:16,160
the logic is straightforward.

1912
01:03:16,160 --> 01:03:18,400
Bicep is faster, bicep is simpler,

1913
01:03:18,400 --> 01:03:20,680
bicep integrates natively with governance.

1914
01:03:20,680 --> 01:03:21,880
You don't get multi-cloud reach,

1915
01:03:21,880 --> 01:03:23,720
but you're not using multi-cloud reach.

1916
01:03:23,720 --> 01:03:26,320
The operational simplicity pays dividends immediately.

1917
01:03:26,320 --> 01:03:28,960
Smaller teams can operate it less infrastructure overhead,

1918
01:03:28,960 --> 01:03:30,240
faster feature adoption.

1919
01:03:30,240 --> 01:03:33,080
This is the default path for Azure only organizations.

1920
01:03:33,080 --> 01:03:36,120
But if you're running significant workloads on multiple clouds,

1921
01:03:36,120 --> 01:03:37,880
that simplicity doesn't apply.

1922
01:03:37,880 --> 01:03:39,680
You need one language, one tool,

1923
01:03:39,680 --> 01:03:42,320
one deployment pattern that works across environments.

1924
01:03:42,320 --> 01:03:45,000
Terraformer Open Tofu is non-negotiable here.

1925
01:03:45,000 --> 01:03:46,560
You accept the state management overhead

1926
01:03:46,560 --> 01:03:49,400
because the alternative, maintaining different IAC tools

1927
01:03:49,400 --> 01:03:52,280
for different clouds is even more complex operationally.

1928
01:03:52,280 --> 01:03:54,600
The coordination overhead of managing multiple tools

1929
01:03:54,600 --> 01:03:56,920
across multiple clouds exceeds the overhead

1930
01:03:56,920 --> 01:03:58,400
of managing Terraform state.

1931
01:03:58,400 --> 01:04:01,280
Most large organizations end up somewhere between these poles.

1932
01:04:01,280 --> 01:04:03,680
They're Azure first, but they have some workloads elsewhere,

1933
01:04:03,680 --> 01:04:05,600
or they're genuinely multi-cloud.

1934
01:04:05,600 --> 01:04:07,280
The answer often becomes hybrid.

1935
01:04:07,280 --> 01:04:09,320
Terraform handles what spans clouds.

1936
01:04:09,320 --> 01:04:10,880
The cross-cloud orchestration layer,

1937
01:04:10,880 --> 01:04:12,040
the central governance,

1938
01:04:12,040 --> 01:04:13,800
the things that touch multiple platforms.

1939
01:04:13,800 --> 01:04:15,960
Bicep handles what's Azure-specific,

1940
01:04:15,960 --> 01:04:18,080
landing zones, foundational patterns,

1941
01:04:18,080 --> 01:04:20,520
Azure native services, they're not competing,

1942
01:04:20,520 --> 01:04:23,400
they're solving different problems at different architectural levels.

1943
01:04:23,400 --> 01:04:25,840
Your team structure matters more than most organizations

1944
01:04:25,840 --> 01:04:27,480
realize when they're making this choice.

1945
01:04:27,480 --> 01:04:29,760
If you have a centralized platform engineering team,

1946
01:04:29,760 --> 01:04:32,280
responsible for infrastructure across the organization,

1947
01:04:32,280 --> 01:04:33,600
Terraform often makes sense.

1948
01:04:33,600 --> 01:04:35,320
The platform team owns the complexity.

1949
01:04:35,320 --> 01:04:37,600
They manage state, they manage coordination,

1950
01:04:37,600 --> 01:04:40,600
they build the modules, everyone else consumes what they provide.

1951
01:04:40,600 --> 01:04:42,880
This concentrates the operational burden in one team,

1952
01:04:42,880 --> 01:04:43,960
which can handle it.

1953
01:04:43,960 --> 01:04:46,560
It also means that tool choice is a platform team decision,

1954
01:04:46,560 --> 01:04:48,200
not a distributed team decision,

1955
01:04:48,200 --> 01:04:50,680
but if your organizational structure is more distributed,

1956
01:04:50,680 --> 01:04:53,040
different teams owning their own infrastructure,

1957
01:04:53,040 --> 01:04:55,720
different business units managing different cloud accounts,

1958
01:04:55,720 --> 01:04:59,080
the coordination overhead of shared state becomes unbearable.

1959
01:04:59,080 --> 01:05:01,800
Biceps, stateless model suddenly becomes an advantage.

1960
01:05:01,800 --> 01:05:03,720
Teams can deploy independently.

1961
01:05:03,720 --> 01:05:05,560
They don't need global coordination.

1962
01:05:05,560 --> 01:05:07,440
They don't need permission from a central platform team

1963
01:05:07,440 --> 01:05:09,360
to deploy on Tuesday versus Thursday.

1964
01:05:09,360 --> 01:05:12,400
That autonomy has real value in decentralized organizations.

1965
01:05:12,400 --> 01:05:14,440
Regulatory requirements add another consideration

1966
01:05:14,440 --> 01:05:15,800
that's often overlooked.

1967
01:05:15,800 --> 01:05:19,240
If your audit function cares deeply about explicit change tracking,

1968
01:05:19,240 --> 01:05:21,200
who changed what, when and why,

1969
01:05:21,200 --> 01:05:23,000
Terraform's state-based audit trail

1970
01:05:23,000 --> 01:05:25,440
might align better with what auditors expect to see.

1971
01:05:25,440 --> 01:05:26,640
The state file is a ledger.

1972
01:05:26,640 --> 01:05:28,000
You can show it to auditors.

1973
01:05:28,000 --> 01:05:30,520
Biceps reliance on Azure's native logging works too,

1974
01:05:30,520 --> 01:05:32,400
but it requires a different audit story.

1975
01:05:32,400 --> 01:05:34,320
Neither fails compliance.

1976
01:05:34,320 --> 01:05:37,080
But one might be easier to explain to your compliance function.

1977
01:05:37,080 --> 01:05:39,320
Licensing is becoming a strategic question,

1978
01:05:39,320 --> 01:05:40,680
not just a technical one.

1979
01:05:40,680 --> 01:05:43,160
If your organization has a policy against business source

1980
01:05:43,160 --> 01:05:46,480
licensed software, and increasingly EU organizations

1981
01:05:46,480 --> 01:05:48,880
and governments do, Terraform creates a problem.

1982
01:05:48,880 --> 01:05:51,120
Open tofu solves it, you get the multi-cloud reach

1983
01:05:51,120 --> 01:05:52,600
without the licensing risk.

1984
01:05:52,600 --> 01:05:54,720
If licensing doesn't matter to your governance,

1985
01:05:54,720 --> 01:05:57,280
Terraform's maturity and ecosystem might outweigh

1986
01:05:57,280 --> 01:05:58,360
Open tofu's newness.

1987
01:05:58,360 --> 01:06:01,320
If licensing is a constraint, Open tofu is the obvious path.

1988
01:06:01,320 --> 01:06:03,400
Feature velocity matters if you're in industries

1989
01:06:03,400 --> 01:06:06,160
where new Azure capabilities are competitive advantages.

1990
01:06:06,160 --> 01:06:08,000
If you operate in regulated industries,

1991
01:06:08,000 --> 01:06:10,040
Azure releases compliance features first.

1992
01:06:10,040 --> 01:06:12,120
New policy capabilities, new encryption options,

1993
01:06:12,120 --> 01:06:14,200
new audit features, bicep gets them immediately.

1994
01:06:14,200 --> 01:06:16,840
Terraform's Azure Improvider gets them in weeks or months.

1995
01:06:16,840 --> 01:06:19,360
That gap doesn't matter if you don't use early features.

1996
01:06:19,360 --> 01:06:20,960
It matters enormously if you do.

1997
01:06:20,960 --> 01:06:23,760
Your organizational maturity sets expectations too.

1998
01:06:23,760 --> 01:06:25,880
Younger organizations, smaller headcount,

1999
01:06:25,880 --> 01:06:27,960
less formalized processes often benefit

2000
01:06:27,960 --> 01:06:30,960
from biceps simplicity, less infrastructure to operate,

2001
01:06:30,960 --> 01:06:32,760
faster time to capability.

2002
01:06:32,760 --> 01:06:35,160
Mature organizations with established platform teams

2003
01:06:35,160 --> 01:06:37,720
can leverage Terraform's power and flexibility.

2004
01:06:37,720 --> 01:06:40,840
They have the engineering capacity to manage it well.

2005
01:06:40,840 --> 01:06:43,760
None of these signals point to one universal answer,

2006
01:06:43,760 --> 01:06:45,720
but together they point to what matters

2007
01:06:45,720 --> 01:06:47,320
for your specific context.

2008
01:06:47,320 --> 01:06:50,120
The choice isn't about which tool is objectively better.

2009
01:06:50,120 --> 01:06:52,440
It's about which model, which operational philosophy

2010
01:06:52,440 --> 01:06:54,760
which trade-offs aligns with your constraints,

2011
01:06:54,760 --> 01:06:56,880
your strategy and your team structure.

2012
01:06:56,880 --> 01:06:59,560
Choose the tool who's burdened your willing and able to carry.

2013
01:06:59,560 --> 01:07:01,920
That's how you avoid the trap.

2014
01:07:01,920 --> 01:07:03,560
The governance metrics that matter.

2015
01:07:03,560 --> 01:07:06,000
Here's what most organizations measure wrong.

2016
01:07:06,000 --> 01:07:07,680
They measure IAC adoption,

2017
01:07:07,680 --> 01:07:09,680
percentage of infrastructure deployed through code,

2018
01:07:09,680 --> 01:07:11,480
percentage of teams using the tool.

2019
01:07:11,480 --> 01:07:13,320
Adoption metrics are easy to calculate.

2020
01:07:13,320 --> 01:07:15,440
They make you feel like you're making progress,

2021
01:07:15,440 --> 01:07:17,760
but they're measuring the wrong thing entirely.

2022
01:07:17,760 --> 01:07:20,720
If 90% of your infrastructure is deployed through IAC,

2023
01:07:20,720 --> 01:07:23,760
but half of it violates your compliance policies you haven't won.

2024
01:07:23,760 --> 01:07:25,360
You've just automated the problems.

2025
01:07:25,360 --> 01:07:26,800
You've made them scale faster.

2026
01:07:26,800 --> 01:07:28,800
The metrics that actually matter are harder to track,

2027
01:07:28,800 --> 01:07:30,520
but they reveal where your tool choice is

2028
01:07:30,520 --> 01:07:32,080
genuinely impacting your business.

2029
01:07:32,080 --> 01:07:33,920
Control coverage is the real metric.

2030
01:07:33,920 --> 01:07:35,960
Of all your production resources, every VM,

2031
01:07:35,960 --> 01:07:38,480
every database, every network, everything running in production,

2032
01:07:38,480 --> 01:07:40,280
what percentage is actually under governance?

2033
01:07:40,280 --> 01:07:41,840
Not deployed through code.

2034
01:07:41,840 --> 01:07:44,880
Under governance, meaning it's being managed through approved patterns,

2035
01:07:44,880 --> 01:07:47,800
it's passing policy checks, it's being monitored for drift.

2036
01:07:47,800 --> 01:07:50,080
A team might deploy infrastructure through IAC,

2037
01:07:50,080 --> 01:07:52,000
but if they're not integrating with Azure policy,

2038
01:07:52,000 --> 01:07:53,840
if they're not running drift detection,

2039
01:07:53,840 --> 01:07:57,040
if they're not gating deployments through approval workflows,

2040
01:07:57,040 --> 01:07:58,920
then that infrastructure isn't really governed.

2041
01:07:58,920 --> 01:08:00,240
It's just automated.

2042
01:08:00,240 --> 01:08:03,120
The gap between deployment and governance is where risk hides,

2043
01:08:03,120 --> 01:08:06,800
drift metrics matter, because drift is where governance breaks down in practice.

2044
01:08:06,800 --> 01:08:07,840
You define a policy.

2045
01:08:07,840 --> 01:08:10,360
You enforce it at deployment time, everything passes.

2046
01:08:10,360 --> 01:08:12,800
Two weeks later, someone makes a quick fix in the console.

2047
01:08:12,800 --> 01:08:16,520
The policy is still active, but the fix didn't go through the approval process.

2048
01:08:16,520 --> 01:08:19,440
Now you have a resource in a state that violates your intention,

2049
01:08:19,440 --> 01:08:22,160
even though it technically complies with the policy.

2050
01:08:22,160 --> 01:08:26,120
The real metric is mean time to detect that drift and mean time to reconcile it.

2051
01:08:26,120 --> 01:08:28,640
If it takes three months to discover that a critical database

2052
01:08:28,640 --> 01:08:31,240
lost its encryption configuration, your governance isn't working.

2053
01:08:31,240 --> 01:08:34,080
If it takes a day, you're responding quickly to problems.

2054
01:08:34,080 --> 01:08:36,480
Compliance metrics get at whether your governance

2055
01:08:36,480 --> 01:08:38,480
is actually preventing bad things.

2056
01:08:38,480 --> 01:08:41,200
Percentage of resources passing automated policy checks,

2057
01:08:41,200 --> 01:08:43,200
not resources that you're hoping are compliant.

2058
01:08:43,200 --> 01:08:45,760
Resources that are actually passing validation.

2059
01:08:45,760 --> 01:08:47,680
This surfaces which policies are too strict

2060
01:08:47,680 --> 01:08:49,360
and which are catching real problems.

2061
01:08:49,360 --> 01:08:51,760
It also surfaces whether your teams are working around policies

2062
01:08:51,760 --> 01:08:53,280
instead of working within them.

2063
01:08:53,280 --> 01:08:55,720
If compliance is 75%, you have a problem.

2064
01:08:55,720 --> 01:08:57,320
Either your policies are too restrictive

2065
01:08:57,320 --> 01:08:58,600
or your teams don't understand them.

2066
01:08:58,600 --> 01:09:00,360
Either way, you're not actually governing.

2067
01:09:00,360 --> 01:09:03,320
Incident metrics reveal the impact of your governance choices,

2068
01:09:03,320 --> 01:09:06,400
number and severity of infrastructure-related production incidents.

2069
01:09:06,400 --> 01:09:08,760
Infrastructure-related means incidents that happened,

2070
01:09:08,760 --> 01:09:10,440
because infrastructure was misconfigured,

2071
01:09:10,440 --> 01:09:12,560
was deployed wrong or violated a policy.

2072
01:09:12,560 --> 01:09:16,240
The tool you choose and how rigorously you govern it directly impacts this number.

2073
01:09:16,240 --> 01:09:19,200
A team deploying manually through the console has one incident rate.

2074
01:09:19,200 --> 01:09:22,160
A team deploying through IAC with governance has a lower one.

2075
01:09:22,160 --> 01:09:26,040
A team deploying through IAC without governance has a different rate entirely.

2076
01:09:26,040 --> 01:09:27,640
The gap between incident rates tells you

2077
01:09:27,640 --> 01:09:29,680
whether your governance investment is paying off.

2078
01:09:29,680 --> 01:09:32,680
Cost metrics matter because the whole reason to have governance

2079
01:09:32,680 --> 01:09:34,480
is usually to control spend.

2080
01:09:34,480 --> 01:09:37,120
Infrastructure costs as a percentage of your cloud spend.

2081
01:09:37,120 --> 01:09:40,320
Chargeback accuracy if you're allocating costs back to teams.

2082
01:09:40,320 --> 01:09:44,360
If 40% of your infrastructure bill is going to resources nobody remembers creating,

2083
01:09:44,360 --> 01:09:45,560
you have a governance problem.

2084
01:09:45,560 --> 01:09:48,720
If teams can't be charged back accurately for what they're consuming,

2085
01:09:48,720 --> 01:09:50,840
your cost allocation system isn't working.

2086
01:09:50,840 --> 01:09:53,680
Audit readiness is the compliance metric that matters.

2087
01:09:53,680 --> 01:09:56,960
When an auditor shows up and asks who deployed that database and when,

2088
01:09:56,960 --> 01:09:58,440
how fast can you answer?

2089
01:09:58,440 --> 01:09:59,800
How complete is the information?

2090
01:09:59,800 --> 01:10:02,040
Can you trace the change from request through approval,

2091
01:10:02,040 --> 01:10:03,520
through deployment, through current state?

2092
01:10:03,520 --> 01:10:06,480
If that answer takes weeks, your audit trail isn't working.

2093
01:10:06,480 --> 01:10:09,120
If you can answer in hours with complete information,

2094
01:10:09,120 --> 01:10:11,040
your governance infrastructure is sound,

2095
01:10:11,040 --> 01:10:14,920
team velocity matters because governance can slow teams down if it's not designed right.

2096
01:10:14,920 --> 01:10:17,080
Deployment frequency, lead time for changes,

2097
01:10:17,080 --> 01:10:18,960
mean time to recovery from incidents.

2098
01:10:18,960 --> 01:10:23,560
If governance makes it so that a simple configuration change takes two weeks to deploy,

2099
01:10:23,560 --> 01:10:25,040
teams are going to find workarounds.

2100
01:10:25,040 --> 01:10:29,240
The goal is governance that enforces control without killing velocity.

2101
01:10:29,240 --> 01:10:33,440
The tools you choose and how you structure your governance determine whether you can achieve both.

2102
01:10:33,440 --> 01:10:37,360
These metrics reveal where your tool choice is actually hitting the bottom line.

2103
01:10:37,360 --> 01:10:41,960
Not whether you're using a tool, whether the tool is making you faster and safer simultaneously.

2104
01:10:41,960 --> 01:10:45,320
The 2026 landscape where the market is moving.

2105
01:10:45,320 --> 01:10:50,080
The IAC market in 2026 is far different from what it was three years ago.

2106
01:10:50,080 --> 01:10:52,040
And the trajectory tells you where things are going.

2107
01:10:52,040 --> 01:10:53,640
Terraform is still the incumbent.

2108
01:10:53,640 --> 01:10:55,560
It has the largest installed base.

2109
01:10:55,560 --> 01:10:59,400
Most organizations running infrastructure at scale are running Terraform.

2110
01:10:59,400 --> 01:11:03,240
But that incumbent C is being challenged in ways that matter strategically.

2111
01:11:03,240 --> 01:11:07,520
The licensing change to BSL created a fracture in the ecosystem that didn't heal.

2112
01:11:07,520 --> 01:11:08,600
It created open tofu.

2113
01:11:08,600 --> 01:11:10,800
It made organizations nervous about vendor control.

2114
01:11:10,800 --> 01:11:14,240
It forced conversations about what happens if hashie-corp changes course again.

2115
01:11:14,240 --> 01:11:17,640
Organizations with massive Terraform investments aren't going anywhere.

2116
01:11:17,640 --> 01:11:20,560
Migration is too expensive, but that doesn't mean they're comfortable.

2117
01:11:20,560 --> 01:11:23,840
Many are running open tofu for new projects specifically as a hedge.

2118
01:11:23,840 --> 01:11:25,520
They're keeping their options open.

2119
01:11:25,520 --> 01:11:27,080
They're saying, we'll maintain what we have,

2120
01:11:27,080 --> 01:11:30,640
but we're not expanding our dependence on a single vendor's licensing model.

2121
01:11:30,640 --> 01:11:33,040
Bicep adoption is accelerating in Azure environments,

2122
01:11:33,040 --> 01:11:35,440
but it's accelerating differently than Terraform matured.

2123
01:11:35,440 --> 01:11:37,440
Terraform grew through grassroots adoption.

2124
01:11:37,440 --> 01:11:39,920
Engineers choosing it because it solved their problem.

2125
01:11:39,920 --> 01:11:42,680
Bicep is growing through organizational endorsement.

2126
01:11:42,680 --> 01:11:45,560
Azure verified modules aren't a community project.

2127
01:11:45,560 --> 01:11:49,160
They're Microsoft backed enterprise grade tested standardization.

2128
01:11:49,160 --> 01:11:51,960
They're what you use when you want the platform vendors blessing.

2129
01:11:51,960 --> 01:11:54,160
This matters because it signals confidence.

2130
01:11:54,160 --> 01:11:56,720
Organizations are saying if Microsoft is backing these modules,

2131
01:11:56,720 --> 01:11:57,920
we can standardize on them.

2132
01:11:57,920 --> 01:11:59,600
We can build enterprise patterns on them.

2133
01:11:59,600 --> 01:12:03,440
We can delegate the module ecosystem to Microsoft instead of maintaining it ourselves.

2134
01:12:03,440 --> 01:12:05,320
The ecosystem itself is consolidating.

2135
01:12:05,320 --> 01:12:07,560
Cloud providers used to have proprietary tools.

2136
01:12:07,560 --> 01:12:09,440
AWS had cloud formation.

2137
01:12:09,440 --> 01:12:11,240
Google Cloud had deployment manager.

2138
01:12:11,240 --> 01:12:12,720
Azure had arm templates.

2139
01:12:12,720 --> 01:12:15,240
These were vendor specific limited to that cloud.

2140
01:12:15,240 --> 01:12:19,600
But the ecosystem realized that companies need consistent tools across their infrastructure.

2141
01:12:19,600 --> 01:12:22,720
So the major cloud provider started supporting multiple tools.

2142
01:12:22,720 --> 01:12:26,200
Terraform became a first-class citizen on all three major clouds.

2143
01:12:26,200 --> 01:12:28,120
Open Tofu is following the same path.

2144
01:12:28,120 --> 01:12:31,040
Even Bicep is now supported in enterprise orchestration platforms

2145
01:12:31,040 --> 01:12:32,680
that used to be Terraform only.

2146
01:12:32,680 --> 01:12:34,520
The tools themselves are converging too.

2147
01:12:34,520 --> 01:12:38,360
Terraform and Open Tofu are now functionally equivalent at the core.

2148
01:12:38,360 --> 01:12:39,480
They use the same language.

2149
01:12:39,480 --> 01:12:40,720
They have compatible state.

2150
01:12:40,720 --> 01:12:41,720
They're not diverging.

2151
01:12:41,720 --> 01:12:44,720
They're staying aligned because they started from the same code base.

2152
01:12:44,720 --> 01:12:47,600
Bicep is its own thing, but it's competing in the same space.

2153
01:12:47,600 --> 01:12:51,640
The feature gap that existed between Terraform and bicep five years ago is much smaller now.

2154
01:12:51,640 --> 01:12:54,000
Pulumi is emerging as a different approach entirely.

2155
01:12:54,000 --> 01:12:56,000
Instead of a domain-specific language,

2156
01:12:56,000 --> 01:13:01,360
Pulumi lets you write infrastructure in Python or Go or other general purpose languages.

2157
01:13:01,360 --> 01:13:05,720
If your team has Python developers, they can write infrastructure without learning HCl.

2158
01:13:05,720 --> 01:13:09,240
This appeals to organizations where infrastructure is written by application teams,

2159
01:13:09,240 --> 01:13:10,920
not specialist platform engineers.

2160
01:13:10,920 --> 01:13:14,840
It's gaining traction especially in companies where the skill set overlap is high.

2161
01:13:14,840 --> 01:13:19,240
What all of this points to is platform consolidation happening across enterprises.

2162
01:13:19,240 --> 01:13:22,720
Most mature organizations are moving toward multi-tool strategies,

2163
01:13:22,720 --> 01:13:24,600
not because they can't make one tool work,

2164
01:13:24,600 --> 01:13:27,200
but because different tools solve different problems.

2165
01:13:27,200 --> 01:13:29,200
Terraform for cross-cloud orchestration.

2166
01:13:29,200 --> 01:13:31,000
Bicep for Azure-specific patterns.

2167
01:13:31,000 --> 01:13:34,120
Pulumi for teams that want general purpose language infrastructure.

2168
01:13:34,120 --> 01:13:35,520
They're not choosing one winner.

2169
01:13:35,520 --> 01:13:38,320
They're choosing the right tool for each architectural layer.

2170
01:13:38,320 --> 01:13:40,880
The real convergence isn't in the tools competing.

2171
01:13:40,880 --> 01:13:44,920
It's in governance and policy as code becoming more important than the tool itself.

2172
01:13:44,920 --> 01:13:47,400
You could run Terraform today and migrate to OpenTofu tomorrow

2173
01:13:47,400 --> 01:13:49,280
and your governance layer would mostly stay the same.

2174
01:13:49,280 --> 01:13:52,480
You could layer Azure policy on top of either bicep or Terraform.

2175
01:13:52,480 --> 01:13:54,040
The policy engine is becoming what matters,

2176
01:13:54,040 --> 01:13:57,120
not whether you're using Terraform or OpenTofu or bicep.

2177
01:13:57,120 --> 01:13:58,480
This is where the market is settling.

2178
01:13:58,480 --> 01:14:02,880
Executives should pay attention because it means your tool choice matters less than your governance choice.

2179
01:14:02,880 --> 01:14:05,040
And your governance choice matters more than your tool choice.

2180
01:14:05,040 --> 01:14:06,200
The tools are good enough.

2181
01:14:06,200 --> 01:14:10,000
The differentiator now is whether you can enforce policy and maintain control

2182
01:14:10,000 --> 01:14:11,800
regardless of which tool runs underneath.

2183
01:14:11,800 --> 01:14:15,680
Organizations that understand this ahead of time gain a strategic advantage.

2184
01:14:15,680 --> 01:14:20,520
They're investing in governance infrastructure and treating tool choices as implementation details.

2185
01:14:20,520 --> 01:14:24,800
They're building to be tool agnostic where it matters and tool specific where it doesn't.

2186
01:14:24,800 --> 01:14:28,000
Understanding market movement helps you make decisions that age well

2187
01:14:28,000 --> 01:14:32,240
instead of decisions you'll regret in two years when the landscape shifts again.

2188
01:14:32,240 --> 01:14:34,440
The real trap and how to avoid it.

2189
01:14:34,440 --> 01:14:36,440
The trap isn't choosing the wrong tool.

2190
01:14:36,440 --> 01:14:40,040
That's what consumes every debate Terraform versus bicep, which one wins.

2191
01:14:40,040 --> 01:14:41,360
But the actual trap is different.

2192
01:14:41,360 --> 01:14:44,280
It's choosing a tool without understanding the model underneath it.

2193
01:14:44,280 --> 01:14:46,880
Both tools work, neither is objectively wrong.

2194
01:14:46,880 --> 01:14:49,840
But each embeds a philosophy about how you manage infrastructure.

2195
01:14:49,840 --> 01:14:52,960
That philosophy has consequences that compound over years.

2196
01:14:52,960 --> 01:14:56,480
Most organizations never explicitly choose which philosophy they're adopting.

2197
01:14:56,480 --> 01:14:59,560
They pick what's popular or what their platform team recommends.

2198
01:14:59,560 --> 01:15:01,280
Then they live with the consequences.

2199
01:15:01,280 --> 01:15:05,800
Terraform's trap is that the state file becomes a system you're managing instead of a means to an end.

2200
01:15:05,800 --> 01:15:07,800
You started wanting to deploy infrastructure.

2201
01:15:07,800 --> 01:15:11,040
Now you're managing state backends, worrying about concurrent runs,

2202
01:15:11,040 --> 01:15:14,360
troubleshooting lock failures, maintaining version history.

2203
01:15:14,360 --> 01:15:17,960
The tool you adopted to simplify deployment created operational work

2204
01:15:17,960 --> 01:15:20,320
that often exceeds the original problem you were solving.

2205
01:15:20,320 --> 01:15:24,560
The state file is powerful, but it's still an abstraction that requires operational care.

2206
01:15:24,560 --> 01:15:28,320
Most teams spend more time managing the manager than managing the infrastructure.

2207
01:15:28,320 --> 01:15:31,440
bicep's trap is different. It's not overhead, it's optionality.

2208
01:15:31,440 --> 01:15:33,280
You commit to Azure completely.

2209
01:15:33,280 --> 01:15:36,200
If your strategy shifts, if you need to operate on another cloud,

2210
01:15:36,200 --> 01:15:39,200
if you need multi-cloud consistency, bicep can't go with you.

2211
01:15:39,200 --> 01:15:43,000
You're locked in, not by license or contract, by architectural choice.

2212
01:15:43,000 --> 01:15:44,400
That lock-in might never matter.

2213
01:15:44,400 --> 01:15:46,040
But if it does, the cost is enormous.

2214
01:15:46,040 --> 01:15:47,440
These aren't tool failures.

2215
01:15:47,440 --> 01:15:49,960
They're natural consequences of the models underneath.

2216
01:15:49,960 --> 01:15:52,240
Both work well if they align with your actual situation.

2217
01:15:52,240 --> 01:15:53,600
Both fail hard if they don't.

2218
01:15:53,600 --> 01:15:55,560
The real question isn't which tool is better.

2219
01:15:55,560 --> 01:16:00,040
It's which operational model aligns with your team structure, your strategy and your risk tolerance.

2220
01:16:00,040 --> 01:16:04,920
If your strategy is Azure only for the foreseeable future, bicep's lock-in isn't a trap.

2221
01:16:04,920 --> 01:16:05,800
It's clarity.

2222
01:16:05,800 --> 01:16:07,840
You're not giving up optionality you need.

2223
01:16:07,840 --> 01:16:10,480
If your strategy demands flexibility across clouds,

2224
01:16:10,480 --> 01:16:12,600
terraforms state burden is acceptable.

2225
01:16:12,600 --> 01:16:16,920
The alternative, separate tools, separate processes, separate skill sets is worse.

2226
01:16:16,920 --> 01:16:19,520
Avoiding the trap means measuring what actually matters.

2227
01:16:19,520 --> 01:16:20,840
Don't measure adoption.

2228
01:16:20,840 --> 01:16:22,080
Measure outcomes.

2229
01:16:22,080 --> 01:16:23,200
Control coverage.

2230
01:16:23,200 --> 01:16:24,680
Compliance pass rates.

2231
01:16:24,680 --> 01:16:25,800
Incident reduction.

2232
01:16:25,800 --> 01:16:26,800
Audit readiness.

2233
01:16:26,800 --> 01:16:29,200
These metrics tell you whether your choice is working.

2234
01:16:29,200 --> 01:16:33,520
If you're deploying through code, but incidents aren't dropping, something is misaligned.

2235
01:16:33,520 --> 01:16:37,360
The hybrid reality is most mature organizations use both tools.

2236
01:16:37,360 --> 01:16:41,160
Not because they couldn't make one work, because different layers need different approaches.

2237
01:16:41,160 --> 01:16:44,720
Tools that look like competitors become complementary as infrastructure scales.

2238
01:16:44,720 --> 01:16:48,680
Future-proofing means selecting tools that let you evolve without complete rewrites.

2239
01:16:48,680 --> 01:16:53,440
If vendor lock-in prevents changing direction without years of migration, that's risk.

2240
01:16:53,440 --> 01:16:57,320
If your choice is flexible enough to shift without massive effort, that's resilience.

2241
01:16:57,320 --> 01:17:00,040
Invest in governance, regardless of which tool you pick.

2242
01:17:00,040 --> 01:17:05,720
Policy as code, automated compliance, infrastructure standards, these work with terraform or bicep or both.

2243
01:17:05,720 --> 01:17:07,120
They're what controls your risk.

2244
01:17:07,120 --> 01:17:09,040
The tool is secondary to governance quality.

2245
01:17:09,040 --> 01:17:10,840
That clarity changes everything.

2246
01:17:10,840 --> 01:17:12,720
The operational tolerance decision.

2247
01:17:12,720 --> 01:17:17,280
The choice between terraform and bicep is ultimately a choice about operational tolerance.

2248
01:17:17,280 --> 01:17:20,960
Terraform means you own orchestration, state management, complexity.

2249
01:17:20,960 --> 01:17:23,400
You get explicit control and multi-cloud reach.

2250
01:17:23,400 --> 01:17:26,640
You accept the burden of managing a system that manages infrastructure.

2251
01:17:26,640 --> 01:17:29,640
Bicep means you own code as your own state.

2252
01:17:29,640 --> 01:17:31,440
You inherit platform constraints.

2253
01:17:31,440 --> 01:17:33,600
You get simplicity and native integration.

2254
01:17:33,600 --> 01:17:35,440
You accept being locked to one cloud.

2255
01:17:35,440 --> 01:17:36,920
Neither is universally right.

2256
01:17:36,920 --> 01:17:37,920
Both require trade-offs.

2257
01:17:37,920 --> 01:17:42,880
The real decision is which trade-off aligns with your team, strategy and risk tolerance.

2258
01:17:42,880 --> 01:17:46,280
The market is moving toward hybrid approaches and governance first thinking.

2259
01:17:46,280 --> 01:17:49,120
Most organizations will eventually use multiple tools.

2260
01:17:49,120 --> 01:17:50,120
Your next step.

2261
01:17:50,120 --> 01:17:52,240
Ordered your current IAC state.

2262
01:17:52,240 --> 01:17:56,000
Measure real operational costs, incident rates, audit readiness, align your tool choice with

2263
01:17:56,000 --> 01:17:57,280
your actual strategy.

2264
01:17:57,280 --> 01:18:01,040
The best IAC tool is the one your team can operate reliably and evolve confidently.

2265
01:18:01,040 --> 01:18:02,720
That's not the same tool for everyone.