Well-Architected Framework
Create immutable infrastructure
Immutable infrastructure is infrastructure that, once deployed, is never modified—only replaced. When you need to update an application, change a configuration, or apply a security patch, you build a new infrastructure artifact with those changes and deploy it to replace the existing infrastructure. You never connect to running servers to make manual changes or run update commands.
Infrastructure as code (IaC) tools like Terraform manage immutable infrastructure by destroying and recreating resources when changes occur, ensuring your actual infrastructure always matches your code.
Why use immutable infrastructure
Immutable infrastructure addresses the following operational challenges:
Eliminate configuration drift: Manual updates and in-place modifications cause servers to diverge from their original configuration over time. Immutable infrastructure prevents drift by deploying identical artifacts, ensuring all infrastructure matches your IaC.
Prevent manual change errors: Connecting to production servers to apply updates manually introduces human errors such as typos, forgotten steps, or changes applied to the wrong servers, any of which can cause outages. Immutable infrastructure removes the need for manual server access, applying all changes through tested, version-controlled code.
Enable reliable rollbacks: Because every deployment is a versioned artifact, you roll back by redeploying the previous artifact instead of repairing the current infrastructure in place.
Simplify security compliance: Auditors require proof that production infrastructure hasn't been modified outside approved processes, but manual changes leave incomplete audit trails. Immutable infrastructure creates audit trails through version control and CI/CD logs, showing exactly what changed, when, and who approved it.
Types of immutable infrastructure
You implement immutable infrastructure by building artifacts that contain your application and dependencies, then deploying those artifacts with infrastructure as code. Immutable infrastructure for running applications includes virtual machines and containers.
HashiCorp co-founder and CTO Armon Dadgar explains the differences and trade-offs between mutable and immutable infrastructure:
Virtual machines
Virtual machines provide immutable infrastructure by packaging your entire application stack, including the operating system, dependencies, and application code, into machine images like AWS AMIs, Azure images, or GCP images. You build these images with Packer, deploy them with Terraform, and replace them entirely when updates are needed. Virtual machines offer complete control over the operating system and work well for legacy applications, but they require more resources than containers and take longer to start.
Use virtual machines when you have the following requirements:
- You need complete control over the operating system and kernel
- Your application requires specific OS configurations or kernel modules
- You're migrating legacy applications that expect full VM environments
- You want the simplest deployment model without orchestrator complexity
- Your organization lacks container orchestration expertise
Learn more in Create immutable virtual machines.
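The Packer-to-Terraform flow described above, as an added example that is not part of the original page or HashiCorp's own code: Packer bakes the application into a fresh AMI on every build, and Terraform picks up the newest image and replaces the instance rather than editing it. The region, instance size and the "web" naming are assumptions.

```hcl
# Added example (not the page's code): region, size and "web" names are assumed.
# --- web.pkr.hcl (Packer) ---
packer {
  required_plugins {
    amazon = {
      source  = "github.com/hashicorp/amazon"
      version = ">= 1.0.0"
    }
  }
}
locals {
  build_id = formatdate("YYYYMMDDhhmmss", timestamp())
}

source "amazon-ebs" "web" {
  region        = "us-east-1"
  instance_type = "t3.micro"
  ssh_username  = "ec2-user"
  ami_name      = "web-${local.build_id}" # every build is a new, versioned artifact
  source_ami_filter {
    filters     = { name = "al2023-ami-2023*-x86_64" } # Amazon's public AL2023 base
    owners      = ["amazon"]
    most_recent = true
  }
}

build {
  sources = ["source.amazon-ebs.web"]
  # All changes happen here, at build time, never on a running server.
  provisioner "shell" {
    inline = ["sudo dnf install -y nginx", "sudo systemctl enable nginx"]
  }
}
# --- main.tf (Terraform) ---
data "aws_ami" "web" {
  most_recent = true
  owners      = ["self"]
  filter {
    name   = "name"
    values = ["web-*"]
  }
}
resource "aws_instance" "web" {
  ami           = data.aws_ami.web.id # a new AMI id forces replacement, not an in-place edit
  instance_type = "t3.micro"
  lifecycle {
    create_before_destroy = true # the replacement comes up before the old one goes
  }
}
```

Because the `data "aws_ami"` lookup changes only when a new build lands, a `terraform plan` that shows the instance being replaced is itself the audit record of the change.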
Containers
Containers provide immutable infrastructure at the application layer by packaging your application and its dependencies into container images that run on any platform with a compatible container runtime. You build these images with Dockerfiles or Packer, and container orchestrators like Kubernetes and Nomad deploy them as immutable containers. Containers are lightweight, start quickly, and enable efficient resource utilization, but they require an orchestrator to manage them.
Use containers when you have the following requirements:
- You want fast startup times and efficient resource utilization
- You're running microservices that scale independently
- You want portability across cloud providers and on-premises infrastructure
- Your team has Kubernetes or Nomad orchestration experience
- You need to run many isolated applications on shared infrastructure
Learn more in Create immutable containers.
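A Nomad job that deploys a built image as an immutable container, as an added example that is not from the original page or from HashiCorp: it pins the image by digest, keeps the root filesystem read-only, and rolls back to the previous image if the new one fails health checks. The registry, digest placeholder, ports and health path are assumptions.

```hcl
# Added example (not the page's code): registry, digest, ports and health
# path are assumptions; the digest is a placeholder for the one your CI built.
job "web" {
  datacenters = ["dc1"]
  type        = "service"

  update {
    max_parallel = 1
    health_check = "checks"
    auto_revert  = true # unhealthy rollout: redeploy the previous image, don't patch
  }

  group "web" {
    count = 3
    network {
      port "http" { to = 8080 }
    }

    task "web" {
      driver = "docker"
      config {
        # Pin by digest: a tag can be re-pushed, a digest names one exact artifact.
        image           = "registry.example.internal/web@sha256:<DIGEST-FROM-CI>"
        force_pull      = true
        readonly_rootfs = true # the container cannot be changed in place either
        ports           = ["http"]
      }
      resources {
        cpu    = 200
        memory = 128
      }
      service {
        name = "web"
        port = "http"
        check {
          type     = "http"
          path     = "/healthz"
          interval = "10s"
          timeout  = "2s"
        }
      }
    }
  }
}
```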
Secrets management for immutable infrastructure
Immutable infrastructure artifacts must never contain secrets like database passwords, API keys, or encryption keys. Secrets embedded in machine images or container images create security risks since anyone with access to the artifact can extract the secrets, and rotating credentials requires rebuilding and redeploying all artifacts.
Vault provides dynamic secrets for immutable infrastructure. Your infrastructure retrieves secrets from Vault at runtime. When a container or virtual machine starts, it authenticates to Vault and receives temporary credentials that expire after use. When you rotate secrets in Vault, all new infrastructure deployments automatically use the updated credentials without rebuilding artifacts.
You can learn more about secrets management in Use dynamic credentials.
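The runtime retrieval pattern described above, as an added example that is not part of the original page or Vault's own documentation: Terraform defines a short-lived database role in Vault, and a Vault Agent configuration baked into the image (containing no secret) authenticates the VM with its cloud identity at boot and renders the temporary credentials to a file. The "database" mount, "web" role, Vault address and file paths are assumptions.

```hcl
# Added example (not the page's code): the "database" mount, "web" role,
# Vault address and file paths are assumptions.
# --- vault.tf (Terraform, applied by the pipeline, never run on a server) ---
resource "vault_database_secret_backend_role" "web" {
  backend = "database"
  name    = "web"
  db_name = "app-postgres" # connection already configured on the mount
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";",
  ]
  default_ttl = 3600  # each credential expires an hour after issue
  max_ttl     = 14400
}

# --- /etc/vault-agent.hcl (baked into the image; contains no secret) ---
vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  # The VM authenticates with its IAM instance role, so no static token
  # is ever embedded in the AMI.
  method "aws" {
    mount_path = "auth/aws"
    config = {
      type = "iam"
      role = "web"
    }
  }
  sink "file" {
    config = {
      path = "/run/vault/token"
    }
  }
}

template {
  # Rendered at boot and re-rendered before the lease expires.
  contents = <<-EOT
    {{ with secret "database/creds/web" -}}
    DB_USER={{ .Data.username }}
    DB_PASS={{ .Data.password }}
    {{- end }}
  EOT
  destination = "/run/app/db.env"
  perms       = "0600"
}
```

Rotating the database root credential or changing the role's TTL in Vault takes effect on the next lease; the AMI never has to be rebuilt.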
HashiCorp resources:
- Build immutable infrastructure with Packer
- Automate Terraform with GitHub Actions
- Implement a GitOps workflow
- Configure and deploy container orchestration
- Learn how to package applications with Packer
- Learn how to deploy applications with immutable infrastructure
- Get started with Terraform tutorials for hands-on examples
- Read the Terraform documentation for infrastructure management features
Packer documentation:
- Follow hands-on Packer tutorials for image building
- Read the Packer documentation for core concepts
- Learn about Packer builders for different platforms
- Build images in AWS, Azure, or GCP
- Use HCP Packer to track image metadata
Vault for secrets management:
- Get started with Vault tutorials for hands-on examples
- Read the Vault documentation for secrets management features
- Read about dynamic secrets for immutable infrastructure
- Use Vault with Terraform for secure deployments
Next steps
In this section of Define your processes, you learned what immutable infrastructure is, why it increases reliability and security, and the two primary approaches for implementing it. Create immutable infrastructure is part of the Define and automate processes pillar.
- Create immutable virtual machines
- Create immutable containers