Infrastructure as Code

GitOps with Terraform and ArgoCD — Git as the Single Source of Truth

GitOps takes infrastructure as code to its logical conclusion: Git is the source of truth for both infrastructure and application state. Changes happen via pull requests. Automated reconciliation ensures the live environment matches what is in Git. We implement GitOps using Terraform for infrastructure provisioning and ArgoCD for Kubernetes application delivery, creating a unified workflow where every change is auditable, reviewable, and reversible.

What GitOps Actually Means in Practice

GitOps is not just "we keep our config in Git." That is version control, which you should have been doing anyway. GitOps adds two critical properties: declarative desired state and automated reconciliation. Your Git repository declares what the system should look like. An agent continuously compares the live system to the declared state and corrects any drift automatically.

For infrastructure (VPCs, databases, load balancers), Terraform handles the declarative state and a CI/CD pipeline handles reconciliation. When a PR merges changes to your Terraform code, the pipeline applies those changes. Drift detection catches out-of-band modifications and alerts the team or auto-corrects depending on your policy.

For Kubernetes workloads, ArgoCD runs inside your cluster and watches a Git repository. When manifests change in Git, ArgoCD detects the diff and syncs the cluster to match. This eliminates kubectl apply from developer workflows and ensures what is running in the cluster is exactly what is committed in Git — no more, no less.

The combination of Terraform for infrastructure and ArgoCD for application delivery gives you a complete GitOps stack. Every change, from a new VPC subnet to a container image update, flows through Git with a full audit trail, a review process, and automated rollback capability.

Our GitOps Implementation

We set up a repository structure that separates infrastructure code (Terraform) from application manifests (Kubernetes YAML or Helm charts). The infrastructure repo manages cloud resources via Terraform with a PR-based workflow: plan on PR, apply on merge. The application repo contains Kubernetes manifests that ArgoCD watches for changes.

ArgoCD is deployed in your Kubernetes cluster with SSO integration (GitHub, Google, Okta), RBAC policies per team, and the App of Apps pattern for managing multiple services. Each microservice gets its own ArgoCD Application resource that points to its directory in the Git repo. Sync policies are configured per application — some auto-sync on commit, others require manual sync for critical services.

Image update automation uses ArgoCD Image Updater or a CI pipeline that updates the image tag in the Git repo after a successful build. The pipeline builds the container, pushes it to the registry, updates the manifest in Git, and ArgoCD handles the rest. This keeps the Git repo as the source of truth even for image versions.

We configure health checks, sync windows (no production deploys on Fridays), notification integrations (Slack, PagerDuty), and progressive delivery via Argo Rollouts for canary and blue-green deployments. The entire setup is itself managed as code — ArgoCD's own configuration is in a bootstrap repository that ArgoCD watches, making the system fully self-managing.
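The per-application sync policies and the Friday sync window described above could be declared as follows. This is an added example, not configuration from the original page; the repository URL, project, application and namespace names are constructed placeholders.

```yaml
# Constructed example: repo URL, project, app and namespace names are placeholders.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: payments
  namespace: argocd
spec:
  sourceRepos:            # least privilege: only this repo may be deployed from
    - https://git.example.com/org/app-manifests.git
  destinations:           # ...and only into this team's namespaces
    - server: https://kubernetes.default.svc
      namespace: "payments-*"
  syncWindows:
    - kind: deny          # "no production deploys on Fridays"
      schedule: "0 0 * * 5"   # cron, Friday 00:00 (UTC unless timeZone is set)
      duration: 24h
      applications: ["*-prod"]
      manualSync: false   # manual syncs are blocked during the window as well
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: payments-api-staging
  namespace: argocd
spec:
  project: payments
  source:
    repoURL: https://git.example.com/org/app-manifests.git
    targetRevision: main
    path: services/payments-api/staging
  destination:
    server: https://kubernetes.default.svc
    namespace: payments-staging
  syncPolicy:
    automated:
      prune: true         # remove resources deleted from Git
      selfHeal: true      # revert out-of-band changes made in the cluster
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: payments-api-prod
  namespace: argocd
spec:
  project: payments
  source: {repoURL: "https://git.example.com/org/app-manifests.git", targetRevision: main, path: services/payments-api/prod}
  destination: {server: "https://kubernetes.default.svc", namespace: payments-prod}
  # No syncPolicy.automated: ArgoCD reports OutOfSync and waits for a manual sync.
```

Scoping `sourceRepos` and `destinations` in the AppProject means a compromised or mistaken Application in this project cannot pull manifests from another repository or deploy outside the team's namespaces.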

What You Get

A complete GitOps implementation spanning infrastructure and applications:

  • Repository structure — infrastructure and application repos with clear separation of concerns
  • Terraform GitOps — PR-based plan/apply workflow with drift detection and auto-correction
  • ArgoCD deployment — installed, configured with SSO, RBAC, and App of Apps pattern
  • Image automation — container builds trigger Git manifest updates, ArgoCD syncs to cluster
  • Progressive delivery — canary and blue-green deployments via Argo Rollouts
  • Sync policies — auto-sync for non-critical services, manual gates for production
  • Notifications — Slack/PagerDuty alerts on sync status, drift, and failures
  • Self-managing bootstrap — ArgoCD manages its own configuration via Git

Why Anubiz Engineering

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included
