I love GitOps

Why is GitOps so awesome? Let me count the ways.

Hey folks,

I love GitOps. GitOps, if the term is new to you, is a methodology for managing resources (applications or infrastructure) through changes in Git.

Here is why I think it is so great:

  1. The entire engineering org already has access to and knows Git. It's already part of their workflow.

  2. With GitOps, you easily capture the history of WHO did WHAT and WHEN. This is huge for compliance, but even more importantly your organization now has a record of what is going on without a lot of effort or additional cost.

  3. Sometimes you even get a good WHY if people follow good commit/PR description etiquette. I wrote more about the PR process and the WHY here.

  4. If you use a Git tool which has something like Codeowners, you have the ability to say "Prod changes in project X need these folks' approval", offering further auditability of decisions.

  5. With most TACOS, you drive your TF workflows with GitOps and it’s a huge win. Not sure what a TACOS is? Check out my thoughts here. And if you’re a GitOps purist, you can use TofuController or Terrakube to integrate TF with GitOps. We wrote more about TofuController here.

Plenty of platforms want to manage your state, but if you use them you lose the above benefits. When the state is in Git your org already knows how to use this technology and is already using it, which is a massive benefit.

One of the topics that commonly comes up when I bring up GitOps is “What do you do with Secrets?” People worry about storing secrets in Git. To do so, you need to encrypt them. That's the whole idea behind SOPS, which we use and highly recommend. The more complicated secrets management platforms like Infisical, Vault, or OpenBao also have their place when rotation and secret management across an entire organization are critical.
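The SOPS workflow above only keeps Git safe if nobody commits a secrets file that was never encrypted, or hand-edits an encrypted one and adds a plaintext key. As an added example (not Masterpoint's code or part of the original post), here is a small pre-commit style guard that refuses a file unless the `sops` metadata block is present and every leaf value carries a SOPS envelope. It assumes secrets are stored as SOPS-encrypted JSON with no unencrypted_suffix or unencrypted_regex configured; the sample documents are constructed.

```python
"""Pre-commit guard for SOPS-managed secrets files (added example, not
Masterpoint's code). Assumes SOPS JSON output with no unencrypted_suffix or
unencrypted_regex configured; the sample documents below are constructed."""
import json
import re
from typing import Any, List

# SOPS wraps every encrypted leaf in this envelope; the top-level `sops` block
# holds key-group metadata plus a MAC over the document and is not itself a leaf.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,type:(str|int|float|bool)\]$"
)


def find_plaintext_leaves(node: Any, path: str = "") -> List[str]:
    """Return the paths of leaf values that are not SOPS envelopes."""
    if isinstance(node, dict):
        found: List[str] = []
        for key, value in node.items():
            found += find_plaintext_leaves(value, f"{path}.{key}" if path else key)
        return found
    if isinstance(node, list):
        found = []
        for idx, value in enumerate(node):
            found += find_plaintext_leaves(value, f"{path}[{idx}]")
        return found
    if isinstance(node, str) and ENC_RE.match(node):
        return []
    return [path]  # a bare string, number or bool leaked into the file


def check_sops_file(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is safe to commit."""
    doc = json.loads(text)
    problems: List[str] = []
    meta = doc.get("sops") if isinstance(doc, dict) else None
    if not isinstance(meta, dict) or "mac" not in meta:
        problems.append("missing sops metadata block (file was never encrypted)")
    body = {k: v for k, v in doc.items() if k != "sops"} if isinstance(doc, dict) else doc
    problems += [f"plaintext value at {p}" for p in find_plaintext_leaves(body)]
    return problems


# Constructed samples: the envelopes below carry dummy base64, not real ciphertext.
ENCRYPTED = json.dumps({
    "db": {"password": "ENC[AES256_GCM,data:QmFzZTY0,iv:aXY=,tag:dGFn,type:str]"},
    "sops": {"mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
             "version": "x.y.z-placeholder"},
})
PLAINTEXT = json.dumps({"db": {"password": "hunter2"}})
```

Wire `check_sops_file` into a pre-commit hook over your secrets paths and fail the commit on a non-empty result; the same walk works for YAML once you swap the loader.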

If you're storing your variable config and/or secrets in Azure Key Vault, AWS AppConfig or similar options, they are no longer tracked in Git. Your compliance and auditability suffer. To audit the full picture of the Who, What, When, and Why of a change, incident, or situation you now need to tie multiple tools together. You also have to ensure those tools are tracking the complete history, which is complex.

When everything is in Git, this is handled for you as part of your day-to-day operations.

May you always write great commit messages,

Matt @ Masterpoint

PS Did you know we have a referral program where you can make some extra cash? Know someone who needs some IaC expertise? Intro us and help out Masterpoint, one of your colleagues, and yourself at the same time. Or, if you want to chat through some tricky IaC issue that you or your org are running into, grab some time on my calendar here.