Everything was fine… until it wasn’t

Everything was working.

No alerts. No tickets. No angry Slack messages.

You ran your automation like you’ve done a hundred times before.

And then…

Something disappeared.
Something changed.
Something broke.

And the worst part?

Your automation said everything was successful.

Welcome to state.

What “State” Actually Is (In Human Terms)

When people talk about Infrastructure as Code, they usually focus on:

• Version control

• Repeatable deployments

• Automation

But behind all of that… there’s something quietly keeping score.

State is what your IaC tool believes exists.

Not what actually exists.
Not what was changed 10 minutes ago.
Not what someone “just quickly fixed” in the CLI.

Just… what it thinks is true.

Think of it like this:

State is a network diagram that updates automatically…
but sometimes lies to you with full confidence.

Why State Exists (And Why You Actually Need It)

Before we start blaming state for everything…

It’s doing something important.

Your IaC tool needs to answer three questions:

1. What exists right now?

2. What should exist?

3. What needs to change to get there?

Without state:

• Every run would be a blind push

• Or a full tear-down and rebuild

• Or worse… unpredictable results every time

State is what makes IaC efficient instead of chaotic.

Here’s Where Things Get Dangerous

State works perfectly…

👉 As long as nothing changes outside of it.

And if you’ve worked in networking for more than 5 minutes…

You already know that’s not reality.

Problem #1: Drift (AKA “Who Touched My Config?”)

Drift happens when:

• Someone makes a manual change

• A hotfix gets applied directly

• A controller updates something behind the scenes

Now your real environment ≠ your state file.

So what happens next?

You run your automation again.

👉 And it “fixes” the difference.

Meaning:

Congrats. Your firewall just undid a critical change from two hours ago.

Problem #2: Stale State (Yesterday’s Truth, Today’s Problem)

Sometimes nothing changed manually.

But your state is just… old.

Maybe:

• The last run failed halfway

• The state file didn’t update correctly

• Another process modified things

Now your tool is operating on outdated assumptions.

“I updated the VLAN.”
Cool… except that VLAN hasn’t existed since Tuesday.

Problem #3: Shared State (Team Chaos Mode)

Things get really fun when multiple people or pipelines are involved.

• Two engineers run automation at the same time

• One pipeline overwrites another

• State gets updated mid-run

Now you’ve got:

• Race conditions

• Conflicting changes

• “It worked on my run” arguments

Problem #4: Losing State (The Oh No Scenario)

If your state file disappears or gets corrupted…

You don’t just lose data.

You lose awareness.

Your IaC tool now has no idea:

• What exists

• What it created

• What it should manage

At that point, your options are:

• Rebuild everything

• Or manually figure it out

Neither one feels great.

Why Network Engineers Feel This Pain More Than Anyone

In theory, IaC assumes:

All changes go through code.

In reality, networking looks more like:

• Emergency CLI fixes

• Vendor GUIs making “helpful” changes

• Multiple systems touching the same config

• Partial automation

Which means:

👉 Drift isn’t rare.
👉 It’s constant.

The Real Problem

IaC doesn’t just manage your network.

It manages your understanding of your network.

And if that understanding is wrong…

Everything built on top of it will be wrong too.

What You’ll Learn in the Rest of This Issue

In the full version, I’ll walk you through how to:

• Prevent config drift from silently breaking your environment

• Safely manage state across multiple engineers and pipelines

• Avoid the “automation just wiped my change” nightmare

• Build a workflow that actually works in real-world networks

Because state isn’t the problem.

Ignoring it is.

🔒 Continue Reading (Extended Version)

Let’s Fix This Before It Fixes You