Why this exists

Existing Azure resources don't have to be a write-off.

Most teams know they should be using infrastructure-as-code, but the existing environment feels too tangled to touch. Rebuilding from scratch is a multi-month project nobody can justify. The Brownfield Migration takes the practical path: phased imports, careful validation, and a working Terraform repo at the end — with the live environment untouched throughout.

What's included

From portal-managed chaos to clean Terraform.

Discovery & inventory

Full mapping of what exists across subscriptions: compute, networking, identity, data, services. We catalog everything before importing anything.

Import strategy

What to import as-is, what to refactor, what to leave alone. Order of operations, risk callouts, and a clear go/no-go for each resource group.

Module structure

Codebase organised the way your team will actually use it — not a flat dump of imports. Reusable modules where it makes sense, imports kept lean.

Phased import & validation

Resources imported in waves. Each wave is plan-clean (no drift) before we move to the next. Live infrastructure stays unchanged.

State management setup

Remote state with locking, state separation by environment, secrets handling, and a clear pattern for going forward.

Team handover & training

Walkthrough of the codebase, how to make changes safely, and a starter set of changes done together. Your team owns it from day one.

Deliverables

What you get at the end.

→Terraform repositoryYour live environment, in code, with a clean plan. Modular, documented, and ready for your team to extend.
→Migration logWhat was imported, what was refactored, what was deliberately left out, and why. Future-you will need this.
→Operating modelHow changes get made now: branching, review, plan, apply. Short and specific, not a 50-page tome.
→Walkthrough & first changeLive session with your team. We walk the codebase, then make a real change together so you've done it once before we leave.

Timeline

Three phases. Two to four weeks.

Week 1

Discover & plan

Inventory, dependencies, risk assessment, import plan. Agreed before any code is written.

Weeks 1–3

Import & refactor

Phased imports, drift checks, module refactoring. Live environment unchanged. Plan-clean at every checkpoint.

Final week

Hand over

Walkthrough, training session, and a real change made together. Your team owns the codebase.

FAQ

Common questions.

Will the migration cause downtime?

No. Terraform import doesn't change the resource itself — it just brings it under management. We validate plan-clean at every step before moving on. If we ever need to recreate a resource, we'll flag it explicitly and agree the approach before it happens.

Should we audit first or migrate first?

An Azure Audit & Drift Control first is often the right call — it surfaces what you have, what's risky, and whether migration order should be informed by other priorities. For straightforward environments we can skip ahead.

What about resources we want to redesign?

We import them as-is during this engagement, then tag them for redesign in a follow-up. Migration first, refactor second — it keeps risk contained and progress visible.

Do you import everything?

Not always. Some resources (managed identities, ephemeral resources, third-party integrations) are better handled outside Terraform. We agree the boundary up front.

After this, what's next?

Two common paths: CI/CD & Release Engineering Setup to wire up safe pipelines, or Terraform Standardisation Framework if you have multiple teams about to touch the new codebase.

Brownfield Terraform Migration.