Infrastructure as Code (IaC)

Gui Alvarenga - March 29, 2023

What Is Infrastructure as Code (IaC)?

Infrastructure as Code (IaC) is the process of dynamically managing and provisioning infrastructure through code instead of a manual process to simplify app development, configuration, and runtime. IaC leverages code to:

  • Automate infrastructure provisioning, deployment, configuration, and management
  • Orchestrate the operation of all infrastructure components, such as hardware, software, networks, virtual machines, containers, databases and cloud infrastructure elements
  • Configure, monitor and manage all infrastructure components and systems

The widespread adoption of workloads, containers and cloud computing has made IaC an important part of DevOps, enabling automation and continuous monitoring of the entire application lifecycle, from integration and testing to delivery and deployment. It is also an important aspect of application and container security, as well as overall workload protection.

6 Benefits of IaC

In the modern IT landscape, IaC should be considered an essential component within the IT strategy. Even relatively simple infrastructure requirements can be made more efficient and cost effective by leveraging IaC principles.

While IaC may add complexity within the IT environment, the advantages of doing so generally outweigh the cost of implementation and management.

1. Speed

IaC is a critical enabler of agile development, continuous integration/continuous delivery (CI/CD) and DevOps practices. It eliminates most manual provisioning and configuration of cloud infrastructure components by allowing the team to provision infrastructure via a coded script for every environment, which is significantly faster.

2. Accuracy

By relying on code, IaC limits mistakes within the configuration process and also cuts down on inconsistencies that may occur when more than one person is responsible for configuration.

3. Accountability

You can put infrastructure and configuration changes under version control, as you would any other source code file. This gives you full traceability of changes made in your configurations, which you can rely on to hold users accountable if needed.

4. Efficiency

IaC is a strategic enabler of DevOps in that cloud infrastructure components can be made available rapidly as they are needed. It is modular in nature, which means that different pieces of code can be divided and combined to meet the needs of various use cases. This helps streamline software development and optimize resources within the IT team.

5. Cost savings

Automation generally leads to cost savings and IaC is no exception. By allowing organizations to optimize limited resources, including hardware costs, staffing costs, storage costs and more, IaC drives down overall costs and enables teams to focus on the higher-value tasks that require human oversight and intervention. Overall capital and operating expenses stay low.

6. Scalability

Infrastructure as Code makes it easy to scale up infrastructure management without overspending, because automation reduces misconfigurations and eliminates time-consuming interactions.

Mutable vs Immutable Infrastructure

One of the first decisions organizations have to make is how they’re going to automate infrastructure. They usually have two options: mutable and immutable infrastructure.

1. Mutable Infrastructure

Mutable infrastructure can be updated or modified after it has been provisioned. This type of infrastructure gives IT teams the flexibility to customize servers to more closely fit application requirements. Unfortunately, this comes with deployment inconsistencies and can make tracking more difficult.

2. Immutable Infrastructure

Immutable infrastructure, on the other hand, is infrastructure that cannot be modified after it has been provisioned. Since no changes can be made, completely new infrastructure must be provisioned whenever a change is needed. Although it sounds impractical, new infrastructure can be created in the cloud seamlessly, making it very feasible.

Expert Tip

Which type of infrastructure should you choose? 

While needs vary per organization, most choose to go the immutable infrastructure route. Immutable infrastructure makes it extremely simple to stay consistent within the deployment and test environments. Also, since it is capable of tracking previous infrastructure versions, you can easily change back to an older version if it is more efficient.

Declarative vs Imperative IaC

There are two main approaches for writing IaC code:

1. Declarative IaC

A declarative approach to IaC is one in which the user defines the future state and lists all resources and attributes within the infrastructure; the tool or platform then determines how best to install and configure the system to achieve that state.

2. Imperative IaC

An imperative approach requires far more input and specificity than a declarative approach. In this method, the developer or IT team will define the future state and also specify the process for doing so. The tool or system will not deviate from the steps within the process or change the order.

Expert Tip

Why is declarative IaC the preferred approach?

Most organizations tend to adopt a declarative approach because it offers far greater flexibility in enabling a variety of use cases. Specific benefits include:

  • Simplicity: Declarative IaC requires little input from the developer beyond specifying the desired future state.
  • Speed and flexibility: A declarative system automatically compiles an inventory of all objects within the environment. Having this record makes it easier and faster to alter or disassemble the infrastructure when needed in the future.
  • Automation: In a declarative approach, any changes made within the desired state are automatically applied by the IaC platform. In an imperative approach, it would be up to the developer to reflect the changes within the environment.
  • Optimization: In an IaC approach, organizations can limit deployment scripts and other imperative code, which helps contain and reduce technical debt over time.
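
The declarative model described above, as an added example that is not from the original article or from any IaC product: a toy engine in which the user supplies only the desired state and the engine works out the create, update and delete steps. The resource names, attributes and the plan and apply_plan functions are hypothetical; the sample "actual" state includes a firewall rule widened by hand, the kind of untracked change mutable infrastructure allows.

```python
# Added illustration: a toy declarative engine. Resource names and attributes
# below are constructed sample data, not tied to any real IaC tool.

def plan(desired, actual):
    """Compare desired state with actual state and return the ordered actions
    needed to converge. The caller never specifies the steps."""
    actions = []
    for name in sorted(desired.keys() - actual.keys()):
        actions.append(("create", name, desired[name]))
    for name in sorted(desired.keys() & actual.keys()):
        changed = {k: v for k, v in desired[name].items()
                   if actual[name].get(k) != v}
        if changed:
            actions.append(("update", name, changed))
    for name in sorted(actual.keys() - desired.keys()):
        actions.append(("delete", name, None))
    return actions

def apply_plan(actions, actual):
    """Execute a plan against a copy of the actual state and return the result."""
    state = {name: dict(attrs) for name, attrs in actual.items()}
    for op, name, attrs in actions:
        if op == "create":
            state[name] = dict(attrs)
        elif op == "update":
            state[name].update(attrs)
        else:  # delete
            del state[name]
    return state

# Desired state, as it would live in version control (constructed sample).
DESIRED = {
    "web-sg": {"ingress_port": 443, "ingress_cidr": "10.0.0.0/8"},
    "web-vm": {"image": "base-v2", "size": "small"},
}
# Actual state: the firewall rule was widened by hand, the VM does not exist
# yet, and an unmanaged leftover VM is still running (constructed sample).
ACTUAL = {
    "web-sg": {"ingress_port": 443, "ingress_cidr": "0.0.0.0/0"},
    "old-vm": {"image": "base-v1", "size": "small"},
}

if __name__ == "__main__":
    steps = plan(DESIRED, ACTUAL)
    for step in steps:
        print(step)
    converged = apply_plan(steps, ACTUAL)
    print("second plan:", plan(DESIRED, converged))  # nothing left to do
```

Running the plan a second time against the converged state returns no actions, which is the idempotence that lets a declarative tool be re-run safely and lets an empty plan serve as a drift check.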

IaC Platforms and Tools

Some of the most popular infrastructure as code platforms and tools include:

Platform/Tool: Description

  • Terraform: Terraform is an open source IaC tool that allows developers to define and provide data center infrastructure across a variety of platforms, including Amazon Web Services (AWS), Microsoft Azure, Oracle Cloud, Google Cloud Platform and other public cloud platforms.
  • Pulumi: Pulumi is an open source IaC software development kit (SDK) that allows developers to create, deploy, and manage infrastructure on any cloud, using a variety of languages, including Python, TypeScript, JavaScript, Go, C#, and F#.
  • Ansible: Ansible is an IaC tool that supports application development for IBM Power Systems clients. Like Terraform and Pulumi, Ansible is an open source resource that can automate provisioning, configuration management, and application deployment.
  • Chef Infra: Chef Infra, along with Puppet, is a pioneer in the DevOps space and one of the first infrastructure management tools for defining IaC.
  • Puppet: Puppet, another infrastructure as code pioneer, is a software configuration management tool that uses its own declarative language and models to configure systems.
  • CFEngine: CFEngine is another open source configuration management system. It is considered to be one of the most mature tools on the market and can support complex configuration needs.
  • AWS CloudFormation: AWS CloudFormation is an IaC tool that enables users to model, provision, and manage AWS infrastructure as well as other external resources.
  • Azure Resource Templates (ART): Azure Resource Templates is an infrastructure as code service that uses JSON to configure infrastructure components within the Azure environment.
  • Google Cloud Deployment Manager: Google Cloud Deployment Manager is an infrastructure deployment service that automates the creation and management of Google Cloud resources.

IaC and automation simplify application development, delivery and deployment. They enable DevOps and IT to build, configure and manage the infrastructure more efficiently. Security is an extremely important aspect of building, delivering and deploying applications. Think it, Build it, Secure it with CrowdStrike.

How CrowdStrike Can Help

Organizations that choose infrastructure as code to manage their cloud are still exposed to threats and vulnerabilities potentially lurking in their cloud environment. CrowdStrike Falcon® Cloud Security provides unique insights into adversaries and delivers cloud native full-stack security that creates less work for security teams, defends against cloud breaches, and optimizes multi-cloud deployments.

GET TO KNOW THE AUTHOR

Guilherme (Gui) Alvarenga is a Sr. Product Marketing Manager for the Cloud Security portfolio at CrowdStrike. He has over 15 years of experience driving Cloud, SaaS, Network and ML solutions for companies such as Check Point, NEC and Cisco Systems. He graduated in Advertising and Marketing at the Universidade Paulista in Brazil, and pursued his MBA at San Jose State University. He studied Applied Computing at Stanford University, and specialized in Cloud Security and Threat Hunting.