Infrastructure as Code (IaC) is a method of writing and deploying machine-readable definition files that generate service components, thereby supporting the delivery of business systems and IT-enabled processes.
IaC helps IT operations teams manage and provision IT infrastructure automatically through code without relying on manual processes. That’s why IaC is often described as “programmable infrastructure”.
Infrastructure as Code can be applied to the entire IT landscape—but it is especially critical for:
- Cloud computing
- Infrastructure as a Services (IaaS)
In particularly, DevOps requires agile work processes and automated workflows which can only be achieved through the assurance of readily available IT Infrastructure, which is needed to run and test the developed code. This can only happen within an automated workflow.
Let’s take a look.
IaC for DevOps
Within the context of software development, a fundamental constraint is the need for the environment where recently developed software code is tested to exactly mirror the live environment where such code will be deployed to. This is the only way of assuring that the new code will not collide with existing code definitions: by generating errors or conflicts that may compromise the entire system.
- A System Administrator would setup up a physical server and install the operating system with all necessary service packs and tuning to mirror the status of the main operating live machine that supports the production environment.
- Then a Database Administrator would undergo the same process for the support database, and the machine would be handed off to a test team.
- The developer would deliver the code/program by copying it to the test machine, and the test team would run several operational and compliance tests.
- Once the new code has gone through the entire process, you can deploy it to the live, operational environment. In many cases, the new code won’t work correctly, so additional troubleshooting and rework are necessary.
(Understand the differences between deploying and releasing software.)
Manual recreation of a live environment leaves doors open to a multitude of most likely minor but potentially quite important human errors, regarding:
- OS version
- Patch level
- Time zone
A live environment clone, created using the exact same IaC as the live environment, has the absolute guarantee that that if it it works in the cloned environment it will work in live.
Imagine a software delivery process involving separate environments for:
There’s seemingly little value in having a DEV and UAT environment that isn’t an exact mirror of the prod environment given that those early environments are critical to measuring the quality and production readiness of a software build version.
The introduction of virtualization enabled this process to be expedited, especially regarding the phase of creating and updating a test server that would mirror the live environment. Yet the process was manual, meaning a human would have to create and update the machine accordingly and in a timely fashion.
With the introduction of DevOps, these process became even more “agile”. Adding automation to the server virtualization and testing phases replaces human intervention, improving productivity and efficiency.
To summarize: In the past, several man-hours and human resources were required to complete the software deployment cycle (Developers, Systems Administrators, Database Administrators, Operation testers). Now, it is possible to have the developer alone complete all tasks:
- The developer writes the application code and the configuration management-related instructions that will trigger actions from the virtualization environment, and other environments such as the database, appliances, testing tools, delivery tools, and more.
- Upon new code delivery, the configuration management instructions will automatically create a new virtual test environment with an application server plus database instance that exactly mirrors the live operational environment structure, both in terms of service packs and versioning as well as live data that is transferred to such virtual test environment. (This is the Infrastructure as Code part of the process.)
- Then a set of tools will perform necessary compliance tests and error identification and resolution. The new code is then ready for deployment to the live IT environment.
Benefits of Infrastructure as Code
Some of the major benefits of Infrastructure as Code are:
- Reducing shadow IT. Much of the shadow IT within organizations is due to the inability of IT departments to provide satisfactory and timely answers to operational areas, especially around IT infrastructure and systems enhancements. Shadow IT poses significant security risks as well as potential unforeseen costs for the organization. Enabling a fast response to new IT requirements through IaC assisted deployment assures higher security and compliance with corporate IT standards and helps with budgeting and cost allocation.
- Improving customer satisfaction. Being able to deliver a quality service component within a short period of time contributes to customer satisfaction and improved perception of IT within an organization (as measured by Net Promoter Score or other method).
- Lowering operational expenses (OpEx). If a company can configure and deploy a fully tested and compliant new IT Infrastructure asset within a matter of minutes, with minimal or no human intervention, this is a colossal saving in work time and security-related financial risk
- Lowering capital expenses (CapEx). Having a developer accomplish on her own the tasks of several team members, particularly in the context of DevOps, will significantly improve the project CapEx.
- Standardizing. Coding the creation of new infrastructure ensures a consistent set of instructions and standardization. Manual configurations are prone to errors and minor changes which can create ever so slight differences that, over time, result in major non-conformities with the standard (and technical debt).
- Managing change safely. Standardization assurance enables safer changes to take place, with lower deviation rates.
- Applying software delivery principles. Ability to promote and use software delivery principles, such as version control, peer programming, and code reviews, to Infrastructure results in fewer unplanned outages and better change history tracking.
- Harnessing scalable & immutable infrastructure. IaC provides the ability for additional resources to be provisioned during burst periods, allowing horizontal scaling and the ability to replace resources in the event of failure.
Risks involves with IaC
Of course, there are some risks to consider and account for in your IaC journey:
- Lacking proper planning. Once you decide to move towards an IaC-capable IT landscape, you must define infrastructure that will allow the implementation, configuration, and operation of IaC tools. A simple example: you can only create and operate virtual machines if you have in place a physical server infrastructure that can run a tool like VMware and is powerful and scalable enough (CPU, RAM, HDD) to support several heavy demanding simultaneous virtual machines running in parallel without any performance impact. You’ll also need redundancy that allows all to continue working within normal operational standards if problems occur.
- Needing new skills. Most existing IaC tools require expertise to be handled, and reaching such levels requires significant time in learning and training. Some companies are likely to start by resorting to outsourcing services until the tools become more user-friendly, staff is trained on the new tools, or new experts are brought on to the team.
- Replicating errors. Since the initial code is developed by humans, there is always the chance that it contains minor errors that will only produce impact after some time. The problem here is that meanwhile, several machines may have been automatically created where such errors exist. So there is the need for applying a solid auditing process to the creation of IaC generating code.
- Expecting configuration drift. Once a machine is created via an IaC workflow, it should not suffer intervention outside of an automated, aligned, and compliant maintenance workflow. Manual or external updates (even if just security patching) may result in configuration drifting which in time has the potential of producing massive non-compliance or even service failure.
- Handling accidental destruction. Some IaC tools that maintain state have the ability to automatically destroy resources should the code reflect that action. IaC in an automation pipeline can sometimes have undesired outcomes.
Infrastructure as Code tools
Today, a number of tools are available to adopt Infrastructure as Code. The right tool, of course, will differ for every Infrastructure or DevOps team. The available tools vary widely in usage and functionality.
Below is a high-level look at the most popular tools for building and managing your IaC. Remember, software forums and GitHub issue pages are packed with information, documentation, and people willing to assist—adopting IaC is much easier than it historically was.
Chef was developed under the perspective of enabling fast collaboration amongst team members and is, therefore, a DevOps context focused support asset.
Puppet has evolved targeting sheer processes automation, making it useful for the fast creation of new infrastructure per client requirements.
Although not specifically an IaC tool, Ansible is a popular open-source configuration management tool that does have the required modules to build infrastructure in a number of cloud and on premises providers. Whilst not cloud agnostic, Ansible does support multiple cloud providers.
Ansible is an agent less tool that operates over SSH (linux) or WinRM (windows). The Infrastructure configuration code is written in YAML. Ansible is not stateful and is therefore it’s main purpose is for creation of the infrastructure and not management of.
Generally, Ansible is great for configuration management, but not so great for building and managing cloud and on-premise infrastructure.
(Learn more about Ansible and how it differs from Control-M.)
Terraform is an open-source, stateful, multi-vendor IaC tool that codifies APIs into Terraform configuration files to allow teams to build and manage wide scale infrastructure estates with software delivery principles.
Though not cloud agnostic, Terraform is multi-cloud compatible. Additionally, it supports vendors who provide:
Terraform is widely supported by most common cloud and DevOps tooling. The Terraform Module Repository has a great deal of pre-written Terraform modules which you can simply populate with your input variables to build and manage your infrastructure. When building and maintaining infrastructure, Terraform requires approval before applying destructive changes, adding a safety net incase of “bad” IaC causing undesired outcomes.
When moving from a previously non IaC environment, it is possible to import your existing resources into Terraform for continue management. Beware: this is a very manual and time consuming task—but possible nonetheless.
CloudFormation is the AWS-specific Infrastructure as Code tool. Written in JSON and run via the AWS Console or AWS CLI, CloudFormation allows you to build and manage your infrastructure as code in AWS.
CloudFormation is not multi-cloud (obviously). However, it does offer the best AWS support whilst still being a stateful IaC tool. AWS provides a lot of templates that can be used to get started with CloudFormation so it’s pretty easy to get up and running.
Azure Resource Manager (ARM) templates are Microsoft’s implementation of IaC. ARM templates allow you to provision Microsoft Azure resources using a declarative template.
Importantly, ARM templates are neither stateful nor multi-cloud. They’re good simply for building infrastructure, not managing it moving forwards.
IaC supports agility
Thanks to benefits like automation and relying on code, Infrastructure as Code supports overall IT and business agility.