What is Infrastructure as Code?
In short, infrastructure as code (IaC) means defining cloud infrastructure in code, typically declarative templates such as Terraform HCL or AWS CloudFormation, and sometimes a general-purpose programming language. That lets you apply software development practices such as version control, code review, automated testing and continuous integration/continuous delivery (CI/CD) to infrastructure. You declare the configuration you want your cloud environment to have, and IaC tools deploy that configuration and create the corresponding infrastructure.
With IaC, a server is no longer clicked together in a console: its image, instance type, network placement and security group rules are written down in a template that is checked in alongside the application code and deployed by a tool.
By treating infrastructure like code, you gain a number of benefits:
- Speed:
You can quickly launch pre-approved infrastructure instead of painstakingly creating it by hand every time. A single template and command can create (and destroy!) thousands of cloud resources in minutes, which lets development teams push out new features quickly.
- Security and Quality:
IaC templates can be evaluated by automated tests and reviewed by security teams before anything is deployed. The end result is higher-quality infrastructure with fewer functional and security issues.
- Consistency:
You can deploy the same template repeatedly and know that you will end up with exactly what the IaC defines, every single time, rather than with whatever a particular engineer remembered to configure.
- Version Control:
You can keep IaC in version control, most commonly with a service like GitHub or GitLab, so you can track every change, collaborate on code reviews, and roll infrastructure back to a previous known-good state if needed.
- Test and Deploy Automation:
You can use CI/CD systems such as Jenkins or CircleCI to run tests against your infrastructure definitions at different stages of development and then deploy to the cloud runtime environment. This enables automated security and compliance validation in the pipeline, so misconfigurations in the templates are caught before any cloud infrastructure is created.
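The pipeline check described above, as an added example in Python that is not from the original page and not Fugue's own tooling: a small scanner that parses a CloudFormation-style template (which is also what the server definition mentioned earlier boils down to), runs a check per resource type, and exits non-zero so a CI job can block the deployment. The template, the resource names, the rule identifiers and the "admin ports" list are constructed for illustration.

```python
"""Static security checks over an IaC template, intended to run in CI before deployment."""
import ipaddress
import json
import sys

# Constructed CloudFormation-style template (an assumption for this example, not a real
# deployment): one web server, its security group, and a log bucket.
TEMPLATE_JSON = r"""
{
  "Resources": {
    "WebServer": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "ImageId": "ami-0123456789abcdef0",
        "InstanceType": "t3.micro",
        "SecurityGroupIds": [{"Ref": "WebSg"}]
      }
    },
    "WebSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "LogBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"AccessControl": "PublicRead"}
    }
  }
}
"""

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never reachable from the whole internet


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0; any other prefix is treated as scoped."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_group(name, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if not cidr or not is_world_open(cidr):
            continue
        proto = str(rule.get("IpProtocol", "-1"))
        if proto == "-1":                      # all protocols and all ports
            exposed = set(ADMIN_PORTS)
        elif proto in ("tcp", "6"):
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            exposed = {p for p in ADMIN_PORTS if lo <= p <= hi}
        else:
            continue                            # UDP/ICMP rules are out of scope here
        for port in sorted(exposed):
            findings.append((name, "SG_ADMIN_PORT_WORLD_OPEN",
                             f"port {port} open to {cidr}"))
    return findings


def check_s3_bucket(name, props):
    findings = []
    if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
        findings.append((name, "S3_PUBLIC_ACL", f"AccessControl is {props['AccessControl']}"))
    if "BucketEncryption" not in props:
        findings.append((name, "S3_NO_ENCRYPTION", "no BucketEncryption configured"))
    return findings


# Resource type -> check function; extending the scanner means adding one entry here.
CHECKS = {
    "AWS::EC2::SecurityGroup": check_security_group,
    "AWS::S3::Bucket": check_s3_bucket,
}


def scan_template(template):
    """Return a list of (resource, rule_id, detail) findings for a parsed template."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


def scan_json(text):
    """Parse a JSON template string and scan it."""
    return scan_template(json.loads(text))


def main():
    findings = scan_json(TEMPLATE_JSON)
    for resource, rule_id, detail in findings:
        print(f"FAIL {rule_id}: {resource}: {detail}")
    # A non-zero exit code is what makes the CI job block the deployment.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it against the constructed template and it reports SSH open to the world on `WebSg` and a public, unencrypted `LogBucket`, while the HTTPS rule passes. The point of the `CHECKS` table is that policy lives in one place and grows with the resource types you use; a real scanner would also resolve `Ref`s so that a check on the instance can see the security group attached to it.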
IaC gotchas & things to be aware of
Infrastructure as code delivers enormous benefits, but organizations still need to pay close attention to other areas:
- Don't focus only on IaC and what happens pre-deployment; runtime operations matter. There are many aspects of cloud infrastructure that can only be assessed and managed at runtime:
  - Cloud providers have many default resources, configurations, and behaviors that aren't managed through IaC. For instance, Amazon S3 "MFA delete" cannot be enabled from the console and, in practice, not from a template either: it must be enabled by the account's root user with an MFA code through the CLI or API, so an IaC scan alone will never tell you whether it is set.
  - Cloud resources are interconnected. For example, an IAM policy defined at the account level governs access to a set of storage resources, and such relationships are often not captured within IaC templates, which typically describe individual resources.
  - Configuration drift happens. Inevitably, people still make changes to cloud infrastructure in the management console or with individual CLI commands, often during testing or by mistake. The runtime infrastructure then "drifts" from the IaC definitions, and the differences need to be detected, reviewed and reconciled, either by bringing the code up to date or by redeploying from it.
- Cloud security starts with code. As organizations shift to IaC, the security of that code becomes all the more important. A resource that is misconfigured in a template becomes a misconfigured runtime resource, and at the speed and scale IaC enables, one bad template can be stamped out many times over before anyone notices.
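A minimal drift check, as an added example that is not from the original page or from Fugue: it compares the resources a template declares against an inventory of what is actually running and reports the cases the bullets above describe: attributes that changed after deployment, settings such as MFA delete that the code never manages, resources created by hand, and declared resources that have gone missing. The declared and live data, the Terraform-style resource addresses and the attribute names are constructed for illustration; a real implementation would pull the live side from the provider's API.

```python
"""Detect configuration drift: compare what IaC declares against what is running."""
import json

# Constructed sample data (an assumption for this example). Keys are resource
# addresses in Terraform style; values are the attributes each source reports.
DECLARED = {  # what the IaC templates say should exist
    "aws_s3_bucket.logs": {"acl": "private", "versioning": True},
    "aws_security_group.web": {
        "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}],
    },
    "aws_cloudtrail.main": {"enabled": True},
}
LIVE = {  # what an inventory of the account returned at runtime
    "aws_s3_bucket.logs": {"acl": "private", "versioning": True, "mfa_delete": False},
    "aws_security_group.web": {
        # someone added SSH from anywhere in the console "just for a quick test"
        "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}],
    },
    "aws_s3_bucket.scratch": {"acl": "public-read"},   # created by hand, never in IaC
}


def canon(value):
    """Order-insensitive form so [a, b] and [b, a] compare equal."""
    if isinstance(value, list):
        return sorted(json.dumps(v, sort_keys=True) for v in value)
    return value


def diff_resource(declared, live):
    """Return (drifted attributes, attributes only the runtime knows about)."""
    drifted = {}
    for attr, want in declared.items():
        got = live.get(attr)
        if canon(got) != canon(want):
            drifted[attr] = {"declared": want, "live": got}
    unmanaged = sorted(set(live) - set(declared))
    return drifted, unmanaged


def detect_drift(declared, live):
    """Classify every declared and live resource into one of four buckets."""
    report = {"drifted": {}, "unmanaged_attributes": {},
              "unmanaged_resources": [], "missing": []}
    for address, want in declared.items():
        if address not in live:
            report["missing"].append(address)      # deleted or never deployed
            continue
        drifted, unmanaged = diff_resource(want, live[address])
        if drifted:
            report["drifted"][address] = drifted
        if unmanaged:
            report["unmanaged_attributes"][address] = unmanaged
    report["unmanaged_resources"] = sorted(set(live) - set(declared))
    return report


def has_drift(report):
    """Unmanaged attributes are not drift; they are settings IaC never covered."""
    return any(report[k] for k in ("drifted", "unmanaged_resources", "missing"))


def main():
    report = detect_drift(DECLARED, LIVE)
    print(json.dumps(report, indent=2, sort_keys=True))
    return 1 if has_drift(report) else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

On the constructed data the report shows the extra SSH rule on `aws_security_group.web` as drift, `aws_s3_bucket.scratch` as an unmanaged resource, `aws_cloudtrail.main` as missing, and `mfa_delete` on the log bucket as an attribute the code never declared. That last bucket is deliberately kept out of `has_drift`: it is not something to reconcile back into the template but something that needs its own runtime check.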
How Fugue Can Help
Fugue discovers resources in infrastructure as code (IaC) templates and in the cloud and checks these resources for security issues, compliance violations, and other misconfigurations. When teams use Fugue in their development workflows and CI/CD pipelines, they receive feedback about these security deficiencies and misconfigurations early in the development process. This automation and rapid, early feedback means engineers can iterate more quickly and be much more confident in the security of the infrastructure they build and operate.
Cloud engineering teams use a variety of tools and services to get their job done. Fugue easily integrates with the tools and workflows your team already has in place. This includes supporting a variety of code repositories, CI/CD services, and IaC template formats.