IaC tools harvest infrastructure as code rewards in the cloud

Getting your Trinity Audio player ready...

If you’re still using GUIs to manage cloud infrastructure, then it could be time to look at infrastructure as code (IaC) – an approach that builds on the ability to provision and request cloud resources through remote API calls. Advantages include automation and version control, and one of the most popular IaC tools is Terraform.

Getting started with IaC using Terraform follows a five-stage: scope, author, initialize, plan, and apply workflow. Users begin by identifying the infrastructure that’s needed for the task and then write a configuration file that defines those requirements. Rather than having to list all of the setup steps, infrastructure managers can instead declare the required end state and let Terraform figure out how to get there.

Once the requirements have been authored, the next stage in the IaC process is to install the plugins needed for Terraform to communicate with all of the services involved. Configuration files can work across multiple platforms, and there are thousands of different plugins (known as providers) available. And the huge number of providers highlights just how versatile this approach can be, its popularity, and the size of the ecosystem that’s been developed by the community.

Terraform caters to popular cloud environments such as AWS, Microsoft Azure, Google Cloud Platform, Oracle Cloud Infrastructure, and Alibaba Cloud – to list just a few examples. And Terraform providers define individual elements, which could be compute instances, private network spaces or other cloud services. In turn, these resources can be combined as modules that are self-contained packages of Terraform configurations, which can be managed as a group.

Desired state configuration

Once all of the providers have been installed and initialized, users can then preview the changes that Terraform’s IaC tool will make and compare those with the original plans to check that the final configuration matches up. And when everyone on the team is happy, it’s time to apply those instructions to provision the cloud infrastructure in the desired state.

IaC brings a number of benefits, and having those setup instructions stored as a configuration file makes it straightforward to go back to a known good state. And team members can collaborate on IaC updates via Terraform’s workspaces feature that provides both secure access and guards against race conditions when users make changes at the same time.

One of the best ways to get to grips with Terraform and see what can be achieved using IaC tools is to check out the many tutorials that are available on the web. HashiCorp, which offers Terraform Cloud to automate infrastructure provisioning at any scale, has a variety of documentation and interactive tutorials on its site. Incidentally, HashiCorp offers a number of similarly useful automation tools such as Packer, which can create identical machine images for multiple platforms from a single source configuration.

And Terraform isn’t the only IaC tool available. Organizations wanting to automate the provisioning of cloud infrastructure have a number of alternatives to consider too, such as Ansible, Chef, Puppet, and SaltStack, which was acquired by virtual computing giant VMware back in 2020. It’s also worth drawing the distinction between IaC and Platform as Code (PaC), which – as VMware points out – includes the operating system and development tools. Whereas IaC deals with provisioning compute, storage and networking at the infrastructure layer.

Managing software patches and updates

Besides configuration management, IaC tools can help with a number of other important tasks. For example, as well as enabling organizations to achieve and maintain infrastructure in a desired state – which can include deploying self-healing code – Puppet performs vulnerability management, automates compliance, and delivers software patches and updates.

Chef helps teams manage not just cloud services, but other IT assets too. The IoC tool provider lets users manage disparate systems as one – for example, enabling users to keep on top of Windows and Linux machines running on-premises, ARM systems in the cloud or Mac laptops connected at the edge using the same automation software.

Ansible has the ability to automate zero downtime rolling updates and manages machines in an agent-less manner. Decentralized, the IaC tool using existing credentials to facilitate access to remote machines. And, according to developers, it’s straightforward to link solutions to authentication management systems such as Kerberos and LDAP.

Reducing the attack surface

Credentials management goes hand-in-hand with IaC. Applications need secrets to communicate with cloud providers, databases, and consume other services. And while users may do a good job – for example, by storing those secrets in an encrypted password manager. Applications can undo those security efforts if usernames, passwords, and other secrets are dumped to disk whenever an issue occurs, and logs get updated.

Dynamic passwords get around that potential security risk by generating secrets on demand. And making those details time-limited means that if they do appear in a log file, an attacker can’t simply reuse them as the information will have become out of date. Terraform’s Vault module helps users to move away from relying on long-lived static secrets and instead service applications with time-bound details generated on demand to help mitigate security threats.

IaC tools offer a rich ecosystem of solutions for developers, starting with automating the provision of cloud services and going beyond into helping to make setups uniform across different platforms and raising cyber defenses.