Infrastructure-as-Code (IaC) is a fundamental DevOps practice that uses descriptive models and versioning to define and deploy infrastructure consistently. IaC has replaced manual processes, such as using GUI or console and a shell script to provision the infrastructure with configuration files. IaC tools like Terraform, Pulumi, AWS CloudFormation, Azure Resource Manager (ARM) templates, and Google Cloud Deployment Manager ensure that environments are reliably generated every time, similar to how the same source code produces identical binaries. This method allows for safe, trackable, and repeatable infrastructure management, enhancing consistency and reducing errors.
In this article, we will dive deep into the following topics:
- What is Infrastructure-as-Code (IaC)?
- The principles IaC is built on
- Why should IaC be a de facto for your DevOps team?
- The use cases where you can make use of IaC
- A quick overview and comparison of the various IaC tools like Terraform, AWS CloudFormation, Pulumi, and Ansible
- How does Firefly help you manage your IaC effectively?
What is Infrastructure-as-Code?
Consider a scenario where a DevOps team must set up a cloud web application environment. This environment includes virtual machines, a load balancer, and a database. Traditionally, setting this up would involve manually creating each component through a cloud provider's web interface, which is time-consuming and prone to human error.
Infrastructure as Code standardized way for them to provide and define infrastructure through code â all in pursuit of taming modern cloud chaos.
đč Watch: Here's an overview from a real cloud engineer, explaining why IaC matters for efficient DevOps teams.
With IaC, the team can define the entire infrastructure in a configuration file, automating infrastructure management.
It allows the developers to focus on building and improving applications instead of managing environments. By enabling rapid delivery of applications and their supporting infrastructure at scale, IaC supports a unified set of practices and tools, ensuring that infrastructure changes are safe, consistent, and reusable.
What are the Key Use Cases for IaC?
- Replication of Environment - If you need to spin up the testing environment quickly for your project, you can easily do so using the IaC code's replication ability.
- Disaster Recovery of Infrastructure - If your running infrastructure crashes, you must quickly do a disaster recovery. You can rebuild infrastructure from versioned templates of your IaC.
- Scalability - It is time-consuming to manage your resources' scalability, such as Elastic Kubernetes Service (EKS), from a console or GUI. Using IaC, you can easily scale infrastructure up or down based on demand.
- Cost Optimization - With an increasing infrastructure, monitoring resource usage and reducing costs becomes more challenging. To save costs, you can automate infrastructure teardown using IaC.
What are the Principles of IaC?
Infrastructure-as-Code (IaC) principles are the foundation for building an effectively managed infrastructure through code. These principles help maintain consistency, reliability, and efficiency in infrastructure provisioning and management. Let us take a look at the key principles:
- Idempotency - Running your IaC code multiple times should always produce the same result. For example, reapplying a Terraform code will only make changes if there are differences between the desired state and the actual state.
- Version Control - Store your infrastructure code in version control systems (like Git). For example, you can easily track changes, collaborate, and roll back to previous states if your recent changes break the infrastructure.
- Consistency and Repeatability - IaC ensures that the same configuration results in the environments created every time it is applied. For example, when you use the same Ansible playbook to set up multiple servers, they have the same configuration.
- Declarative Definition - IaC uses declarative syntax to define the desired state of infrastructure rather than detailing the steps to achieve that state. For example, your .tf files describe the desired state of your Terraform resource deployments.Â
- Modularity and Reusability - Create reusable pieces of code for common tasks. For example, you can use Terraform modules to set up VPCs, subnets, and EC2 instances that can be reused across different projects.
IaC as a De Facto for Infra Provisioning
Infrastructure-as-Code (IaC) became a standard practice through the evolution of cloud computing and DevOps from the mid-2000s to the 2010s. AWS's launch in 2006 necessitated scalable infrastructure management, leading to tools like Chef (2009), Puppet (2010), and Ansible (2012). The rise of Docker in 2013 and Terraform in 2014 further cemented IaC's importance. This shift was driven by the need for modern infrastructure management where adopting the IaC can bring significant benefits, such as:
- Consistency and Standardization - IaC ensures that environments are easy to replicate and consistent across different stages of development (like development and production). For example, you can use the same IaC configuration code to deploy and manage your instances in the development and production environment.
- Version Control - You can store the IaC files or folders using version control systems like Git. These systems allow you to track changes, revert to previous configurations, and collaborate more effectively with team members. For example, you have increased the size of your nodes in your EKS cluster but your instance type does not allow your node to use the increased node size, you can quickly revert this change and deploy the changes using IaC in different environments. Â
- Scalability - You can quickly replicate environments or adjust resources to meet changing demands without manually configuring each component. For example, you can increase the node group size for your EKS cluster for the production or testing stage in a short time duration.Â
- Replication - IaC allows you to easily replicate environments like development to testing and production. You do not need to write extra code to deploy resources in these environments which leads to faster deployments and more efficient operations.
- Consistency - You are more prone to errors if you use the console or UI to create or manage your infrastructure (what we call âClickOpsâ). You can easily update your infrastructure using IaC and maintain consistency across environments. If the changes break your infrastructure, you can revert to the older IaC version.
Exploring the IaC Tooling Landscape
To automate the infrastructure provisioning process, you can use a range of IaC tools available on the market. Some of these are mentioned below.
Terraform
HashiCorp's most widely used tool, Terraform, was acquired by IBM. It defines and provides infrastructure across various cloud providers using a declarative configuration language. It is popular due to its versatility and multi-cloud support, with over 53,700 companies globally using it.
AWS CloudFormationÂ
AWS provides a service for defining and managing AWS resources using JSON or YAML templates, enabling automated provisioning and management. It is dominant in AWS-centric environments.
Pulumi
An open source IaC tool that uses real programming languages (e.g., TypeScript, Python, Go) to define and manage cloud resources, offering flexibility and integration with existing codebases. It supports over 60 cloud providers and is increasingly popular among developers who prefer general-purpose languages.Â
Ansible
This configuration management and automation tool by Red Hat uses YAML playbooks to automate infrastructure provisioning, configuration, and management. It is trendy for its simplicity and agentless architecture and is widely used for automation and configuration management.
Puppet
It is an open source configuration management tool that uses declarative language to manage system configuration and deployment. It is extensively used in large enterprise environments and is known for its robustness and maturity.
Azure Resource Manager (ARM) templates
Microsoft Azure offers ARM templates, a service that allows users to define and deploy Azure infrastructure using JSON templates. Due to their deep integration with the Azure platform, ARM templates are widely used by organizations leveraging Azure services.
Google Cloud Deployment ManagerÂ
This tool allows users to define and manage Google Cloud resources using YAML, Python, or Jinja2 templates. It is favored by Google Cloud users for Google Cloud-specific deploymentsâ.
How to Deploy Your Infrastructure Using TerraformÂ
In this IaC tutorial, we will deploy our AWS resources using Terraform, the most popular IaC tool with a large market cap. It is easier to understand and code since it is declarative.Â
Let us begin by creating an aws_instance resource using Terraform configuration files and manage it using Terraform for a simple usage example.
First, we will create the input variable for instance_type in var.tf file with a default value.
Now, we will create the aws_instance resource in main.tf file and use AWS provider API to build the infrastructure.
Open your terminal in the current working directory and run these terraform commands:
to install and configure the providers and backend and:
to deploy your ec2 instance to the AWS cloud.
You will get this output on the terminal and can verify it on your AWS console, as shown below.
You can also destroy your resource by running:
in your terminal. You will get this output on the terminal and can verify it on your AWS console, as shown below.
As you can see in this example, the resource creation and management process has become efficient, consistent, and easy to maintain using the IaC tool (Terraform).
How to Integrate GCP to Firefly
Firefly is a Cloud Control Plane that helps DevOps and SRE teams streamline their cloud management using Infrastructure-as-Code (IaC), which reduces cloud complexity, enhances efficiency, and builds a reliable platform. By turning any cloud into IaC, Firefly ensures that every change to the cloud aligns with industry standards and best practices, empowering teams to maintain control and compliance effortlessly.
When you use Firefly for your infrastructure code, it requests a read-only permission set known as a security audit. This allows Firefly to scan the configuration of cloud resources without accessing or retrieving their actual data. For example, Firefly can identify the presence of a storage bucket but does not have the capability to read or obtain information about the objects contained within the bucket.
Let us integrate the most popular IaC tool, Terraform code, with Firefly to deploy GCP resources.
Pre-requisiteÂ
Install Terraform and the google cloud sdk.Â
To verify the successful installation, run:
To create a new configuration for setting up CLI from your terminal, run:
Before integrating GCP with Terraform, we will create a bucket named state-bucket to store the Terraform state as a remote backend. Firefly reads the state file to record the configuration changes and detects drifts in the infrastructure code.Â
Let us explore the Firefly features by following the steps given below.Â
- Launch a bucket with the name state-bucket in GCP via GUI.
- Set up the terraform remote backend in the main.tf file, which will store the state file in the state-bucket bucket
â
- Open your terminal in the current working directory and run:
â
to upload the state file to state-bucket. To verify, view the state bucket through the GCP Console.
- Open the Firefly console, to integrate GCP, select Google Cloud in Settings â Integrations â Add New â GCP.
- In the next step, select Terraform to integrate Firefly with Google Cloud Platform (GCP) to enhance efficiency and reliability in your cloud operations.
- Enter the project ID correlating to your GCP project name and go to the next.
- Copy the Firefly module details created by the wizard and paste it into your terraform configuration in the main.tf file.
Now that we have successfully integrated Firefly into your project, you will see your GCP project on the dashboard.
Once you go to the Google Cloud Projects here, you can see that there are 115 assets, which are the number of resources deployed on your cloud, and the stack represents the state file stored in the bucket.Â
When you go to the Inventory tab on the left side, it displays the owner of each resource. The resources created and managed by Terraform are labeled "codified," while those not created using Terraform are marked as "unmanaged."
Firefly can help us detect the status of our infrastructure. Look at the classification below.
- Drifted: Firefly scans your cloud infrastructure, comparing the desired state in the available IaC state file and the actual state in the integrated cloud provider and displays the drift caused by the differences in some properties and their values. Firefly can detect and manage drift from any IaC framework.
- Unmanaged: Unmanaged assets are assets that exist in an integrated provider but not in an available IaC state file.
- Ghost: Ghost assets are assets that exist in an available IaC state file but donât exist in any integrated provider (e.g., an AWS account)
- Codified: Codified assets are assets that exist both in an available IaC state file and in an integrated provider, with identical properties and values.
Apart from this in this IaC explorer tab, Firefly shows all the integrated IaC providers, the number of unique Terraform versions running, critical misconfigurations, the last Terraform application, and the number of assets.Â
How to Create Resources through Templates and AI
Firefly provides you with hundreds of prewritten, verified templates to choose from to create resources. Go to the compose tab on the left side where you can simply select a module from the given templates for the resource you want to create.
Let us take a Google storage bucket in this case.Â
Select the module and set up the Terraform variables according to your requirements. It will generate a generic module that you can modify according to the use case.
We can prompt Thinkerbell AI to generate pre-configured templates tailored to your specific needs, streamlining the setup process and allowing you to focus on deploying and managing the infrastructure efficiently.
Select from multiple languages to select and enter the prompt for the resource you want to generate. The Thinkerbell AI will give you a code you can use at your convenience.Â
Let us look at the prompt âgenerate terraform template for creating a gcp instanceâ.
It gives the following code.Â
Frequently Asked Questions: IaCÂ Edition
What are the drawbacks of using IaC?
Complex configurations are a common issue. Managing intricate infrastructure setups through code can become complex and difficult to maintain over time. Plus, implementing IaC can have a higher initial cost of ownership in infrastructure and personnel. However, these costs can be offset by the benefits of reduced errors and increased productivity over time.
How do you ensure the security of sensitive data when using IaC?
Security is of the utmost importance when working with sensitive data in IaC. Firstly, encrypt all sensitive data stored in the code repository, such as passwords, private keys, and certificates. This ensures that even if someone gets access to the repository, they cannot read the sensitive data.
How does Firefly help with cloud asset management?
One key metric that Firefly shows its customers is the IaC coverage status of their cloud and which cloud assets are codified, unmanaged, Drifted, or out-of-sync (Ghost). Firefly is the single cloud asset management solution that seamlessly scans the customerâs cloud accounts (and Kubernetes clusters) and the associated infrastructure-as-code files.
How does Firefly encrypt its data?
All data in transit is encrypted using SSL (TLS 1.2). The entire Firefly infrastructure is gated inside a private VPC. Connections to the Firefly (Inc. Infralight Ltd) network and databases are obtained through a secured bastion server, which is only accessible from within the office network. Encryption between Infralight Ltd customers and the Infralight application is enabled using an authenticated SSL/TLS tunnel. Internet traffic is encrypted using high-class level certificates based on the PKI infrastructure.