Infrastructure as Code: What You Need to Know
In this guide, learn how to start using IaC, explore the benefits of code management, and discover some of the best open-source tools.
Join the DZone community and get the full member experience.Join For Free
Cloud technology changes the way we reason about troubleshooting, maintaining, and deploying systems. We used to view hardware and software as separate entities. Different teams managed these entities with different priorities, using disparate methodologies. But that’s no longer the case; teams work together to improve resiliency and maximize agility. There’s no better example of this than Infrastructure as Code (IaC).
Let’s take a deep dive into IaC. We'll examine how it makes your systems more reliable, manageable, and reproducible.
What Is Infrastructure as Code (IaC)?
Infrastructure as Code (IaC) is maintaining and configuring hardware with the same methods as software. Instead of configuring computers and network hardware manually, you use automated tools and version control (VCS) to manage their code. For many teams, the final step is adding continuous integration and continuous delivery/deployment (CI/CD) pipelines. When you deploy your systems with this, you've adopted the entire IaC stack.
Benefits of Using IaC
Infrastructure as Code (IaC) is a practice that uses machine-readable scripts to automate the provisioning and management of computing infrastructure. It has several important benefits:
- IaC makes your infrastructure consistent and reproducible. When you define your systems in code and manage that code in VCS, it’s easy to recreate and deploy them. You can easily build the same infrastructure many times, reducing the risk of human error. It also makes it easier to fall back to an old version of your infrastructure when something goes wrong.
- When you run your IaC tools in your CI/CD, your infrastructure is scalable and agile. You can bundle new releases with their infrastructure changes and scale systems up and down with your pipelines.
- Your teams can share, review, and track IaC using the same tools you use for the rest of your software, like Git. This makes it easier for your teams to collaborate on software and infrastructure projects.
Declarative vs Imperative Programming
IaC supports both declarative and imperative coding constructs. Learning these approaches helps you pick the right tool for your infrastructure.
As the name implies, declarative coding declares the desired state of an object. So in IaC, you use a declarative tool to define the state of your systems and it handles the details. Two popular declarative IaC tools are Terraform and Puppet.
Imperative programming uses step-by-step instructions to complete a task. It’s the coding style used by languages like Python and Go. In imperative IaC, you define the actions required to bring a system to its desired state. Chef is an example of an imperative IaC tool, while Ansible combines imperative and declarative approaches in its Domain Specific Language (DSL).
When you create your infrastructure, you can choose between using immutable or mutable approaches.
Mutable vs Immutable Infrastructure
If something is immutable, that means you can't change it. So, if you need to update a setting or add something to it, you must create a new one and replace the outdated copy.
- Docker containers are immutable. If you want to preserve a container's state across sessions, you need to externalize it. This is often done by connecting it to a persistent filesystem. DZone’s previously covered how engineering teams can approach container security.
- Kubernetes, since it is based on immutable containers, treats its applications as immutable, too. Deployments entail creating new container sets. Learn how to setup a CI/CD pipeline with Kubernetes.
- Terraform treats most infrastructure as immutable. When you apply a configuration change it will create a new instance and destroy the outdated one.
Related Tutorial: How to build docker images using Jenkins pipelines.
At first glance, this approach seems slow and wasteful. But, like immutable programming, immutable infrastructure presents several important advantages.
- Consistency — Immutable infrastructure, by definition, stays the way you created it. It remains consistent. You can easily restore or rebuild infrastructure with your IaC tools, too.
- Auditability — With IaC and immutable infrastructure, your source files are an accurate audit trail for the state of your systems.
- Fewer errors — When you combine immutability with IaC, you only change infrastructure via code. So, policies like pull requests and audit trails reduce errors. Properly implemented IaC reduces mistakes.
But like any other methodology, there are disadvantages you need to weigh against the benefits.
- Deployment time — The time you need to deploy systems increases with their number and complexity.
- No small fixes — Deployments for immutable infrastructure are all or nothing; even a small fix requires a complete deployment.
- Higher resource utilization — Most deployments involve deploying a new instance, followed by a cutover from the old to the new. Depending on the system, this can require significant system resources.
Mutable is the exact opposite of immutable. If something is mutable, that means you can update it after you create it. For instance, if you need to change the amount of memory in a cloud instance, you can apply the change to your existing system.
- Cloud virtual machines like Amazon Elastic Compute systems are mutable by default. Unlike containers, you can reconfigure them without creating new ones.
- Updating operating systems via package managers like
dnfare examples of mutable infrastructure.
- Ansible and Chef are often used as mutable IaC tools, using their playbooks and cookbooks to update system configurations based on programmatic instructions.
Mutable infrastructure has several important advantages over an immutable approach.
- You can update your infrastructure quickly. For example, you can apply the latest security patches to your systems as a discrete operation.
- Mutable deployments are not all or nothing. You can tailor the scope and timing of updates to individual systems and applications. This lowers the risk of each deployment and simplifies scheduling.
- Deployment times are not linked to the size and complexity of your systems.
The flexibility offered by mutable infrastructure does come at a cost, though.
- Unlike with immutable tools, your mutable IaC code represents the changes it applied rather than the complete system state. This makes audits more difficult.
- Mutable systems are prone to configuration drift.
- Mutable deployments may be more complex than immutable and pose a greater risk of failure.
The choice between immutable and mutable IaC depends on your specific requirements and the nature of your infrastructure. Many organizations choose an integrated approach, making some systems mutable and others immutable.
Open Source IaC Tools
Open-source IAC tools are an important part of the IaC community. These tools harness the power of community-driven development, flexibility, and extensibility. They're excellent choices for automating your infrastructure provisioning and management.
- Terraform is a tool for describing cloud infrastructure in declarative code. It supports multiple cloud platforms and services. So, you can use it to provision and manage resources across different providers in a consistent and reproducible manner. In Terraform, infrastructure objects are immutable.
- OpenTofu is a fork of Terraform, created in response to HashiCorp’s decision to switch Terraform to the Business Source License (BUSL). It’s compatible with Terraform but, as a fork, will head in a different direction with a different feature set.
- Ansible is an automation tool with a declarative language for defining system configurations. Although, you can use procedural code for many operations, too. It treats infrastructure as mutable, managing it for its entire lifecycle. It’s useful for both configuration management and infrastructure provisioning. One of Ansible’s biggest advantages is it works with Secure Shell instead of an agent.
- Puppet is an agent-based tool for automating infrastructure configuration and management. It uses a declarative language. One advantage of Puppet’s agent is you can “push” changes to a system on demand, or the agent can “pull” updates on a schedule.
- Chef is another agent-based IaC tool. It operates similarly to Puppet but employs imperative “cookbooks” to describe infrastructure. They contain the steps required to build and configure your infrastructure. Its Ruby-based DSL is more complicated than Puppet’s, but some users prefer it for configuration management.
- SaltStack is like Puppet and Chef in that it works with an agent-based model. However, it uses an event-driven model for quickly distributing changes to managed systems. SaltStack uses a declarative DSL to describe system states.
IaC leverages code and coding practices for defining and managing infrastructure resources. It makes it easy to add scalability, consistency, and efficiency to your systems deployment. This means your team can deploy infrastructure configurations faster and with fewer errors. Terraform, Ansible, Puppet, Chef, and SaltStack are just a few examples of tools that can help streamline your infrastructure provisioning and management. Embrace the power of Infrastructure as Code and revolutionize the way you deploy and manage your systems.
Opinions expressed by DZone contributors are their own.