Infrastructure as code, or IaC, is a significant advance in how we manage infrastructure. IaC brings plenty of advantages to the table. You can declare specifications through code about what infrastructure should be created. You can also compare what is deployed against what should be deployed—perhaps gaining insight into your present and future infrastructure.
Taking a page from the software engineering playbook, IaC can be version controlled. Best of all, this kind of fine-grained control enables rapid, consistent deployment of your infrastructure. Sounds great, right? It is, but it’s only the tip of the iceberg. Let’s talk about why cloud automation is more than Infrastructure as Code alone.
Authentication and Authorization Controls
Just as an application runs as part of a complex software system, IaC operates in a broader context. IaC needs to function under the umbrellas of authentication and authorization controls.
Such rules typically dictate who is allowed to create which pieces of infrastructure and how users are granted access to the cloud services they need. Applications often hold secrets such as encryption keys, passwords to other services, and API keys. These secrets are yet another critical management point. From a security standpoint, a key aspect of access control is where these credentials are kept. Infrastructure as Code both interacts with and must operate under these controls, and so becomes part of a complex ecosystem of automation and fine-grained control.
Keep in mind that cloud environments are dynamic. They often have multiple administrators on a single account. Cloud consoles and command lines make it easy to change infrastructure in a cloud. This can result in infrastructure that drifts away from the desired configuration. You then have to figure out how to detect infrastructure drift, and what to do when it happens.
This is where declarative methods of specifying infrastructure are especially helpful. Such a blueprint would let you compare the current state of the infrastructure with the desired state defined in an Infrastructure as Code specification. If there were differences, changes could be made automatically to bring the current state to the desired configuration.
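The compare-and-reconcile loop just described, as an added example that is not part of the original post: a desired state (what the declarative specification says should exist) is diffed against an observed state (what a read-only inventory of the account returns), and every difference is classified as a missing, unmanaged, or changed resource with a severity that reflects whether the drift weakens security posture. The resource shapes, the `SECURITY_ATTRS` set, and both state dictionaries are constructed for illustration and do not correspond to any real provider's API.

```python
"""Drift detection between a declarative infrastructure spec and observed
cloud state (added example; all data below is constructed, not real)."""
import json
from dataclasses import dataclass

# Attributes whose drift changes the security posture rather than just the shape.
# Constructed list for this example; a real tool would derive it from policy.
SECURITY_ATTRS = {"public", "ingress", "encryption"}

# Constructed desired state: what the IaC specification declares.
DESIRED = {
    "sg-web": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}],
               "tags": {"env": "prod"}},
    "bucket-logs": {"type": "bucket", "public": False, "encryption": "aes256"},
    "vm-api-1": {"type": "instance", "size": "m.small", "tags": {"env": "prod"}},
}

# Constructed observed state: what an inventory of the account actually returns.
# Someone opened port 22 by hand, made the log bucket public, and replaced
# the API instance with an unmanaged debug instance.
OBSERVED = {
    "sg-web": {"type": "security_group",
               "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                           {"port": 22, "cidr": "0.0.0.0/0"}],
               "tags": {"env": "prod"}},
    "bucket-logs": {"type": "bucket", "public": True, "encryption": "aes256"},
    "vm-debug": {"type": "instance", "size": "m.large", "tags": {}},
}


@dataclass
class Drift:
    resource: str
    kind: str            # "missing" | "unmanaged" | "changed"
    attribute: str = ""
    desired: object = None
    observed: object = None

    @property
    def severity(self) -> str:
        if self.kind == "changed":
            return "high" if self.attribute in SECURITY_ATTRS else "low"
        # A resource the spec does not account for, or one that vanished.
        return "medium"


def canon(value):
    """Order-independent canonical form, so [a, b] and [b, a] compare equal."""
    if isinstance(value, list):
        return sorted(json.dumps(v, sort_keys=True) for v in value)
    return json.dumps(value, sort_keys=True)


def detect_drift(desired, observed):
    """Return every difference between the declared and the observed state."""
    drifts = []
    for name, spec in desired.items():
        if name not in observed:
            drifts.append(Drift(name, "missing"))
            continue
        actual = observed[name]
        for attr in sorted(set(spec) | set(actual)):
            want, have = spec.get(attr), actual.get(attr)
            if canon(want) != canon(have):
                drifts.append(Drift(name, "changed", attr, want, have))
    for name in observed:
        if name not in desired:
            drifts.append(Drift(name, "unmanaged"))
    return drifts


def remediation_plan(drifts):
    """Turn drifts into ordered steps, most security-relevant first."""
    order = {"high": 0, "medium": 1, "low": 2}
    steps = []
    for d in sorted(drifts, key=lambda d: order[d.severity]):
        if d.kind == "missing":
            steps.append(f"[{d.severity}] create {d.resource} from the spec")
        elif d.kind == "unmanaged":
            steps.append(f"[{d.severity}] review {d.resource}: not in the spec; "
                         "import it into the spec or remove it")
        else:
            steps.append(f"[{d.severity}] set {d.resource}.{d.attribute} back to "
                         f"{d.desired!r} (currently {d.observed!r})")
    return steps


if __name__ == "__main__":
    for step in remediation_plan(detect_drift(DESIRED, OBSERVED)):
        print(step)
```

Unmanaged resources are deliberately reported for review rather than deleted automatically: a resource created outside the pipeline may be a legitimate change that belongs in the specification, and an automatic delete of it is exactly the kind of far-reaching mistake a reconciliation loop can make.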
Because IaC is so interactive within this ecosystem, coding and specification mistakes can have far-reaching consequences. You have to consider how you’ll detect possible errors and inconsistencies. Regardless of how such problems are found, you’ll need to have a version control system in place. Being able to roll back changed infrastructure to a previous working state will save you a lot of time and effort.
Here are some key considerations about authentication and authorization:
- What distinct jobs or responsibilities do IT professionals have with respect to the cloud?
- Can you define a role or set of roles for each distinct job?
- What permissions are needed in each of those roles?
- Who approves changes to roles and assignment of roles?
- What secrets must be managed?
- Where will secrets be stored?
- Who will have responsibility for administering secrets?
Security and Compliance
Infrastructure as Code is also subject to non-technical requirements, especially around security and compliance. IaC specifications must be auditable to ensure both system security and regulatory compliance.
Keeping a history of infrastructure changes made through IaC also helps when troubleshooting problems down the line. Managers benefit from the auditing potential of cloud automation as well. Managers are keenly aware of cloud costs and need reporting tools to keep up with expenses. Since IaC can entail so many potentially costly changes, it’s essential to consider how the way you shape the infrastructure affects the costs managers are watching.
Here are some key considerations about security compliance:
- What industry or government regulations apply to your organization?
- What controls are required, such as encryption, multi-factor authentication, etc.?
- What are reporting requirements for compliance?
- What additional controls or reporting are needed by management?
It Is Only the Beginning
Cloud automation is a practice that encompasses multiple technologies and tools. Infrastructure as Code is a crucial part of this toolbox, but so are role-based access controls, drift detection, auditing tools, and supporting services, like secrets and cost management. At the end of the day, IaC is just one of the key components of a complete cloud automation solution. It’s a critical part of the ecosystem, but it is only the beginning.