State of AI in Cybersecurity Survey: Find out what security teams want in a GenAI solution Read now

What is infrastructure as code?

Infrastructure as code (IaC) is the process of dynamically managing and provisioning infrastructure through code instead of through a manual process to simplify app development, configuration, and runtime. IaC leverages code to:

  • Automate infrastructure provisioning, deployment, configuration, and management
  • Orchestrate the operation of all infrastructure components, such as hardware, software, networks, virtual machines, containers, databases, and cloud infrastructure elements
  • Configure, monitor, and manage all infrastructure components and systems

The vast adoption of workloads, containers, and cloud computing has made IaC an important part of DevOps, enabling automation and continuous monitoring of the entire application life cycle, from integration and testing to delivery and deployment. It is also an important aspect of application and container security as well as overall workload protection.

cnapp-guide-temp

The Complete Guide to CNAPPs

Download CrowdStrike's Complete Guide to CNAPPs to understand why Cloud-Native Application Protection Platforms are a critical component of modern cloud security strategies and how to best integrate them to development lifecycles.

Download Now

Five principles of infrastructure as code

The following principles are meant to help your teams overcome IaC-related challenges and maximize return on investment (ROI) from your IaC strategy.

  1. System disposability: When systems are built with a dynamic infrastructure in mind, it becomes easy to build, destroy, upgrade, resize, and transfer resources as the infrastructure changes over time. This allows the infrastructure to continue running when an unexpected failure happens and helps you avoid operational disruptions that might impact the business.
  2. System duplicability: It should be easy to recreate any part of the infrastructure efficiently, eliminating a lot of the danger and anxiety that comes when making changes to the infrastructure. The easy replication of infrastructure also allows you to deal with failures quickly and provision new environments seamlessly.
  3. Process reproducibility: Any infrastructure change or action taken should be reproducible. To aid this, your infrastructure team should script any process they can. Some processes are more challenging to script, but your teams should consider using tools to aid in the scripting of these processes.
  4. Dynamic design: Developers are aware that any change to a complex infrastructure will be expensive. Because of this, they should design infrastructures to support changes as they happen by meticulously predicting how the infrastructure is going to change in the future.
  5. System consistency: When processes are automated, there is always a chance something might go wrong. To overcome this challenge, infrastructure developers need to ensure all new users added or changes made are exactly the same as existing ones. Otherwise, inconsistencies might result in faulty automation.

Six benefits of IaC

In the modern IT landscape, IaC should be considered an essential component within the IT strategy. Even relatively simple infrastructure requirements can be made more efficient and cost-effective by leveraging IaC principles.

Though IaC may add complexity within the IT environment, the advantages of employing it generally outweigh the cost of implementation and management.

1. Speed

IaC is a critical enabler of agile development, continuous integration/continuous delivery (CI/CD), and DevOps practices. It eliminates most manual provisioning and configurations of cloud infrastructure components by allowing the team to provision infrastructure via a coded script for every environment, which is significantly faster.

2. Accuracy

By relying on code, IaC limits mistakes within the configuration process and cuts down on inconsistencies that can occur when more than one person is responsible for configuration.

3. Accountability

You can enable version-controlled infrastructure and configuration changes in your IaC like any other code source file. This gives you full traceability of changes made in your configurations, which you can use to hold users accountable if needed.

4. Efficiency

IaC is a strategic enabler of DevOps because cloud infrastructure components can be made available rapidly as they are needed. It is modular in nature, which means that different pieces of code can be divided and combined to meet the needs of various use cases. This helps streamline software development and optimize resources within the IT team.

5. Cost savings

Automation generally leads to cost savings, and IaC is no exception. By allowing organizations to optimize limited resources — including hardware costs, staffing costs, storage costs, and more — IaC drives down overall costs and enables teams to focus on the higher-value tasks that require human oversight and intervention. Overall capital and operating expenses stay low.

6. Scalability

Infrastructure as code allows you to easily scale up infrastructure management without overspending because automation reduces misconfigurations and eliminates time-consuming interactions.

Mutable vs. immutable infrastructure

One of the first decisions organizations have to make is how they’re going to automate infrastructure. They usually have two options: mutable and immutable infrastructure.

1. Mutable infrastructure

Mutable infrastructure can be updated or modified after it has been provisioned. This type of infrastructure gives IT teams the flexibility to customize servers so they more closely fit application requirements. Unfortunately, this comes with deployment inconsistencies and can make tracking more difficult.

2. Immutable infrastructure

Immutable infrastructure, on the other hand, cannot be modified after it has been provisioned. Since no changes can be made, completely new infrastructure is needed if a change is required. Although it sounds impractical, new infrastructure can be created in the cloud seamlessly.

Expert Tip

Which type of infrastructure should you choose? Though needs vary per organization, most choose to go the immutable infrastructure route. Immutable infrastructure makes it extremely simple to stay consistent within the deployment and test environments. Also, since this type of infrastructure enables you to track previous infrastructure versions, you can easily change back to an older version if it is more efficient.

Declarative vs Imperative IaC

There are two main approaches for writing IaC code:

1. Declarative IaC

A declarative approach to IaC is one in which the user defines the future state and lists all resources and attributes within the infrastructure; however, the  tool or platform will determine how to best install and configure the system to achieve the future state.

2. Imperative IaC

An imperative approach requires far more input and specificity than a declarative approach. In this method, the developer or IT team will define the future state and also specify the process for doing so. The tool or system will not deviate from the steps within the process or change the order.

Learn More

Why is declarative IaC the preferred approach?Most organizations tend to adopt a declarative approach because it offers far greater flexibility in enabling a variety of use cases. Specific benefits include:

  • Simplicity: Declarative IaC requires little input from the developer beyond specifying the desired future state.
  • Speed and flexibility: A declarative system automatically compiles an inventory of all objects within the environment. Having this record makes it easier and faster to alter or disassemble the infrastructure when needed in the future.
  • Automation: In a declarative approach, any changes made within the desired state are automatically applied by the IaC platform. In an imperative approach, it would be up to the developer to reflect the changes within the environment.
  • Optimization: In an IaC approach, organizations can limit deployment scripts and other imperative code, which helps contain and reduce technical debt over time.

Infrastructure as code best practices

Follow these best practices to ensure safe IaC in the long run:

  1. Codify everything in your IaC to deploy any changes seamlessly and securely. This involves auto-updating your running pipeline to detect these changes and avoid human intervention.
  2. Protect hard-coded secrets by not including credentials when deploying code to avoid a potential breach. Some ways to protect sensitive information include replacing hard-coded secrets with sensitive variable references and using a secrets management tool.
  3. Scan for misconfigurations using static application security testing (SAST) or software composition analysis (SCA) scanning tools on your IaC to uncover potential misconfigurations that might leave your infrastructure vulnerable to attackers.
  4. Modularize your infrastructure by following a microservices architecture approach when developing the infrastructure. This approach allows for multiple infrastructure components to be broken down into different modules that can be individually managed.
  5. Restrict access to environments so that users have “read-only” permissions. Only users with specific credentials should be granted privileged access to change infrastructure, and every change should be cryptographically signed.

IaC Platforms and Tools

Some of the most popular infrastructure as code platforms and tools include:

Platform/ToolDescription
TerraformTerraform is an open source IaC tool that allows developers to define and provide data center infrastructure across a variety of platforms, including Amazon Web Services (AWS), Microsoft Azure, Oracle Cloud, Google Cloud Platform and other public cloud platforms.
PulumiPulumi is an open source IaC software development kit (SDK) that allows developers to create, deploy, and manage infrastructure on any cloud, using a variety of languages, including Python, TypeScript, JavaScript, Go, C#, and F#.
AnsibleAnsible is an IaC tool that supports application development for IBM Power Systems clients. Like Terraform and Pulumi, Ansible is an open source resource that can automate provisioning, configuration management, and application deployment.
Chef InfraChef Infra, along with Puppet, is a pioneer in the DevOps space and one of the first infrastructure management tools for defining IaC.
PuppetPuppet, another infrastructure as code pioneer, is a software configuration management tool that uses its own declarative language and models to configure systems.
CFEngineCFEngine is another open source configuration management system. It is considered to be one of the most mature tools on the market and can support complex configuration needs.
AWS CloudFormationAWS CloudFormation is an IaC tool that enables users to model, provision, and manage AWS infrastructure as well as other external resources.
Azure Resource ManagerAzure Resource Manager is an infrastructure as code service that uses JSON to configure infrastructure components within the Azure environment.
Google Cloud Deployment ManagerGoogle Cloud Deployment Manager is an infrastructure deployment service that automates the creation and management of Google Cloud resources. IaC and automation simplifies application development, delivery and deployment. It enables DevOps and IT to build, configure and manage the infrastructure more efficiently.  Security is an extremely important aspect to build, deliver and deploy applications.  Think it, Build it, Secure it with CrowdStrike.

How CrowdStrike can help

Organizations that choose infrastructure as code to manage their cloud environments are still exposed to threats and vulnerabilities. CrowdStrike Falcon® Cloud Security provides unique insights into adversaries and delivers cloud-native, full-stack security that creates less work for security teams, defends against cloud breaches, and optimizes multi-cloud deployments.

Guilherme (Gui) Alvarenga, is a Sr. Product Marketing Manager for the Cloud Security portfolio at CrowdStrike. He has over 15 years experience driving Cloud, SaaS, Network and ML solutions for companies such as Check Point, NEC and Cisco Systems. He graduated in Advertising and Marketing at the Universidade Paulista in Brazil, and pursued his MBA at San Jose State University. He studied Applied Computing at Stanford University, and specialized in Cloud Security and Threat Hunting.