We're here to talk about integrating infrastructure as code into a continuous delivery pipeline. We'll start by defining infrastructure as code then explain some of the problems it solves.
What is infrastructure as code (IaC)?
Infrastructure as code (IaC) is the approach that takes proven coding techniques used by software systems and extends them to infrastructure. Instead of manual provisioning and ad-hoc configuration, IaC uses machine-readable configuration files to automate provisioning and manage IT infrastructure like servers, containers, and networks. Later in the post, we're going to cover IaC techniques in more detail.
Challenges without IaC
Before we get to what the actual techniques that comprise IaC are, it's important to cover some of the challenges and problems it's meant to solve.
-
Configuration drift: If you're provisioning servers manually it's pretty much a given that, at some point, they'll get out of sync.
-
Snowflake servers: That's the consequence of the last point. When configurations get out of sync, you end up having "snowflake" servers. That is, servers that are unique, hard to replicate, and no one knows how to manage them.
-
Human error: If you don't have things in version control people will make mistakes, and it's going to be hard to identify who made the mistake as well as rolling it back to a previous good point.
-
Time to complete: Manually provisioning servers is a slow process.
DevOps vs. infrastructure as code: What's the difference?
DevOps and infrastructure as code (IaC) are related but distinct. DevOps encourages collaboration between development and operations teams to streamline software delivery. It emphasizes culture, automation, and monitoring throughout the software lifecycle. IaC, in contrast, is a technical implementation within the DevOps framework. It involves using code to manage and automate provisioning, creating a continuous delivery pipeline for cloud-native applications.
DevSecOps builds on these principles by integrating security practices into the DevOps and IaC processes. It ensures that infrastructure and applications remain secure throughout the development and deployment lifecycle.
What is continuous delivery?
Let's now define "continuous delivery." But instead of coming up with a definition myself, let's use the definition by Jez Humble, author of Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation, released in 2010:
Continuous delivery is the ability to get changes of all types — including new features, configuration changes, bug fixes and experiments — into production, or into the hands of users, safely and quickly in a sustainable way.
With continuous delivery, we're able to achieve a Single Piece Flow: that means taking a single piece of functionality, or a bug fix, and taking it from the start to the production environment. That way, problems are caught earlier in the process.
Infrastructure as code: Considerations and best practices
We're now going to cover some of the considerations and best practices mentioned before.
Source control
Everything should be in source control system like Git. Not only the production code, but also the provisioning code, continuous integration job definitions, and IaC scripts.
Code accessibility
Comprehensive source control ensures that code and other assets are available to authorized users across the organization. Improved accessibility simplifies and accelerates code iteration and troubleshooting.
Modularize
Infrastructure code should be modularized to promote reusability and maintainability. Modules can be versioned independently and updated incrementally.
Collaboration
Version control, accessibility, and modularization foster collaboration within and between your development and operations teams. They can work together on shared repositories, review changes, and resolve conflicts. Improved collaboration leads to faster deployment and fewer errors.
Code and test as documentation
Your continuous delivery pipeline should use the code itself and its tests as documentation, instead of relying on offline documentation that easily gets out of sync.
Security Patterns
Now let's turn our focus to some of the main security patterns of IaC.
-
CIS benchmark automation: If you're writing Docker files or creating Docker containers, CIS has some benchmarks and scripts out of the box you can run to check for security issues.
-
Building hardening policies around your infrastructure code, so when you're provisioning them you know they are secure.
-
Static scanning: Adopt static scanning, both as part of your pipeline and also as part of your code.
-
Software composition analysis (SCA): Use SCA tools to scan and verify software dependencies.
Security considerations
Let's now look at some important security considerations.
-
Dynamic scanning: These are tests that are run dynamically against the production environment.
-
Secrets management: Everyone has secrets that they need to manage, such as AWS keys. There are tools available to help you manage those.
-
Artifact signing and verification: If you generate and consume docker images, it's important to get them signed, so you can later verify they're the true artifact.
Compliance
Compliance is a concern, especially in highly regulated industries, such as finance and healthcare. But even if you're not in these industries, you also have to comply with regulations such as GDPR. The recommendation here is to treat compliance as code, instead of having to rely on paperwork.
Tools you can use to help you include Chef InSpec, and HashiCorp Sentinel.
Summary
It's now time for a quick recap of what we've seen.
We started out by defining IaC, explaining that it means applying effective coding techniques to infrastructure. We've also explained the problems which IaC solves. After that, we've presented the definition of continuous delivery.
Then, we proceeded to cover considerations and best practices when it comes to IaC, covering concepts like version control, modularization, and code as documentation.
After that, we've turned our focus to security, covering patterns and considerations. At last, we've covered compliance, explaining why it's important and sharing some tool recommendations.
You can check out Adarsh Shah's talk "Integrating Infrastructure as Code into a Continuous Delivery Pipeline" below.
