Infrastructure as code is a process typically used by engineers to run infrastructure they have prepared, such as applications in the cloud, through code rather than manually.
DevOps teams use IaC to generate the same IT environment each time – giving the ability to automatically define how resources are configured, rather than configuring manually over and over again. This reduces time-to-market.
Adam Brown, managing security consultant at the Synopsys Software Integrity Group, explains: “IaC can be used to instantiate, prepare, and start any servers, networks, operating systems, and services that need to exist for the application to run in a robust, high performance and secure state.”
IaC’s repeatable manner of its configuration files and automation also allows necessary changes to be made easily and quickly. This shortens development lifecycles and provides continuous delivery of high-quality software. But it can only exist where virtual environments do, set up as specified in the code.
Brown adds: “IaC reduces risk by removing the single point of failure that can come with manual tasks and the specific people that know how to perform them.
“Human effort is limited to those required to produce and manage the IaC code base. By understanding the cost and risk reduction benefits, firms can make the move to IaC, taking small steps, project by project, allowing them to see incremental benefits from adopting IaC.”
Crystal Morin, cybersecurity strategist at Sysdig, points to IaC’s use of “standardized, machine-readable policy files” as its big strength. She says: “IaC is not just a nice-to-have methodology, but an absolutely essential component of how you provision and deliver modern IT environments.
“It is faster to implement standards and make changes, easier to scale consistent policies to any organization’s size, and is defensible and supportive in risk and regulatory audits.”
Alex McMullan, CTO international at Pure Storage, also sees IaC’s positives and says the market could be worth $3.5bn by 2030.
The benefits of IaC
Security
IaC mitigates misconfigurations due to human error, e.g. forgetting to apply security settings or provisioning the wrong user access. Increased control over change and ongoing maintenance also tackle exploitable vulnerabilities with instant updates from cloud providers.
Efficiency
Using IaC to automate tasks saves teams time and effort plus reduces costs by improving resource utilization. Eduardo Crespo, VP EMEA at PagerDuty, believes its ability to turn manual configurations into code is revolutionizing “how we manage businesses”.
Consistency
IaC helps migrate and deploy entire cloud environments in a flash. It can also be scaled as needed. Scripting infrastructure setups can be created in languages such as HCL or YAML to ensure consistency and version control, similar to software development.
The risks of IaC
One major red flag with IaC is how security problems can suddenly affect every resource configured using IaC files. Sysdig’s Morin warns “One mistake can become a huge organizational risk” and she suggests this could instantly impact hundreds or thousands of resources.
Sascha Giese, tech evangelist at SolarWinds, believes IaC has been dogged by its “hype” and suggests the implementation and conversion process can be “painful” with “mixed results” for businesses.
Others highlight how IaC has a “steep learning curve” with Giese raising the lack of an industry standard as an issue creating significant challenges. There is also the risk of IaC remaining useful over the long term.
To be in it for the long haul, experts suggest IaC must keep up with broader technology trends including edge computing, as well as the infrastructure needed to run AI workloads. It must also gain further traction in private cloud environments, they say.
The challenges of IaC adoption
As cloud spending increases, CIOs and CTOs must adopt policies that allow IaC’s benefits to be maximized. Pure Storage’s McMullan cites its “great promise” when more attention is paid to the code component.
He explains: “Today, many more developers consume infrastructure directly from either an automated system from their own internal IT. Developers want to be able to build their own infrastructures, test them and sometimes take them through to pre-production, without having to encounter delays in raising multiple help desk tickets or other processes.
“Facilitating this way of working enables organizations to harness the true power and potential of IaC, as modern applications are written to be cloud-native using containers and S3 as the building blocks.”
PagerDuty’s Eduardo Crespo adds EMEA is facing the challenge of huge pressure being put on rapid digitalization – hampered by many large European conglomerates being “fragmented across siloed infrastructure, which tends to slow down digital initiatives”.
Crespo’s suggestion is to use IaC to drive competitive advantage across diverse geographies and business lines. He says: “Back-end IT for a business can often appear like a tangled mess of networks and legacy systems. Working with historic tech bottlenecks can complicate the delivery of projects like spinning up and scaling a cloud environment.
“This is why, in the DevOps world, IaC is a game-changer. It has the capacity to integrate seamlessly with CI/CD pipelines, automating deployments and ensuring environments are identical across development, testing, and production. This consistency is vital for rapid, reliable releases.”
Synopsys Software Integrity Group’s Brown highlights how Netflix is seen as one of the “pioneers of IaC”. “It is able to deploy tens of thousands of times per day, fix and even test on live from minute to minute and deliver a slick experience to 100+ million users,” he explains.
Careers in IaC
Gaining a foothold in IaC is accessible to anyone with scripting knowledge and proficiency in languages such as Python and Bash. This will ensure they can quickly create and apply IaC templates.
Other tools and concepts needed include Git, Docker, Kubernetes, Terraform, and Ansible but these can also be learned on the job as well as through education. However, a strong knowledge of cloud providers, their infrastructure, and their services is critical.
Sysdig’s Morin adds: “The more you know about related tools and skills, the better off you’ll be in implementing and maintaining IaC for your organization. Knowledge of configuration management, CI/CD pipelines, networks, secrets management, monitoring and logging, and system administration will help you develop a more secure IaC program.”
Looking ahead, many experts believe IaC may deliver new byproducts. For example, when looking at engineers, it could reduce the time from onboarding to code development to zero days from joining. This would allow more room for them to focus on automation, prediction, and value-added strategic work instead of fixing incidents.
However, SolarWinds Giese warns of another hurdle – developers lacking deep infrastructure and security knowledge. “These skills were traditionally not their job, but some DevOps strategies have made it their job,” he adds.
“Conversely, infrastructure engineers understand the workings of IaC, but may not be familiar with formatting a declarative statement – or have time to learn.”
The Future of IaC
Sysdig’s Morin says “Everything as code will be commonplace” with IaC becoming easier to implement and maintain over time as open-source communities grow and share.
AI and machine learning (ML) models will also begin to predict the needs and requirements of organizations’ unique environments with Chris Astley, global head of engineering, data & AI solutions at KPMG UK, highlighting how in a cloud context, IaC is “the clear choice for automation”.
“IaC is ideal for incident response and disaster recovery,” he says, “allowing IT teams to rapidly generate a new, identical environment from the IaC scripts and previous backups. The impact of AI will also be interesting – how might it be leveraged to automate tasks, even maybe write some IaC modules?
“Generative AI’s ability to write documentation, test functions, and some of the code itself could be game-changing for productivity in this space.”
KMPG UK’s Astley suggests IT leaders will be critical to driving communication about IaC so its full benefits can be realized.
“From there it is often an iterative approach. Some greenfield projects start using the new processes and technology until it becomes the standard. Legacy workloads are then moved to this new way of working as part of a modernization initiative, typically including a migration to cloud,” Astley adds.