Our 2023 State of IaC Report is live, but for those less familiar with Infrastructure-as-Code, here’s a quick primer. Give us 5 minutes and we’ll give you everything you need to know about infrastructure as code (and yes, the first thing you need to know is not everyone capitalizes or hyphenates it!)
What is Infrastructure-as-Code?
With the surge of cloud-native applications, the burden of managing infrastructure has increased significantly. More companies are using multi-cloud providers and, according to a CNCF survey, 96% of those surveyed are using or consider using Kubernetes. To meet the challenge of governing complex infrastructure, organizations have been managing their cloud assets (such as Kubernetes clusters, AWS security groups, IAM, S3 storage, and more) as code using Infrastructure-as-code (IaC) tools like Terraform, Pulumi, and Helm.
IaC manages and provisions cloud infrastructure through code instead of through manual processes. It is an important innovation in digital transformation and application modernization because it enables changes to an application’s infrastructure to be tracked, managed and governed. Without IaC, operations teams manually set up an environment applying the unique resources, configurations, and constraints required by each project. This manual effort, sometimes referred to as “ClickOps,” is error-prone and inconsistent. It’s also nearly impossible to track changes and ensure policies are followed for access, resource utilization, etc.
Why is Infrastructure-as-Code important?
IaC is the go-to choice for teams wanting to corral cloud chaos or simply manage clouds at scale.
DevOps and cloud services together have empowered developers to set up the resources they need to create and deploy applications, making them more efficient and able to deliver innovation at a higher velocity. But that empowerment has come at a price: today’s clouds can be a little too accessible, creating a Wild West scenario where anyone and everyone can potentially change the infrastructure. These changes can be minor, or they can be disastrous in terms of cloud costs, security issues, and infrastructure reliability. And when multiple people are making changes, it can be time consuming and difficult to isolate a problem change, much less revert it. One high profile example shows what can happen when networks are misconfigured. Cloud misconfigurations can have similar results.
Choosing to manage your infrastructure through code gives you a template to follow for repeatable and consistent use of best practices and policies. And it’s possible to leverage DevOps processes like version control and CI/CD to govern all the changes.Managing cloud at scale using IaC
AppsFlyer, a global leader in marketing measurement, analytics, and engagement, is one such example. AppsFlyer uses Firefly to manage more than 250,000 cloud resources. “Firefly provides us with greater visibility into our entire cloud footprint,” says Eliran Bivas, Cloud Native leader with AppsFlyer. “With Firefly, we can see how the asset was created, who changed it, and its current state. We use GitLab to apply version control to our infrastructure code and to automate policies governing any changes.”
You can’t manage what you can’t see
We’ve found that, on average, our customers have 76% of cloud assets unmanaged and of course if they’re not managed, it’s impossible to know if they’re compliant, secure, or even up-to-date. For companies that are cloud-forward, with multiple cloud service providers and often hundreds or even thousands of cloud service accounts, achieving governance for their cloud infrastructure is very difficult.
This problem was very clear to AppsFlyer. Firefly enabled AppsFlyer to uncover unmanaged resources that were deployed manually or by automated systems like the Cloud Security Posture Manager. “Firefly quickly turned unmanaged cloud resources into codified assets, saving us over 200 hours of engineering time while improving our IaC coverage,” Bivan says.
IaC keeps a well-managed cloud well managed
It’s key to find and manage cloud assets, but that’s only part of the job. Organizations also must ensure existing cloud infrastructures match the most recent defined version - when they don’t, that process is called “drift” and it has the potential to be a very serious problem. Drift is important to find and fix, and like security patching, every day that drift is unchecked is a day that risks downtime, cost, and security weaknesses due to promiscuous permissions, over provisioning, and more. In fact, Trend Micro's report reveals that infrastructure misconfigurations or failures are responsible for up to 70 percent of security events.
Drift can happen for a variety of reasons - when resources are added or removed or when changes are made to existing resource definitions - and can occur either through manual or automated actions..