REFCARD 356 | MAY 2022

Getting Started With IaC

SAMIR BEHARA
PLATFORM ARCHITECT, EBSCO

CONTENTS

•  Why Does IaC Matter?

•  Important Considerations

•  Getting Started With IaC

•  Getting Started With IaC: Checklist

•  Conclusion

In its strictest sense, Infrastructure as Code (IaC) means that you use code to define and manage infrastructure rather than using manual processes. More broadly, and perhaps more importantly, IaC is about bringing software engineering principles and approaches to cloud infrastructure.

IaC is the latest step in the evolving process of defining and managing infrastructure. Before IaC, infrastructure was (and, in some cases, still is) provisioned by methods such as pointing and clicking in a user interface, batch scripts, and configuration management tools that weren't designed for the modern cloud.

It's also true that much of what's called IaC today is closer to "infrastructure as text." As infrastructure that is written as structured text, it's repeatable and can be versioned, but it does not support the software engineering practices that are used with application code. For example, there's no support for standard development tools, testing frameworks, or package management.

Truly modern approaches to IaC use platforms that are designed for infrastructure in the cloud. These platforms allow you to apply standard software engineering practices and tools to your cloud infrastructure.

WHY DOES IAC MATTER?

IaC matters for three reasons. One is the transition to the cloud. More and more workloads are being moved from on-premises data centers to cloud environments. Nothing suggests that this trend is going to stop. However, cloud computing alone isn't a panacea for maintaining scalable and reliable infrastructure. It's just as possible to have an inconsistent, poorly documented set of scripts for cloud infrastructure as it is for a physical data center. IaC, because it enforces proven engineering practices, is how you make order out of the chaos.

The second reason is a greater sophistication in how people use the cloud. Companies are changing architectures, patterns, and ways of working to optimize the benefits they can get. It's no longer simply CapEx versus OpEx. It's about how to incorporate all the practices that make up the engineering lifecycle, such as versioning and testing, to unlock all the value that the cloud can provide. It's about using engineering practices to take advantage of the cloud's potential and innovate faster to drive your business.

The third reason is that the burden of managing infrastructure in the cloud is increasing. The number of cloud services available is growing every year, and more companies are adopting modern cloud architectures (like containers or serverless), which often have many loosely coupled and interdependent components. The result is that the number of cloud resources that people must manage is going up at a tremendous pace.


This is certainly a good thing, because it means companies are getting more value from the cloud to drive their business forward, but the consequence is an increase in complexity and scale.

For example, one way to get more value from the cloud is to take advantage of the ever-growing number of services that cloud vendors are providing. Those services can speed innovation and accelerate velocity, but remember that with every new service comes new APIs. Each new service adds complexity to the infrastructure.

Increased scale and complexity demand a modern approach to IaC to help you build, deploy, and manage your infrastructure. If you're managing between 1 and 10 resources, point and click probably works fine. When you're managing between 10 and 100 resources, then "infrastructure as text" or legacy IaC tools might still suffice. But what happens when you have hundreds or thousands of resources, which is not at all uncommon today? On top of that, those thousands of resources change not once a month but multiple times a day. A great way to manage all of this is to put in place the same software engineering practices and tools that you use for application code.

Ask yourself:

•  How can I make sure my infrastructure scales, changes, and evolves rapidly enough to support the business and create competitive advantage?

•  How can I maintain visibility into my cloud infrastructure and any changes to it?

•  How can I put in place the policies, security, and guardrails that will ensure safety and reliability?

•  How can I best empower my teams to build, deploy, and manage infrastructure through better collaboration and processes?

A modern approach to IaC is needed to address these questions. It is the critical tool needed to harness the modern cloud through tried-and-true software engineering practices applied to infrastructure. IaC is how we can harness the cloud's potential.

IMPORTANT CONSIDERATIONS

The IaC platform you choose is critical. If your goal is to use standard software engineering tools and practices that are already in place, then look for the following qualities when you evaluate your choices.

STANDARD LANGUAGES

Support for standard languages means that your developers can define and configure infrastructure using the same languages used to write application code, for example, common languages like TypeScript, Go, Python, and C#. Many older IaC tools have their own domain-specific language (DSL), and these can be problematic. Developers often find that common programming constructs are missing.

The platform you choose should allow engineers to easily create strongly typed, structured configurations and to use features they've always relied on, such as loops, constants, and functions. Another advantage to using standard languages is, of course, that the developers already know them. They can begin coding right away. Learning the idiosyncrasies and limitations of a DSL can be time-consuming and frustrating.

STANDARD DEVELOPMENT TOOLS

Using standard programming languages means that you can also use standard development tools such as IDEs. One advantage is, again, familiarity. Developers can work in an environment they already understand. The other is that developers can work in environments designed to help them easily author, debug, test, and deploy code.

TESTING FRAMEWORKS

It's important that infrastructure is tested thoroughly, just as applications are. A modern IaC platform should support standard testing frameworks, and it should also help your teams to expand the types of tests they perform.

Standard ops testing focuses on acceptance tests. That means the ops team spins up infrastructure in the cloud and then tests that infrastructure to see if it's correct. Of course, if it wasn't spun up correctly, the team needs to destroy and redeploy it. That's not an optimal approach because, potentially, something that shouldn't have happened already has, depending on how quickly the team reacts. A modern IaC platform should help your teams "shift risk left" through frequent testing before and during deployment. If they're not already performing them, here are the types of tests your teams should be able to perform with a modern IaC platform.

UNIT TESTS

Unit tests evaluate the behavior of your infrastructure in isolation. External dependencies, such as databases, are replaced by mocks to check your resource configuration and responses. It's possible to use mocks because responses from cloud providers are well known and tested. You already know how, given some parameters, the provider will respond.

Unit tests run in memory without any out-of-process calls, which makes them very fast. Use them for fast feedback loops during development. Unit tests really help you solve problems early in the lifecycle of your infrastructure.

INTEGRATION TESTS

Integration testing (also known as black-box testing) comes after unit testing, and it takes a different approach. Integration tests deploy cloud resources and validate their actual behavior, but in an ephemeral environment. An ephemeral environment is a short-lived environment that mimics a production environment. It's often simpler and only includes the first-level dependencies of the code you're testing. Once the integration tests are finished, you can destroy the ephemeral infrastructure.

SECURITY TESTS

Too often, security tests are left until the last minute, or code that's considered "finished" gets thrown over the wall to a security team who've been left out of the entire development process. The phrase "courting disaster" comes to mind when considering this approach.

First, a modern IaC platform should encrypt sensitive configuration data. It should also make it easy to follow standard security practices such as key rotation. Check to see if the platform you're evaluating encrypts state metadata and ensures that secret values are never exposed in plain text. The platform should also integrate easily with security services offered by the cloud providers.

In addition, as with other types of tests, the IaC platform should help you include security tests that you write yourself into your workflow. Just as you start testing your code early with unit tests, so should you start testing early to find security problems. Those tests belong in your CI/CD pipeline, so the infrastructure is thoroughly tested for vulnerabilities before it's released.

CREATING REUSABLE COMPONENTS

Reusable components mean you build higher-level resources out of individual ones. With them, you can create useful abstractions that can be reused in other places. These components can be written with your company's best practices built in, tested, and shared within the company and with the community. Using reusable components helps to create repeatable, reliable infrastructure. Look to see if the platform you're considering helps you create these components easily.

STANDARD PACKAGE MANAGERS

If you want to create reusable components, you'll need a way to package them so you can share them easily. Along with using standard tools, you'll want support for standard package managers. For example, you might want to put your component into a GitHub repo and publish it through NPM. Your IaC platform should make that a simple task.

CREATING VISIBILITY

Central visibility across all infrastructure resources, with a historical view of past changes, is important both for accountability and collaboration. Your platform should give you visibility across your infrastructure by supporting audit logs and the ability to see diffs when cloud resources change (similarly to how teams use collaborative tools such as Git). Additionally, the platform should allow you to set fine-grained controls over who can access and change your infrastructure.

SUPPORT FOR MULTIPLE CLOUD VENDORS

Not every company wants to use multiple cloud vendors, but it's something you should consider. Do you want to leave that option open? If so, look for an IaC platform that won't lock you into a single provider.

POLICY AS CODE

Another too-often ignored facet of IaC is policy as code. A modern IaC platform should allow you to apply software engineering principles and approaches to your policies, just as it does with infrastructure.

The benefits of policy as code are much the same as they are for infrastructure. Policies continuously enforce your organization's cloud governance in terms of security, compliance, and cost controls. Policies are unambiguous; they can be written with standard languages and tools, they can be versioned and tested, and finally they can be integrated into the CI/CD pipeline so that all infrastructure follows the company's best practices.

GETTING STARTED WITH IAC

This section will review the various IaC tools that you can use to get started with your infrastructure-as-code journey; we will explore the basics using Terraform, along with common commands, and then dive into creating reusable modules.

INFRASTRUCTURE AS CODE TOOLS

There are many open-source IaC tools that you can use to automate your resource provisioning, deployment, and management. Choosing the right infrastructure automation tool that fits your use case is the key. Let us look at some of the popular IaC categories and tools:

Table 1: Common types of IaC tools

IAC TOOL CATEGORY                DESCRIPTION                                                   IAC TOOLS
Configuration management tools   Manage software on existing servers                           Chef, Puppet, Ansible
Server templating tools          Provision infrastructure using an image (VMs and containers)  Docker, Vagrant
Container orchestration tools    Orchestrate container workloads                               Kubernetes, Docker Swarm
Provisioning tools               Provision resources on any cloud                              Terraform

INFRASTRUCTURE AS CODE WITH TERRAFORM

Terraform is an open-source, platform-agnostic tool that allows you to codify your infrastructure as declarative configuration files. Terraform supports many providers and enables you to provision resources in major cloud platforms like AWS, Google Cloud, Azure, and Oracle.
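As an added example that is not part of the refcard, here is one way to apply the policy-as-code and early security testing described above to Terraform: a Python script that reads the JSON from `terraform show -json` on a saved plan and fails the pipeline when any planned aws_s3_bucket lacks default server-side encryption or a required tag. The embedded plan is a constructed sample; its resource addresses and tag values are assumptions, not output from the refcard's project.

```python
"""Policy-as-code gate for a Terraform plan. Feed it the JSON produced by
`terraform plan -out=plan.out && terraform show -json plan.out`."""
import json
import sys

REQUIRED_TAGS = {"Name"}             # tag keys every bucket must carry
ALLOWED_SSE = {"AES256", "aws:kms"}  # accepted default encryption algorithms

def iter_resources(module):
    """Yield each resource of a plan module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def sse_algorithm(values):
    """Return the bucket's default SSE algorithm, or None when none is configured.
    Nested HCL blocks are rendered as lists of objects in plan JSON, hence the loops."""
    for cfg in values.get("server_side_encryption_configuration") or []:
        for rule in cfg.get("rule") or []:
            for default in rule.get("apply_server_side_encryption_by_default") or []:
                if default.get("sse_algorithm"):
                    return default["sse_algorithm"]
    return None

def evaluate(plan):
    """Return violation messages for the plan; an empty list means it complies."""
    violations = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("mode") != "managed" or res.get("type") != "aws_s3_bucket":
            continue
        addr, values = res["address"], res.get("values") or {}
        if sse_algorithm(values) not in ALLOWED_SSE:
            violations.append(f"{addr}: no default server-side encryption")
        missing = REQUIRED_TAGS - set(values.get("tags") or {})
        if missing:
            violations.append(f"{addr}: missing required tags {sorted(missing)}")
    return violations

# Constructed sample in the shape `terraform show -json` emits: the dev bucket from the
# s3-bucket module (compliant) and a root-level bucket declared without encryption or
# a Name tag (non-compliant). Addresses and tag values are illustrative assumptions.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [{
        "address": "aws_s3_bucket.scratch", "mode": "managed", "type": "aws_s3_bucket",
        "values": {"bucket": "scratch-bucket", "tags": {"Owner": "team-a"}}}],
    "child_modules": [{
        "address": "module.dev-dzone-bucket",
        "resources": [{
            "address": "module.dev-dzone-bucket.aws_s3_bucket.s3-bucket",
            "mode": "managed", "type": "aws_s3_bucket",
            "values": {
                "bucket": "dev-dzone-iac-bucket",
                "tags": {"Name": "dev-dzone-iac-bucket-bucket", "Environment": "dev"},
                "server_side_encryption_configuration": [{"rule": [{
                    "apply_server_side_encryption_by_default": [
                        {"sse_algorithm": "AES256", "kms_master_key_id": ""}]}]}]}}]}]}}}

def main(argv):
    """Check the plan JSON named in argv[1] (or the sample) and exit 1 on violations."""
    plan = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PLAN
    problems = evaluate(plan)
    print("\n".join(f"POLICY VIOLATION: {p}" for p in problems) or "plan complies")
    return 1 if problems else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a CI step between terraform plan and terraform apply; a non-zero exit stops the apply before a non-compliant bucket is created.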

Figure 1: Infrastructure as Code in action

With Terraform, you can quickly scale the provisioning of infrastructure resources. Building automation into your deployment process improves the productivity of the development teams in your organization, who can now safely deploy infrastructure changes with confidence. It helps reduce the dependency on a centralized infrastructure team and empowers dev teams to move faster, reducing the cycle time of business features.

To provision resources using Terraform, use the following commands:

Table 2: Resource provisioning commands in Terraform

TERRAFORM COMMAND    FUNCTIONALITY
terraform init       Initialize the working directory containing Terraform configuration files
terraform plan       Terraform creates an execution plan showing the changes it is going to make to your infrastructure
terraform apply      Terraform applies the proposed changes to the infrastructure and updates the state file
terraform destroy    Destroy infrastructure resources created by Terraform configuration files

CREATING REUSABLE INFRASTRUCTURE WITH TERRAFORM MODULES

The concept of Terraform modules is straightforward: you can write your code inside a module and reuse it in multiple places throughout the codebase. With Terraform modules, you can build infrastructure quickly with a few lines of code. As your infrastructure grows and you need to deploy similar resources in different environments like dev and staging, you don't want to copy-paste the same code multiple times.

Terraform modules are much easier to read. They enforce best practices wherein you are not hardcoding values in the Terraform file. To make the module reusable by different teams and cater to various use cases, you need to make it configurable. You should be able to pass additional parameters to multiple resources for environments. Terraform is highly reliable due to its rigorously tested and documented centralized modules.

As a best practice, start thinking about infrastructure as reusable modules. Terraform modules promote the reuse of code, avoid duplication, and help share modules within your organization. This allows you to invest more time in improving the quality of the centralized reusable modules.

SAMPLE CODE

In this section, we will look at the steps required to create an AWS S3 bucket in various environments using Terraform modules. Let's get started by configuring the AWS provider, which Terraform uses to interact with the required resources. The code below configures the AWS provider:

    terraform {
      required_providers {
        aws = {
          source  = "hashicorp/aws"
          version = "~> 4.9"
        }
      }
    }

    provider "aws" {
      region = "us-east-1"
    }

Let us now create a Terraform module for provisioning an S3 bucket resource:

    # modules/s3-bucket/main.tf (the path matches the module source used below)
    # With AWS provider 4.x the inline policy, server_side_encryption_configuration,
    # and lifecycle_rule arguments still work but are deprecated in favour of the
    # standalone aws_s3_bucket_policy, aws_s3_bucket_server_side_encryption_configuration,
    # and aws_s3_bucket_lifecycle_configuration resources.
    resource "aws_s3_bucket" "s3-bucket" {
      bucket = var.bucket
      # A null policy means no bucket policy is attached.
      policy = var.policy
      tags   = merge(var.tags, { Name = "${var.bucket}-bucket" })

      # Encrypt every object at rest with SSE-S3 (AES256) by default.
      server_side_encryption_configuration {
        rule {
          apply_server_side_encryption_by_default {
            sse_algorithm = "AES256"
          }
        }
      }

      # Attach an expiration rule only when expire-days is positive.
      dynamic "lifecycle_rule" {
        for_each = var.expire-days > 0 ? [var.expire-days] : []
        content {
          id      = "expire"
          enabled = true
          expiration {
            days = var.expire-days
          }
        }
      }
    }

The module supports various arguments like bucket, policy, expire-days, and tags:

    variable "bucket" {
      description = "S3 Bucket Name"
      type        = string
    }

    variable "policy" {
      description = "Optional S3 bucket policy to apply. Should be a valid JSON string"
      type        = string
      default     = null
    }

    variable "expire-days" {
      description = "If set to a positive number, a lifecycle policy for expiring the objects after the specified number of days will be attached to the bucket"
      type        = number
      default     = 0
    }

    variable "tags" {
      description = "Common tags to be applied to all resources"
      type        = map(any)
    }

Since the reusable S3 module is already created, we can now call the module from various environments like dev or live and pass in the required variables.

    # local.tags is assumed to be defined in a locals block of the environment configuration.
    module "dev-dzone-bucket" {
      source      = "../modules/s3-bucket"
      bucket      = "dev-dzone-iac-bucket"
      policy      = null
      expire-days = 7
      tags        = local.tags
    }

    module "live-dzone-bucket" {
      source      = "../modules/s3-bucket"
      bucket      = "live-dzone-iac-bucket"
      policy      = null
      expire-days = 14
      tags        = local.tags
    }

The file layout in the Terraform project can look something like Figure 2 below, with separate folders for development and production environments that contain AWS resources under "terraform-modules."

Figure 2: File layout in Terraform

GETTING STARTED WITH IAC: CHECKLIST

Bringing a modern IaC platform into a startup or a company with many greenfield applications may not be difficult. For most companies, however, it's not so straightforward. Many companies, both large and small, have a lot of infrastructure that was created by pointing and clicking in the console of a cloud provider. That's how many new projects get started. Then, one day, an ops engineer wakes up and realizes that the new project is now production infrastructure. To make it more "official," the team writes a run book or a wiki that describes what buttons to click when someone wants to perform a common task. Another common situation is that there are Bash or PowerShell scripts floating around that only one or two people know about. What do you do if that's your situation?

STAY CALM

Remember that change can be scary. Many people feel paralyzed when they think about touching their infrastructure. It's too complicated and they don't understand how it works. Take the time to build up your confidence.

DEFINE WHAT IS GOOD

The first step, perhaps even before you begin to evaluate tools and approaches, is to define what "good" looks like to your company. Achieving that ideal depends on understanding what assumptions will remain true regardless of which tools you use. A team made up of all the stakeholders is one way to define what your company wants to achieve with its cloud infrastructure.

PICK A FEW TOOLS TO EVALUATE

After thinking about the critical points listed above, narrow your search for the perfect platform down to a few candidates to evaluate. You might want to design a small project whose only purpose is to test the platform and see how well it helps you reach your goals.

IMPORT EXISTING INFRASTRUCTURE

Once you've selected a tool, try importing some existing infrastructure. If you're working with the right platform, this should be straightforward.

INTEGRATE WITH EXISTING ENGINEERING PRACTICES

Assuming your infrastructure code is integrated with your continuous delivery pipeline, you can start instituting the same best practices you use with your application code.

START SMALL

Start with a new service or a non-critical service, something that won't disrupt your business if it fails. Pick a project where you'll start seeing value early and then iterate.

CONCLUSION

A modern approach to IaC is a great way to reduce cloud complexity, unlock the potential of the modern cloud, and achieve faster innovation. With a modern IaC approach, you apply standard software engineering practices and tools to infrastructure, usually with an IaC platform that supports these practices. Briefly, here is a summary of the high-level benefits that you can expect.

INCREASE INNOVATION, VELOCITY, AND AGILITY

With a modern IaC approach, teams can apply the same practices, testing rigor, and automation of modern software development to cloud infrastructure. This increases the rate and reliability of releases so that companies can react to customer feedback and iterate quickly.

DECREASE INFRASTRUCTURE RISKS

Because developers can use standard testing frameworks, IaC "shifts risk left." Early, frequent, and thorough testing can be a part of the authoring process and CI/CD pipeline. Since policy and security requirements are also written as code, compliance and safety are automatically tested with every deployment.

FOSTER CLOSER COLLABORATION

Modern IaC platforms use standard tools and languages, which can break down silos between infrastructure, application development, and security teams. Using shared practices and tools increases collaboration between different teams.

WRITTEN BY SAMIR BEHARA, PLATFORM ARCHITECT, EBSCO

Samir is a Platform Architect with EBSCO and builds software solutions using cutting-edge cloud-native technologies. He is a Microsoft Data Platform MVP with over 16 years of IT experience. Samir is a frequent speaker at technical conferences and is the organizer of the Steel City SQL Server user group, Birmingham. He is the author of samirbehara.com.

Copyright © 2022 DZone, Inc. All rights reserved.