Infrastructure as code. Best practices
The Infrastructure as Code (IaC) approach that underpins any cloud service is used even by small web development companies and on e-commerce business projects because it’s convenient! The use of IaC can speed up the infrastructure deployment process to a few minutes, prevent configuration errors, and significantly increase the security and stability of the created environment. But to get those benefits, you should get rid of some bad habits and develop new, useful ones. Here, we’ve compiled 5 key practices that automate and simplify infrastructure maintenance and improve the development process.
1) Immutable configurations
IaC tools can recreate the infrastructure according to the specifications based on a manifest file that describes everything you need. After rendering, the infrastructure elements should not be modified and updated manually, otherwise, the IaC manifest will quickly become obsolete. This key point allows you to avoid “drift” of the configuration when the system's current state does not correspond to the one created. When you need to update the configuration, you should make infrastructure changes in the manifest file, then make a new deployment.
Immutable configurations are easier to control, they guarantee the stable operation of infrastructure and services because they maintain the compliance of the environment with the working code.
2) Version control in IaC
Since infrastructure configuration is now a standard code, it makes sense to control changes in a version control system. In our opinion, most convenient to do it with the help of Git using GitHub, and GitLab. It allows you to track any configuration changes, restore early states in case of failures, and quickly find out the causes. Version control systems also allow you to trigger actions when changes are detected. Also, you can implement a full-fledged process of continuous integration and deployment and constantly updating the infrastructure code.
3) Microservice architecture
The advantage of using IaC is the practice of dividing the functionality of a large application into many simple and independent modules. It is easier to track the state of microservices, find errors in small areas of code, and update and manage them even if there are quite numerous. Every microservice contains code with almost all necessary dependencies, changing which, if necessary, will not affect other microservices. Also you provide excellent horizontal scalability to the entire application. This reduces the system requirements and guarantees the elasticity of the infrastructure under high loads.
4) Continuous testing, integration, and deployment
Now when the infrastructure configuration is represented in code, another convenient software development practice can be adopted to manage it: continuous testing, integration, and continuous delivery pipelines. This is logical, because the testing process usually shows the ways to optimize and improve the code quality, even if it is a configuration manifest. Now you can have configuration templates for different environments e.g. Dev, Test, and QA, or run unit, integration, regression tests when configuration changes are made, and so on.
5) No secrets and their transmission through version control systems
Good practice in an IaC implementation is to move secrets out of the version control system into secure secret stores. We recently described the general steps to strengthen infrastructure security in a post “Important steps to improve your infrastructure security” Here we only remind you: it’s better to create a script for vulnerability scanning of images at the testing stage in Continuous Integration and not to neglect to scan for the encrypted secrets in the main development branch and version history. Many methods can be used to identify them, e.g. detection of specific regular expressions, keywords, and entropy-based scanning (unusual expressions to the language in use), so that encrypted secrets do not accidentally enter the master branch unnoticed.
So, the use of IaC tools, although it’s associated with initial efforts and rethinking the approach to building infrastructure and the development process, provides teams with new convenient functionality, facilitates control over the infrastructure and application code, provides the flexibility of configuration, accelerates the possibility of updating, improves security, and eliminates many problems in the case of using or transferring services or the entire application to the cloud.
