The Computer Weekly Developer Network (CWDN) continues its Infrastructure-as-Code (IaC) series of technical analysis discussions to uncover what this layer of the global IT fabric really means, how it integrates with the current push to orchestrate increasingly cloud-native systems more efficiently and what it means for software application development professionals now looking to take advantage of its core technology proposition.
This piece is written by Rob Zuber in his capacity as CTO at CircleCI – the company is a developer-centric automation software company known for its specialist skills in Continuous Integration & Continuous Deployment (CI/CDD).
Zuber writes as follows…
In recent years, the developer community has witnessed several new abstractions come to the fore. Think of Kubernetes and microservices, as examples.
Yet as popularised and well-used as these technologies are, these abstractions aren’t always the cleanest. Developers are still required to understand them in depth to deliver fast action. Plus, as complexities grow within the software development cycle, it can sometimes be difficult to see the wood for the trees.
Infrastructure-as-Code (IaC) is increasing the speed and agility with which IT can respond to changing business needs. However, it’s still yet to reach full maturity. It’s within this context, to successfully manage this setup, developer and software engineering teams better understand both the benefits and challenges associated with this process.
The shoulders of DevOps giants
A side effect of the entire DevOps movement, IaC encourages developers and operators to break down walls, talk to each other, and most importantly — learn from one another. This has created a ‘you build it, you run it’ ethos within the software development cycle. Previously, those operating the software simply scanned for issues such as bugs in code. Today, they treat their portion of the platform more like developers do — using the same tools to deliver version control and change validation.
Put simply, IaC empowers software development teams to stand on the shoulders of giants.
Think of the cloud; an application delivery paradigm/platform that many use, but really don’t fully understand.
In today’s world, we use tools built by others, which offers greater agility, allowing us to work faster and more efficiently. The caveat? It’s easier to lose sight of what’s happening.
A diagnosis for Terraform prescriptions
We use Terraform heavily when deploying IaC, enabling us to make the DevOps process more legible by recording manual processes in a clear and precise way. Unlike before, we can leverage the tools built from a software delivery perspective, thereby encouraging better optimisation and infrastructure management.
This means that, within both our Site Reliability Engineering (SRE) and Infrastructure Engineering teams, we not only put our Terraform prescriptions into source control. Instead, we also run the changes through our CI/CD pipelines, meaning we don’t just store it and think about it as code. Quite the opposite; the entire process starts to look like code.
With this greater traceability, developers can write, test and measure improvements using a CI/CD platform, resulting in shorter lead times for developing features and bug fixes, as well as greater agility concerning changes in development priorities.
Reinforcing security components
When it comes to instilling the best security practices into an IaC setup, it’s important to consider that it is unrealistic to believe all security issues are preventable. In reality, your posture is defined by your ability to respond.
To alleviate security challenges and reduce friction between DevOps and DevSecOps, it’s critical to pivot from a reactive to a proactive approach. Translating security governance into a common language arms developers and security professionals with timely and actionable solutions.
Implementing security at the code layer ensures that security is consistently enforced, enabling it to scale the digital landscape over time.
This saves time and resources in the long-term, as it costs much more fixing software challenges in production than in code. It’s also true, however, that the earlier in the development lifecycle developers are, the less information is available to them around what the infrastructure will look like and, therefore, what misconfigurations may be present.
This is why it’s pivotal developers address infrastructure security at each stage of the software development lifecycle. Your team is your most valuable set of security researchers because they know your applications best and constantly work on them.