Describe your infrastructure as code
József Pálfi

As promised, our article series inspired by V-day continues.

Those who provision servers day by day certainly have some doubts about their process: it is time-consuming, non-repeatable, hard to test, or something simply goes wrong in the existing infrastructure during provisioning. There are opportunities to test failover or rollback processes, but…

Over the years, many providers have elaborated their own processes and solutions in order to accelerate deployment cycles. So-called provisioning scripts are everywhere, and, helped by the well-known configuration management tools, they may have done good service a few years ago. Things have changed since then and the disadvantages of that approach have come to light, so it is necessary to keep some principles in mind in order to avoid a lot of other issues creeping into our everyday work.


Take a set of operations that make changes on the target infrastructure. As the well-known concept of idempotence from maths says, if the operations remain the same, the target infrastructure has to end up in the same state regardless of the starting state.


Infrastructure as code resembles software development in many aspects. In software development, reusable code is key. Keep the components of your infrastructure definition simple, consistent, modular, small and parametrizable. Choose your configurable data and abstraction level wisely: scripts with thousands of lines are often more brittle. Lay down the basics of a consistent naming convention.

IaC is declarative

Developing something in a declarative way means describing what you want to achieve, not the algorithm for how to get there. IaC does not need to contain conditional statements. In this article, Yevgeniy Brikman from Gruntwork provides a real use case about the downsides of the imperative approach (under the section Procedural vs Declarative).

Orchestration instead of configuration management

When defining the network topology (how many servers and other resources you need, and in which locations), an IaC tool like Terraform (or CloudFormation for AWS-specific infrastructure) fits your goals better than Ansible and friends. Some configuration management tools can also create resources, but essentially they are for installing, configuring and perhaps fine-tuning something inside the provisioned resources, not for idempotent operations. Use both approaches, each in its proper role.
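The principles above (idempotence, small parametrizable components, a naming convention, a declarative description of how many servers you want) in one Terraform configuration, as an added example that is not code from this article. It uses the 0.11 syntax the article refers to, assumes the AWS provider is configured elsewhere, and the project name, environment and admin network range are constructed values.

```hcl
# Added example, not code from the article: a small, parametrizable Terraform
# configuration in 0.11 syntax. Project, environment and admin_cidrs are constructed.

variable "project"     { default = "shop" }
variable "environment" { default = "staging" }
variable "vpc_id"      { description = "Existing VPC to place the servers in" }
variable "ami_id"      { description = "Hardened base image built elsewhere" }
variable "web_count"   { default = 2 }
# Networks allowed to reach SSH. A documentation range by default, never 0.0.0.0/0.
variable "admin_cidrs" { type = "list", default = ["203.0.113.0/24"] }

# One place for the naming convention: <project>-<environment>-<role>
locals {
  name_prefix = "${var.project}-${var.environment}"
  common_tags = {
    Project     = "${var.project}"
    Environment = "${var.environment}"
    ManagedBy   = "terraform"
  }
}

resource "aws_security_group" "web" {
  name   = "${local.name_prefix}-web"
  vpc_id = "${var.vpc_id}"
  tags   = "${merge(local.common_tags, map("Name", "${local.name_prefix}-web"))}"
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Admin access comes from the parameter, not from a per-environment copy of the file.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = "${var.admin_cidrs}"
  }
}

# Declarative: state how many servers you want; no loop, no "does it exist yet" check.
resource "aws_instance" "web" {
  count                  = "${var.web_count}"
  ami                    = "${var.ami_id}"
  instance_type          = "t2.micro"
  vpc_security_group_ids = ["${aws_security_group.web.id}"]
  tags                   = "${merge(local.common_tags, map("Name", "${local.name_prefix}-web-${count.index}"))}"
}
```

The idempotence check is to run `terraform plan -detailed-exitcode` again after an apply with unchanged inputs: exit code 0 means no changes, while exit code 2 means the configuration or the live environment has drifted and needs investigation.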


At the time of writing, Terraform seems to be widely adopted despite its version number (0.11.1). Needless to say, looking at the changelog and the issue list on GitHub is very important. At Virtualization & DevOps Day 2017 I heard a horror story about an Aurora cluster destroyed by a Terraform bug.

For AWS-specific infrastructure, CloudFormation can be an alternative. It is maybe simpler than Terraform but, as I stated, it supports only AWS services. When interacting with a lot of non-AWS providers, e.g. Cloudflare, Terraform may be a better choice.


As I mentioned earlier, describe your infrastructure as you would develop software. The guidelines above help only if your team adopts them. KitchenCI with its supported testing frameworks can do a good job in infrastructure testing and makes the infrastructure provisioning lifecycle complete.
