Session 4 - IAC
Why Infrastructure as Code (IaC) Came Along
Before IaC, managing infrastructure was manual, error-prone, and inconsistent. Engineers had to manually configure servers, networks, and cloud resources, leading to:
- Configuration drift: Environments deviating from the intended state.
- Slow provisioning: Setting up infrastructure took days or weeks.
- Scalability issues: Manually adding/removing resources wasn’t efficient.
IaC emerged to solve these problems by automating infrastructure provisioning through code. This made environments reproducible, scalable, and secure by design when best practices are followed.
Different Implementations of IaC
IaC can be implemented in different ways depending on the level of abstraction and the approach used:
a) Declarative vs. Imperative IaC
| Approach | How It Works | Examples |
|---|---|---|
| Declarative (What) | Defines the desired state of infrastructure, and the system figures out how to achieve it. | Terraform, CloudFormation, Kubernetes Manifests |
| Imperative (How) | Defines step-by-step instructions to achieve the desired state. | Ansible, AWS CDK, Pulumi |
Declarative IaC is preferred for infrastructure because it ensures consistency, while imperative IaC is useful for configuration management.
b) Push vs. Pull Model
| Model | How It Works | Examples |
|---|---|---|
| Push Model | IaC scripts are executed from a central system, pushing configurations to resources. | Terraform, Ansible |
| Pull Model | Agents on infrastructure nodes fetch the latest configurations and apply them. | Kubernetes GitOps (ArgoCD, FluxCD) |
Popular IaC Tools
Each IaC tool has its strengths depending on use cases:
| Tool | Purpose | Key Features |
|---|---|---|
| Terraform | Multi-cloud IaC provisioning | Declarative, state management, modular |
| AWS CloudFormation | AWS-native IaC | Infrastructure as JSON/YAML templates |
| Kubernetes Manifests (YAML) | Container orchestration | Defines deployments, services, ingress, etc. |
| Ansible | Configuration management & IaC | Agentless, task-based execution |
| Pulumi | Code-driven IaC | Uses Python, TypeScript, Go for infra |
Infrastructure as Code (IaC) Scanning
Since IaC defines infrastructure, security misconfigurations in code can lead to vulnerabilities in deployed environments. IaC scanning helps catch security risks early before deployment.
What IaC Scans Involve
IaC security scans evaluate:
- Misconfigurations (e.g., open S3 buckets, exposed SSH ports)
- Non-compliance with security standards (CIS, NIST, SOC 2, ISO 27001)
- Hardcoded secrets (API keys, credentials in config files)
- Least privilege enforcement (IAM roles & permissions misconfigurations)
- Container security (Kubernetes RBAC, network policies)
Popular IaC Security Scanners
| Tool | Use Case | Key Features |
|---|---|---|
| Checkov | Multi-cloud IaC security | Supports Terraform, Kubernetes, CloudFormation, and Docker |
| TFSec | Terraform security scanner | Fast, lightweight, integrates with CI/CD |
| KICS | Broad IaC scanning | Supports multiple IaC formats, open-source |
| Terrascan | Terraform security & policy enforcement | Built-in compliance checks for NIST, PCI DSS |
Enforcing Compliance & Policy Checks
Many organizations need to align with security frameworks like:
- CIS Benchmarks: Security best practices for cloud platforms (AWS, GCP, Azure)
- NIST 800-53: Federal security and risk management guidelines
- SOC 2: Security standards for service providers
- PCI DSS: Compliance for handling credit card transactions
Best Practices for Secure IaC
- Use version control (Git) to track changes and enforce code reviews.
- Implement scanning in CI/CD pipelines to prevent misconfigurations from reaching production.
- Follow least privilege principles for IAM roles, service accounts, and permissions.
- Keep secrets out of IaC files, using Vault, AWS Secrets Manager, or Kubernetes Secrets.
- Use GitOps for Kubernetes to ensure security policies are consistently applied.