Infrastructure as Code Pitfalls and How to Avoid Them - Part 1
April 05, 2021

Tim Davis
env0

Infrastructure as Code. It's not a totally new concept, but it isn't something that everyone is doing at this point. Some have been doing it for a long time. Some have just started the journey. And some have no clue what it even is.

We're going to break it down a bit today, and talk about what it is and some of the common issues, or pitfalls, that come along with it.

What kind of pitfalls can come up?

I have great news for you... The answer is "a lot."

It's not very good news, I guess. But as long as you take the time to consider all your options, and plan accordingly, you can mitigate just about any issues that come up.

So, why is there a lot that can go wrong? It's because of the nature of Infrastructure as Code (IaC). It's infrastructure and it's code. That means you take all the pitfalls that can come along with infrastructure and add them to all the pitfalls that can come along with code.

Infrastructure as Code creation, and management, seems to be the most successful when it is a joint effort between the development team and the infrastructure ops team. DevOps … get it? When this isn't a collaborative effort, infrastructure configuration issues can come up.

Dev and Ops each have their own areas of expertise. That's not to say that people in one don't understand the other. It just means they are experienced in their area. So why not benefit from the knowledge and experience of both?

Infrastructure Pitfalls

The first big pitfall is choosing the wrong framework for your IaC needs. Most major cloud providers have their own specialized framework.

For example, Cloud Formation on AWS, and ARM templates on Azure. These are great if you are 100% dedicated to that cloud. But if you ever decide to migrate or go multi-cloud, your existing IaC configurations can't be used on the new cloud. There are some tools to convert, but this problem can be easily solved by choosing a cloud-agnostic framework from the beginning. Some frameworks have the ability to deploy to pretty much any cloud provider, and even control other pieces of the infrastructure and SaaS tools.

Infrastructure teams usually don't just spin up resources and delete them at will. Generally, lots of variables come into play. Capacity planning or cost analysis, for example. This is to control over or under-provisioning the needed resources, or even overrunning the cloud budget. This pitfall can be mitigated by the Ops team being involved in the creation of the IaC configuration files, or by helping to manage and govern the self-service of the IaC deployments done by the development team.

Another infrastructure pitfall is going to be security. In the past, lots of development teams had the luxury of secure development sandboxes. No real need to involve security until the time when their project is being turned over from development to production, at which point then security was involved as an afterthought.

By shifting security left with IaC in your deployment process, you can work to mitigate security risks and misconfigurations before they happen. Utilizing tools like Open Policy Agent for Policy as Code can help you ensure that no deployment of IaC resources ever happens when the code files contain infrastructure security misconfigurations. Open Policy Agent will parse your IaC configuration files and check them against Policy as Code files that you create to set up the guardrails of your deployments.

Go to: Infrastructure as Code Pitfalls and How to Avoid Them - Part 2, covering the pitfalls of code.

Tim Davis is a DevOps Advocate at env0
Share this

Industry News

December 06, 2022

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the graduation of Argo, which will join other graduated projects such as Kubernetes, Prometheus, and Envoy.

December 06, 2022

Wib announced API PenTesting-as-a-Service (PTaaS) designed to help organizations proactively cover the latest PCI-DSS 4.0 mandates for testing application security, APIs, and vulnerabilities in Business Logic.

December 05, 2022

Harness announced Harness Cluster Orchestrator to allow customers to optimize their Kubernetes cloud workload costs and realize up to 90% cloud cost savings with Amazon Elastic Compute Cloud (Amazon EC2) Spot instances from Amazon Web Services (AWS).

December 01, 2022

Salesforce introduced a new Automation Everywhere Bundle to accelerate end-to-end workflow orchestration, automate across any system, and embed data and AI-driven workflows anywhere.

December 01, 2022

Weaveworks announced that Flux, the original GitOps project, has graduated in the Cloud Native Computing Foundation (CNCF®).

December 01, 2022

Tigera announced enhancements to its cluster mesh capabilities for managing multi-cluster environments with Calico.

December 01, 2022

CloudBees achieved the Amazon Web Service (AWS) Service Ready Program for Amazon Elastic Compute Cloud (Amazon EC2) Spot Instances.

November 30, 2022

GitLab announced the limited availability of GitLab Dedicated, a new way to use GitLab - as a single-tenant software as a service (SaaS) solution.

November 30, 2022

Red Hat announced an expansion of its open solutions publicly available in AWS Marketplace.

November 30, 2022

Sisense announced the availability of the Sisense CI/CD Git integration module.

November 29, 2022

Codenotary announced TrueSBOM for Serverless, a self-updating Software Bill of Materials (SBOM) for applications running on AWS Lamda, Google Cloud Functions and Microsoft Azure Functions that is made possible by simply adding one line to the application source code.

November 29, 2022

Code Intelligence announced its open-source Command-Line Interface (CLI) tool, CI Fuzz CLI, now allows Java developers to easily incorporate fuzz testing into their existing JUnit setup in order to find functional bugs and security vulnerabilities at scale.

November 29, 2022

Parasoft announced the 2022.2 release of Parasoft C/C++test with support for MISRA C:2012 Amendment 3 and a draft version of MISRA C++ 202x.

November 28, 2022

Kasm Technologies announced the release of Kasm Workspaces v1.12, providing major enhancements to its portfolio of digital workspaces delivering Desktop as a Service (DaaS), Virtualized Desktop Infrastructure (VDI), Remote Browser Isolation (RBI), Open-Source Intelligence Collection (OSINT), Training/Sandboxes, and Containerized Application Streaming (CAS).

November 28, 2022

Cloud4C has achieved Amazon Web Services (AWS) DevOps Competency status.