基础设施即代码(IaC)是指利用代码(以预构建模板的形式)来提供支持基于云的应用程序所需的基础设施资源的实践. Developers can leverage this highly reproducible practice to write, test, and release code that will create the infrastructure on which applications run. 整个过程可以作为持续集成/持续部署(CI/CD) software pipeline.
IaC非常有益,因为它避免了每次将新代码推送到生产环境时手动配置资源. Repeatable tasks can be automated and teams can deploy product faster.
While implementing IaC can help developers move faster and more efficiently, there is often a trade-off to do so. 这种速度的提高通常会导致平台和DevOps团队的控制和监督减少, which can in some cases result in resources being improperly provisioned, or worse, created in an insecure manner. Perhaps to combat this, a recent Forrester report 注意到58%的全球高级安全决策者计划在2022年增加其应用程序安全预算.
However, 将安全性集成到开发周期中可能会导致开发人员和安全人员之间的摩擦, 因为SecOps试图跟上DevOps的步伐,并尽可能快地确保工作负载的安全.
Each environment and its purpose is unique. Some tools will be better fits than others, so it’s necessary to research what will work best for your specific needs. 值得注意的是,许多云提供商为其平台提供原生工具和服务. 尝试在研究过程中考虑到这一点,以避免在采用特定平台时可能已经可用的功能冗余.
Learn more about our approach: Integrating Cloud Security With DevOps and CI/CD Tools
Terraform helps users define resources and infrastructure in human-readable, declarative configuration files. It can manage an infrastructure's lifecycle on multiple cloud platforms, as well as track resource changes throughout deployments.
Chef Infra允许用户通过定义可重复的策略来自动化配置管理, consistent, and reusable. It can define configurations and policies as code that are testable, enforceable and can be delivered at scale as part of automated pipelines. Chef can also detect configuration drift and correct it, if needed.
Puppet是一个使用声明性代码来帮助管理和自动化服务器配置的工具. It enables scaling of infrastructure automation with an organization's IT needs. 用户可以描述所需的系统状态,而不是到达那里所需的步骤.
AWS CloudFormation helps users to manage infrastructure with DevOps. 它支持自动化、测试和具有CI/CD自动化的基础设施部署模板. 它还可以扩展和管理基础设施,以包括在CloudFormation Registry中发布的云资源, the developer community, and a user’s library.
Ansible is an open-source, command-line IT automation software application. It can configure systems, deploy software, and orchestrate advanced workflows to support application deployment, system updates, and more. Ansible features minimal “moving parts,” and uses OpenSSH for transport. It also employs a human-readable language so users can get started quickly.
SaltStack is a Python-based, open-source software for remote task execution and configuration management, enabling users to deploy and configure complex IT systems. It combines human-readable YAML with event-driven automation to benefit ITOps, DevOps, NetOps, or SecOps functions.
在云环境中,基础设施即代码的主要好处是——如上所述——速度. 再深入一点,就会发现以下更切实、更具体的商业利益:
The macro benefit most modern businesses are looking to achieve is the big “shift left.” That is, the integration of DevOps and SecOps into a true DevSecOps culture that moves security into the CI/CD pipeline, shifting security and compliance from a reactive stance to a preventative one.
Again, what is IaC? What becomes clear is that there are many ways to answer the question. Drilling down a bit further, there are two general ways it can be done: declarative IaC and imperative IaC. 简单地说,这两种方法是开发人员告诉IaC自动化平台要做什么的方法.
In stating a desired outcome, 用户让系统依赖于预构建的模板和规则来获得该结果. Therefore, 用户对配置过程的技术知识要求更少,并且通过委托获得效率. A user is essentially saying, “I want this outcome to happen after the process is complete, and I don’t care how you do it.“另一个好处是,用户可以采取更具战略性的方法来塑造和部署整个应用程序.
As a quick refresher, IaC的本质是编写定义代码运行的云基础设施的语句. Declarative IaC is simply a faster and easier way to get to a desired outcome, and is the methodology employed the overwhelming majority of the time.
负责定义每个步骤以获得最终结果可能听起来像是一个很大的缺点, and it can be. 用户必须熟悉编程语言,并且必须完美地执行整个操作的每一步. The advantage is that a user has more control over the automation process and code, and can customize the configuration process to a situation’s specific needs.
It involves telling the controller how to do exact things. “Iterate through this loop, check this boundary condition, perform this action if the condition is met, but this other action if the condition is not met.” Imperative programming is essentially micromanagement and is generally human-led.
团队必须确保通过IaC将速度和效率添加到开发生命周期中不会产生安全问题——在过程中尽可能早地实现安全控制和检查是至关重要的. 这样做可以通过在创建模板之前捕获问题来帮助避免创建不遵循组织标准的资源. Let’s take a look at some of the challenges of IaC (don’t worry, they’re most certainly outweighed by the benefits):
Learn How Rapid7's Cloud Security Platform Provides IAC Security
Latest Cloud Infrastructure Topics on the Rapid7 Blog
2022 Cloud Misconfigurations Report: Latest Cloud Security Breaches and Attack Trends