Questions to Ask about the IaC in Your CI/CD Pipeline
Many engineering teams follow a similar approach for delivering infrastructure in support of the software development life cycle.
To close the gap between how infrastructure is configured and how application environments are deployed, many DevOps teams connect their Infrastructure as Code (IaC) modules directly to their CI/CD platform.
The aim is to create a continuous infrastructure pipeline that is directly woven into the software development and delivery process, similar to the CI/CD pipeline for continuous delivery of applications.
It’s easy to understand why. Development teams need to deploy infrastructure fast, and they don’t have the time to understand the nuances of its configuration. Many simply aren’t familiar enough with IaC tools to do so in the first place.
In theory, plugging IaC modules into a CI/CD tool should eliminate the need for developers to understand the syntax and logic used in IaC configurations. As developers and testers execute their work across the pipeline, the infrastructure is deployed to support each step.
Before taking this approach, however, make sure to ask a few important questions.
How Do You Track Resource Utilization?
While deploying IaC in your CI/CD pipeline can help your teams move faster, it makes your operations team blind to resource consumption, usage and cost accruals.
This is especially relevant for ephemeral environments used for testing, debugging and staging. If your CI/CD pipelines are deploying cloud resources at scale, who is responsible for terminating them when those stages are complete? If you wanted to know which environments were running right now, who launched them and what they are costing you in real time, where would you start?
In the rush to accelerate operations, visibility is often sacrificed. This makes end-to-end management and cost containment of your infrastructure assets difficult.
Are Your Teams Sharing Cloud Account Credentials and Keys to Get Access?
Facing pressure to meet deadlines, some teams may cut corners and hard-code cloud account credentials, certificates and other keys into IaC modules to give their teammates the access they need.
Relying on IaC alone to deliver infrastructure throughout the CI/CD pipeline rapidly accelerates the creation of IaC modules, but it does not make it easier to distribute secure access to cloud infrastructure. This is a serious risk to avoid.
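A pre-merge check for the hard-coded credentials described above, as an added example that is not part of the original article. It assumes Terraform-style modules and AWS-format keys; the module paths, rule names and sample content are constructed, and the key values are the placeholder keys used in AWS documentation.

```python
import re
import sys

# Each rule names a kind of value that should never appear as a literal in an IaC module.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    # attribute = "literal" where the attribute name suggests a credential
    ("literal-secret-attribute", re.compile(
        r'\b(\w*(?:secret|password|passwd|token|access_key|api_key)\w*)\s*=\s*"([^"]+)"',
        re.IGNORECASE)),
]
# A quoted value that is only an interpolation, e.g. "${var.db_password}", is a reference.
REFERENCE = re.compile(r"\$\{[^}]+\}")

def scan_module(path, text):
    """Return (path, line number, rule) for each line holding a hard-coded credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            if rule == "literal-secret-attribute" and REFERENCE.fullmatch(match.group(2)):
                continue  # value comes from a variable, not from the file
            findings.append((path, lineno, rule))
            break  # one finding per line is enough to fail the check
    return findings

def scan_all(modules):
    """Scan a mapping of module path -> file content."""
    return [f for path, text in modules.items() for f in scan_module(path, text)]

# Constructed sample modules (hypothetical paths); keys are AWS documentation placeholders.
SAMPLE_MODULES = {
    "modules/test-env/main.tf": '''\
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
''',
    "modules/staging/main.tf": '''\
resource "aws_db_instance" "db" {
  password = "${var.db_password}"
}
''',
}

if __name__ == "__main__":
    results = scan_all(SAMPLE_MODULES)
    for path, lineno, rule in results:
        print(f"{path}:{lineno}: {rule}")
    sys.exit(1 if results else 0)  # non-zero exit fails the pipeline step
```

The attribute-name rule is deliberately broad and will flag harmless literals such as a token lifetime, so findings need review before a module is rejected.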
How Do You Ensure IaC Modules Are up to Date?
Maintaining consistent configurations across life-cycle stages can be challenging at scale, resulting in outdated testing environments that throw off results and create rework.
IaC tools only identify configuration changes that are made to the source file, and those changes can be difficult to track down. If changes occur to a live environment, developers will lose a lot of time trying to understand why their deployment failed.
How Much Time Does Your DevOps Team Spend Provisioning Infrastructure?
Provisioning is a double-edged sword for DevOps productivity. On one hand, frequent environment deployments are a positive sign for cloud cost efficiency because they indicate that your teams are decommissioning ephemeral environments when they are no longer needed.
On the other hand, high demand for deployments likely means your DevOps team is underwater with infrastructure provisioning tickets, and this slows development velocity.
Even when using Infrastructure as Code, the orchestration required to deliver the environments supporting your CI/CD pipelines can be considerable. Make sure to consider what goes into the environments supporting your pipelines and the work required to deliver them.
How Will You Standardize Cloud Operations?
Scaling IaC via the CI/CD pipeline can lead to what can be described as configuration chaos.
Infrastructure managed across git repositories lacks a central point to enforce standards, making it difficult to know whether your teams are deploying approved cloud configurations.
The same goes for operations. If you want to require a maximum runtime for ephemeral environments, how would you enforce it across multiple pipelines supported by tens or even hundreds of IaC configurations?
As our customers have embraced cloud native development more and more, we have seen complexity challenges become ubiquitous. For years, we’ve helped DevOps and platform teams automate and orchestrate infrastructure components to tackle complexity and improve delivery velocity.
That led us to work with our customers on a cloud control plane approach that balances cloud velocity with visibility and governance. When it comes down to it, your development teams should be able to move faster without sacrificing control over how cloud resources are used.