Infrastructure-as-Code (IaC) refers to the practice of leveraging code – in the form of pre-built templates – to provision the infrastructure resources necessary to support cloud-based applications. Developers can use this highly repeatable practice to write, test, and release the code that creates the infrastructure their applications run on. The entire process can be automated as part of the continuous integration/continuous deployment (CI/CD) software pipeline.
IaC can be highly beneficial as it negates having to manually provision resources each time you push new code to production. Repetitive tasks can be automated, and teams can deploy products faster.
While implementing IaC can help developers work faster and more efficiently, doing so often involves trade-offs. This increased speed often results in less control and oversight from platform and DevOps teams, which in some cases can lead to resources being misconfigured or, worse, created in an insecure manner. Perhaps to address this problem, a recent Forrester report noted that 58% of global senior security decision-makers planned to increase their application security budget in 2022.
However, integrating security into the development cycle can cause friction between developers and security personnel, as SecOps attempts to keep pace with DevOps and competently secure workloads as quickly as possible.
Every environment and its purpose is unique. Some tools are better suited than others, so it is worth researching what best fits your specific needs. Worth noting is that many cloud providers supply tools and services native to their platforms. Try to take this into account during the research process to avoid duplicating functions that may already be available to you upon adoption of a specific platform.
Learn more about our approach: Integrating Cloud Security with DevOps and CI/CD Tools
Terraform helps users define resources and infrastructure in human-readable, declarative configuration files. It can manage the infrastructure lifecycle across multiple cloud platforms and track resource changes throughout the deployment process.
Chef Infra enables users to automate configuration management by defining policies that are repeatable, consistent, and reusable. It defines configuration and policy as code that is testable and enforceable, and that can be delivered at scale as part of an automated pipeline. Chef can also detect configuration drift and correct it when needed.
Puppet is a tool that uses declarative code to help manage and automate server configuration. It supports scaling infrastructure automation according to the organization's IT needs. Users can describe the desired system state, as opposed to the steps needed to get there.
AWS CloudFormation helps users manage infrastructure through DevOps. It enables automation, testing, and infrastructure deployment templates with CI/CD automations. It can also extend and manage infrastructure to include cloud resources published in the CloudFormation Registry, by the developer community, and in the user's own library.
Ansible is an open-source, command-line IT automation application. It can configure systems, deploy software, and orchestrate advanced workflows to support application deployment, system updates, and more. Ansible has minimal "moving parts" and uses OpenSSH for transport. It also uses a human-readable language, so users can get started quickly.
SaltStack is Python-based, open-source software for remote task execution and configuration management that enables users to deploy and configure complex IT systems. It combines human-readable YAML with event-driven automation, which benefits ITOps, DevOps, NetOps, or SecOps functions.
The primary benefit of Infrastructure-as-Code in cloud environments is – as mentioned above – speed. Drilling a little deeper uncovers the following more tangible and specific business benefits:
The macro benefit most modern enterprises want to achieve is the big "shift left." That is, integrating DevOps and SecOps into a true DevSecOps culture that moves security into the CI/CD pipeline, shifting security and compliance from a reactive stance to a preventive one.
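As an added example of what "moving security into the CI/CD pipeline" can look like in practice (not code from the original article or from any of the tools it lists), the following Python check scans a CloudFormation template before anything is provisioned and reports a security group that exposes an administrative port to the internet and an S3 bucket with a public ACL. The template is constructed for the example, and the two rules are illustrative rather than a complete policy set.

```python
import json

# Constructed sample template with two deliberate findings: world-open SSH and a public bucket ACL.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "web tier",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}}
  }
}""")

ADMIN_PORTS = {22, 3389}  # remote-administration ports that should never face the internet
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
BLOCK_KEYS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def check_security_group(name, props):
    """Flag ingress rules that expose admin ports (or all traffic) to any source address."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ("0.0.0.0/0", "::/0"):
            continue  # source is scoped, so this rule is not a finding here
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
        if rule.get("IpProtocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(f"{name}: ingress {lo}-{hi} open to {cidr}")
    return findings


def check_bucket(name, props):
    """Flag a public canned ACL or a missing/partial public-access block."""
    findings = []
    if props.get("AccessControl") in PUBLIC_ACLS:
        findings.append(f"{name}: public ACL {props['AccessControl']}")
    block = props.get("PublicAccessBlockConfiguration", {})
    if not all(block.get(k) is True for k in BLOCK_KEYS):
        findings.append(f"{name}: public access block not fully enabled")
    return findings


CHECKS = {"AWS::EC2::SecurityGroup": check_security_group, "AWS::S3::Bucket": check_bucket}


def scan_template(template):
    """Return every finding; a CI step fails the build when the list is non-empty."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        check = CHECKS.get(res.get("Type"))
        if check:
            findings.extend(check(name, res.get("Properties", {})))
    return findings
```

Running `scan_template(SAMPLE_TEMPLATE)` in a pipeline step and failing on a non-empty result stops the insecure resources from ever being created, which is the preventive stance the text describes.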
Once again, what is IaC? Clearly, there are many ways to answer that question. Digging a little deeper, there are generally two approaches: declarative IaC and imperative IaC. Simply put, these two methodologies are how a developer tells the IaC automation platform what to do.
By stating the desired outcome, a user is letting the system rely on pre-built templates and rules to get to that outcome. Therefore, less technical knowledge of the configuration process is required of the user, and efficiencies are gained via delegation. The user is effectively saying, "I want this result to exist once the process finishes; I don't care how you get there." Another benefit is that users can take a more strategic approach to how the overall application is shaped and deployed.
As a quick refresher, the nature of IaC is writing statements that define the cloud infrastructure on which code runs. Declarative IaC is simply a faster and easier way to reach the desired result, and it is the method used the vast majority of the time.
Being responsible for defining each step to get to a final outcome might sound like a big drawback, and it can be. A user must have intimate knowledge of the programming language and must execute each step flawlessly for the entire operation to work. The benefit is that the user has greater control over the automation process and the code, and can tailor the configuration process to the specific situation.
It involves telling the controller exactly how to do things: repeat this loop, check this boundary condition, perform this action if the condition is met, but perform this other action if it is not. Imperative programming is essentially micromanagement, and it is usually human-led.
Teams must ensure that adding speed and efficiency into the development lifecycle via IaC doesn't create security concerns – it's critical to implement security controls and checks as early in the process as possible. Doing so can help avoid creating resources that don't adhere to organizational standards by catching issues within the template before the resources are ever created. Let's look at some of the challenges IaC faces (don't worry, the benefits definitely outweigh them):