Infrastructure as Code: Keeping developers productive, keeping organizations safe

Developers have always had a need for infrastructure. But with the need to update applications or websites quickly to take advantage of changing market conditions, the idea of asking IT to spin up an environment and having to wait sometimes days for it no longer works for organizations trying to keep pace. In short, developer productivity was suffering.

Enter infrastructure as code (IaC), touched off by the launch of public cloud services, which allowed developers to easily consume them just when they needed them. But if you had to submit a request to engage with those services, and wait for a reply, public cloud services never would have succeeded, according to Naveen Chhabra, analyst at Forrester.

So, why infrastructure as code? Why not infrastructure as infrastructure? Chhabra said, “The primary persona using those called cloud services were the application developers, and the application developers know how to code.” So, he said, this became the go-to mechanism to get storage, unit computing, a new database or containers, whereby these services could be consumed in a codified manner.

But this is not confined to the public cloud. VMware, for instance, offers a provider, which Chhabra said is an abstraction layer of an infrastructure component. “Call an API, or call that provider, and I will give you the resources,” he explained.

Growing infrastructure complexity

When cloud services first emerged, developers were able to easily set up testing and staging environments before an application was deployed. Today, organizations are dealing with hybrid and multi-cloud environments, as well as Kubernetes architectures, service meshes and serverless applications, to name but a few. According to Aaron Kao, vice president of marketing at universal IaC platform provider Pulumi, a typical application today has something like 400 different services in it. Yet many of the current IaC tools are either markup languages or DSLs (domain specific languages).

“What’s happening with these older IaC tools that are based on DSLs, they start having to add a lot of features into that DSL, and someone recently told me, it’s like DSLs are just like poor facsimiles of … real programming languages, because there’s leaky abstractions, and there’s increasing complexities that you’re trying to address that you keep having to shoehorn things into it,” Kao said.

Because of this complexity, organizations find themselves in a struggle with their competitors to hire full-stack developers, knowledgeable in application development and what’s needed on the back end to deploy those applications. But because the price tag for these developers is high, organizations might not want them struggling to create infrastructure, or letting them create IaC without guard rails. Ronak Rahman, developer relations manager at infrastructure provider Quali, said, “Who creates those guard rails? And they need things that are watching for security. Is it my developer’s problem that the Docker file or the container that I’m building … has a security flaw in it? You see companies trying to [add guardrails] with their TerraForm scripts so that developers don’t have to care about that; they can just provision their software.”

Keep productivity high

To keep developers productive, Kao said, “It’s really about streamlining. Instead of having multiple tool sets to do infrastructure and do application development, you can use one.. And instead of, let’s say you have a separate IaC system, you know, like, well, there’s a lot of tooling that needs to go get built with that.” So, IaC providers such as Pulumi are seeing the need to integrate with the tools and programming languages where developers live.

One thing related to developer productivity is infrastructure and application drift, according to Roxana Ciobanu, CTO and co-founder at Bunnyshell, an environment-as-a-service platform. “It is inevitable for issues to appear in development when engineers work in environments with out-of-sync infrastructures and old application versions,” she said. “Drift detection is one half of the solution, and automatic remediation is the other half, and that’s where we see a lot of challenges.” To properly solve code drift, she said, any change should automatically be detected, corrected or merged into all existing development, stage or production environments.”

Has DevOps marginalized IT?

There always has been territorial behavior when it comes to IT. Developers write code, operations engineers set up policies and governance that make sure infrastructure is used in a way that doesn’t hurt the organization. 

According to Forrester’s Chhabra, the infrastructure owners’ involvement arises out of the governance needs. “We have seen examples of again, these are not the only reasons, but we’ve seen examples of excessive cloud spend. So can I bring in a governance layer, which says, ‘Hey, you get the infrastructure, type of infrastructure, size of infrastructure, duration of infrastructure, what you actually need, and you don’t leave it overnight unattended, running, you know, without us.’ So can I put that time bound? A time foundation to how long? What, where, and when can you actually use the resources? So that’s the foundation of where these governance requirements are coming from.”

Rahman sees it less as developers taking something from IT and more as operations engineers not keeping their skills up to date. 

That phenomenon, though, is not limited to the technology industry. In journalism, for example, older print editors can be resentful of the shift in newspapers toward multimedia presentations and younger reporters coming in with video and social media skills. In technology, another good example is mainframe programmers who were facile with COBOL but didn’t keep up as client/server and new languages emerged for more modern software development. 

“I think the marginalization is a symptom of, you know, this whole lack of trust and … I think the solution there is just update your skills for the digitization,” Rahman said. “You know, you’re not racking and stacking servers anymore, and hopefully, you’re not going in a cold room and you know, organizing your wires. So, you know, we need new skills to get us to live our art and live our best life.”

Part of the problem, Rahman noted, is that historically, developers and IT have had different goals. Developers want to innovate on new products and features; IT wants to ensure systems stay up and running, comply with regulations such as HIPAA and Sarbanes-Oxley, and keep costs under control.

“I see developers more as creative artists deep in their art,” Rahman said.  “And IT and centralized DevOps represent the business interests, you know, they’re in a whole different org structure, and they’re in charge with making sure guardrails exist, governance exists. I’m not answering to the product team on products coming out of the pipeline faster. So there are two different concerns. There’s the business concerns with absolutely legitimate governance, costs and security. And then there’s the developer’s interest, which is a minus of interest. ‘I don’t want to care about infrastructure. You know, that’s cool that you gave me tools, but I’m just gonna learn how good enough to do what I want to do, which is bang out awesome features.'”

Governance is critical

Traditional IT involvement in infrastructure arises out of the need for governance. One area that’s particularly important to the business is security. Forrester’s Chhabra explained: “Because of security concerns, I don’t want to be running across all public cloud providers or all infrastructure vendors, and find that now as an organization, I’m responsible for patching and managing vulnerabilities. What if I can reduce my attack surface? And that can happen with standardization. Another reason is geolocation. Whether it’s because of the data sovereignty requirements, or because of geopolitical reasons, for a specific project, let’s say, a major oil and gas company wants to run a project in Australia. What is mandated by Australia, that you must be running all those applications and IT resources within Australia. So what do I do? I cannot, as a business leader, allow my application owners to even by mistake, run that in AWS East. So there are different forces that are putting this demand on how the resources where, when and what resources are being consumed, whether it is because of cost reason, geopolitical, or educational and, you know, sovereignty requirements.”

Developers are creating the infrastructure provisioning they need with code, but IT still needs to be the gateway for them to access that infrastructure. Chhabra said, “Developers can’t be expected to understand all the latest happenings in governance. So you still need to have that kind of intermediary IT person, you know, giving them the keys, only at a certain time and at a certain place, and only for a length of time.”

IaC gives you speed; governance gives you the window and the control mechanism. This, Chhabra said, “ensures that there are no speed bumps in how quickly can you go from where you are to where you want to be.”