Infrastructure as Code (IaC): The Complete Guide

Everything you need to know about Infrastructure as Code (IaC) - why you need it, approaches, top 5 tools, best practices, and how to secure your IaC deployments.

What Is Infrastructure as Code?

Infrastructure as code, also known as IaC, is an IT strategy that manages and codifies IT infrastructure as software. IaC enables operations teams and developers to automatically provision, monitor, and manage resources, instead of manually installing and configuring software.

Infrastructure as code is somewhat similar to the idea of scripts used to automate IT processes. However, scripts automate a sequence of static steps that repeat several times over different servers. Infrastructure as code uses descriptive or declarative language to describe “what” should be deployed—the IaC platform takes care of the “how”, deploys all components automatically.

For instance, an infrastructure as code tool can read a single text file and perform a large number of coordinated actions: install a database server, check it is running correctly, create a new user account, establish a new database connection, and clean up old database instances.   

Code-based infrastructure deployment is very similar to software development practices, where development teams carefully test a product over multiple iterations, using version control to keep track of code changes, and only deploying the software when it is ready for production. Similarly, IT teams can now develop an IaC template, carefully test it, and evolve it in multiple iterations, managing changes using source control. 

Apart from its operational efficiencies, IaC can also be used to automate security processes and integrate them with the development lifecycle, as part of the transition to DevSecOps.

In this article:

Infrastructure as Code Benefits

Benefits of IaC include:

  • Faster development lifecycle—IaC lets you quickly establish your entire infrastructure by operating a script. You may do this for all environments, from development through to production, going through QA, staging, and the like. IaC could help streamline the whole software development lifecycle. 
  • Accuracy and consistency—manual processes often lead to mistakes due to human error and poor communication. Manual infrastructure management will, in most cases, lead to discrepancies. IaC deals with this issue by ensuring the configuration files are the single source of truth. This makes sure that the same configurations will be carried out without inconsistencies.      
  • Visibility and accountability—IaC configuration files can be versioned like any source code file, so you can achieve full visibility into the modifications that each configuration has undergone.   
  • Version control—when infrastructure is expressed as code, it may be checked into, source controlled, code-reviewed and versioned using current software engineering operations. Modifications to infrastructure can be carried out using available CI/CD tools.  
  • Support for DevOps—with the setup of the infrastructure written as code, you can apply the same CI/CD pipeline steps that IT professionals use for application code, such as version control and automated testing. An organization could decide to use IaC alongside containers that remove the application from the infrastructure at the level of the operating system. Because the hardware and operating system infrastructure are provisioned automatically, and the application is enclosed on top of it, such technologies are relevant for various deployment goals, including staging, testing and production.    

Infrastructure as Code Approaches

Here are some comparisons of IaC approaches.

Mutable vs Immutable Infrastructure

Mutable infrastructure is the undertaking where infrastructure parts are modified in production, while the overall application or service continues to function as normal. Immutable infrastructure sets up and puts together resources and components to establish an entire application or service. 

If any component needs modification, it is not reconfigured or modified—rather, it is updated and deployed in an instance. The new iteration is tested, assembled, validated and promoted, and the outdated iteration is stopped and its resources are made available for reuse. 

Immutable infrastructure has grown in popularity specifically for microservices and cloud environments, as they are highly scalable and make use of many interdependent services and components. Any one-time updates to deal with a particular issue may result in configuration drift, which cascades as updates are quickly moved to production. Reissuing collections of immutable components and services is more efficient than reconfiguring and patching infrastructure components individually.  

Declarative vs Imperative IaC Approaches 

A declarative method outlines the suitable state of the system, such as which resources you require and any attributes they should possess, and an IaC will do the configuration for you.

A declarative method also maintains a record of the present state of the object of your system, which makes removing the infrastructure easier to control.

Conversely, an imperative approach specifies the particular commands required to obtain the desired configuration, and the commands must then be carried out in the right order. 

IaC tools are often declarative and will automatically provision the required infrastructure. If you carry out modifications to the desired state, a declarative IaC tool will make the modifications for you. With an imperative tool, you will need to work out how those modifications need to be made. 

IaC tools are generally capable of operating with both approaches, but they often favor the first approach over the second.

Top 5 Infrastructure as Code Tools

While there are a lot of open-source IaC tools on the market, the most readily-adopted tools are Terraform and Ansible. 

IaC on Ansible

Ansible is an open-source community undertaking backed by Red Hat. It was created to assist organizations with their configuration management, automated provisioning, and application deployment. Ansible is a declarative automation tool. 

You can use this tool to develop playbooks (in the YAML configuration language) to define the desired conditions for your infrastructure. It then carries out the provisioning for you. Ansible is a common choice for automating the provisioning of Kubernetes deployments and Docker containers. 

IaC on Terraform

Terraform works together with leading cloud providers. You can use this tool to automate the build-out of resources over various providers at the same time, irrespective of where DNS servers, databases, or physical servers reside. It can also provision applications executed in any language.  

Terraform doesn’t have any configuration management features, though it works together with configuration management tools (such as CloudFormation). When used alongside configuration management tools, Terraform can automatically provision infrastructure according to the state specified by configuration files and can automatically modify update provisioning when needed, in keeping with configuration modifications.   

cloud formation logo

IaC on AWS: CloudFormation

CloudFormation is a tool, from Amazon, that lets teams specify templates representing software stacks and move them to cloud environments automatically. Templates use a straightforward format that can be read by humans—these are basic text files that can be used to manage versions. With CloudFormation, you can automatically spin up everything, including a single EC2 machine or a complex application, via multiple AWS tools.

Identify Security Risks in AWS CloudFormation Templates with Trivy ›


arm logo

IaC on Azure: ARM

Azure Resource Manager (ARM) is Azure’s main mechanism for automating cloud resources. Azure offers a straightforward declarative template syntax that offers access to this automation engine, making sure systems are launched in the same manner as if they were launched using the CLI or Azure Console.  


Pulumi is a tool that is used to provision existing infrastructure. It supports a number of programming languages and is built on Terraform. Pulumi supports secret management, a feature that Terraform is lacking. Pulumi also lets you define the authorization policy in the code.

Nevertheless, Pulumi has certain disadvantages. To use Pulumi, you must be proficient in functional programming languages. Generally, only software developers possess such skills. Infrastructure engineers, on the other hand, have skills in the area of security, networking concepts and operating systems.

Certain infrastructure engineers do have programming expertise, though this is often a more difficult requirement to obtain. 

Infrastructure as Code Best Practices

To make the most of IaC, consider using the following practices:

  1. If you are a startup organization and an application or platform has not yet been created, don’t attempt to automate all processes from the start (this is because of the fast rate of change). When the platform is more stable, you will be ready to automate its maintenance and provisioning.
  2. Use peer reviews with PULL requests and version control in the same manner as you would when detailing with developers. This will let you fully experience the advantages of infrastructure code being used by many team members and you will always have an additional set of eyes monitoring your infrastructure. 
  3. Use quality control and CI/CD for repository alongside your IaC—this will enable you to ensure a high level of code and get quick feedback loops from your DevOps developers or teammates (once changes have been applied). Fortunately, test frameworks exist that can help you write the tests—the earlier you attempt to cover everything, the greater benefit you will gain from it and you will experience fewer unexpected issues with infrastructure. You can’t deal with the application mistakes here, but you can be more assured of your infrastructure.
  4. Apply the idempotency design principle. IaC code should generally be maintained in a manner that allows it to generate consistent results when you apply something and run it repeatedly. This typically requires eliminating certain bash scripts created by your system admins and replacing them with more dependable components of your IaC ecosystem. 
  5. Modularize the code. Most IaC tools let you write roles, modules, or any other abstraction that collects blocks of code into a single logical unit. By using modules, you can gain the same advantages as you would from creating a mature program in any language.   

IaC Security Scanning?

IaC scanning tools can parse common cloud-native template formats. They can then apply rules based on security best practices, providing users with an understanding of where additional hardening may be required to enhance the security of their environments. 

These tools can isolate issues such as a Kubernetes manifest that requests privileged access to the file system of a node, a Docker image created to run as the root user, or a Terraform script that configures an S3 bucket, which is accessible worldwide.

You can use IaC scanning tools at various stages in the development process, by IT professionals as a component of a CI/CD pipeline in a test suite, or as an element of the initial authoring. 

Related content: Read our guide to application security

IaC Security Scanning Rules

The most important part of an IaC scanning tool is the ruleset behind it. Rulesets define what is acceptable and what is considered suspicious or malicious. There is a major advantage to using standardized rulesets. This makes it possible for IaC scanners to share the same policies and rules with other tools in your security stack.

For example, AppShield is an open-source project supported by Aqua, which provides a policy database with rules written in Rego, a commonly used query language. These rules can be used by IaC scanners, but also by other vulnerability scanners and admission controllers, letting you apply the same rules across the application lifecycle. 

Using a standardized ruleset lets you use a set of rules for security configuration, and then reuse those rules when scanning for misconfigurations. This reduces the chance of security checks failing and the complexity of troubleshooting and remediation.

Two Open-Source IaC Scanners to Get You Started

The following are two open-source scanners you can start using today to improve security for Infrastructure as Code. One of them, Trivy, was developed and open-sourced by Aqua, while the other, TFSec, was recently acquired by Aqua.

Aqua Trivy


Trivy is a comprehensive and easy-to-use open-source vulnerability scanner for container images. The project has gained a broad following among open-source community members who have tagged it with more than 3,300 GitHub stars. Unlike other open-source scanners, Trivy covers both OS packages and language-specific dependencies and is extremely easy to integrate into organizations’ software development pipelines.

Trivy is available under the Apache 2 license, allowing royalty-free use, modification, and distribution of the software. Trivy will be included as the default scanner in Harbor, a popular open-source container image registry project under the Cloud Native Computing Foundation, and in addition, the widely used container platform Mirantis Docker Enterprise will make Trivy available as an integrated scanning option for their deployments.

Visit the Trivy Github repo ›


TFSec addresses the need to scan for security misconfigurations in Terraform templates. TFSec was designed to scan the new Hashicorp Configuration Language version 2, which is not covered by existing scanning tools. 

A unique aspect of TFsec is that it examines Terraform code and simulates how resources will be deployed in the cloud, using the Hashicorp HCL engine. This allows it to discover vulnerabilities that other tools miss, because they only scan the code, without looking at the actual final deployment.

The TFSec project has grown to include over 150 checks, supporting AWS, Azure, Google Cloud Platform, Digital Ocean, OpenStack, and Cloud Stack. It is growing in popularity with hundreds of thousands of downloads and a large team of contributors. 

Visit the TFsec Github repo ›