What is Infrastructure-as-Code (IaC)?

Infrastructure-as-Code (IaC) refers to the practice of leveraging code – in the form of pre-built templates – to provision the infrastructure resources necessary to support cloud-based applications. Developers can leverage this highly reproducible practice to write, test, and release code that will create the infrastructure on which applications run. The entire process can be automated as part of the continuous integration/continuous deployment (CI/CD) software pipeline.

IaC can be highly beneficial as it negates having to manually provision resources each time you push new code to production. Repeatable tasks can be automated and teams can deploy product faster.

While implementing IaC can help developers move faster and more efficiently, there is often a trade-off to do so. This increased speed often results in less control and oversight from platform and DevOps teams, which can in some cases result in resources being improperly provisioned, or worse, created in an insecure manner. Perhaps to combat this, a recent Forrester report noted that 58% of global senior security decision-makers planned to increase their application security budget in 2022.

However, integrating security into the development cycle can cause friction between developers and security personnel, as SecOps attempts to keep pace with DevOps and competently secure workloads as quickly as possible.

Infrastructure-as-Code Tools

Each environment and its purpose is unique. Some tools will be better fits than others, so it’s necessary to research what will work best for your specific needs. With noting is that many cloud providers supply tools and services native to their platforms. Try and take this into account during the research process to avoid redundancy of functions that may already be available to you upon adoption of a specific platform.

Learn more about our approach: Integrating Cloud Security With DevOps and CI/CD Tools


Terraform helps users define resources and infrastructure in human-readable, declarative configuration files. It can manage an infrastructure's lifecycle on multiple cloud platforms, as well as track resource changes throughout deployments.

Chef Infra

Chef Infra enables users to automate configuration management by defining policies that are repeatable, consistent, and reusable. It can define configurations and policies as code that are testable, enforceable and can be delivered at scale as part of automated pipelines. Chef can also detect configuration drift and correct it, if needed.


Puppet is a tool that uses declarative code to help manage and automate server configuration. It enables scaling of infrastructure automation with an organization's IT needs. Users can describe the desired system state, as opposed to the steps needed to get there.

AWS CloudFormation

AWS CloudFormation helps users to manage infrastructure with DevOps. It enables automation, testing, and infrastructure deployment templates with CI/CD automations. It can also extend and manage infrastructure to include cloud resources published in the CloudFormation Registry, the developer community, and a user’s library.


Ansible is an open-source, command-line IT automation software application. It can configure systems, deploy software, and orchestrate advanced workflows to support application deployment, system updates, and more. Ansible features minimal “moving parts,” and uses OpenSSH for transport. It also employs a human-readable language so users can get started quickly.


SaltStack is a Python-based, open-source software for remote task execution and configuration management, enabling users to deploy and configure complex IT systems. It combines human-readable YAML with event-driven automation to benefit ITOps, DevOps, NetOps, or SecOps functions.

What are the Benefits of IaC?

The primary benefit of Infrastructure-as-Code in cloud environments is – as mentioned above – speed. Drilling a little deeper uncovers the following more tangible and specific business benefits:

  • Templatizing manual configurations: Previously, developers had to manually provision infrastructure each and every time an application was being readied for deployment. IaC automates this process with templates. Repeatable code can be leveraged quickly and efficiently, with SecOps building security controls and establishing guardrails with those templates.
  • Reducing risk: Risk can never be fully eliminated. However, by building repeatable templates that are aligned to organizational security standards and best practices, risk of human error and vulnerabilities will decrease.
  • Reduce wasted spend: Along with the potential to provision misconfigured resources, human error often results in the over-provisioning of infrastructure resources. By applying guardrails to resource volumes, you can avoid wasted spend associated with over-provisioned resources.
  • Creating a stronger team: IaC can enable cost savings as well as more technical and operational efficiency. Perhaps the greatest benefit is a friction reduction in the relationship between DevOps and SecOps. There is less of a sense of the security organization “checking developers’ work” prior to runtime – if security is integrated naturally into the process. This can create a more positive work environment and team camaraderie.

The macro benefit most modern businesses are looking to achieve is the big “shift left.” That is, the integration of DevOps and SecOps into a true DevSecOps culture that moves security into the CI/CD pipeline, shifting security and compliance from a reactive stance to a preventative one.

Declarative vs Imperative IaC

Again, what is IaC? What becomes clear is that there are many ways to answer the question. Drilling down a bit further, there are two general ways it can be done: declarative IaC and imperative IaC. Simply put, these two methodologies are how a developer tells the IaC automation platform what to do.

Declarative IaC

In stating a desired outcome, a user is letting the system rely on pre-built templates and rules to get to that outcome. Therefore, less technical knowledge of the configuration process is required of the user and efficiencies are gained via delegation. A user is essentially saying, “I want this outcome to happen after the process is complete, and I don’t care how you do it.” Another benefit is that users can take a more strategic approach to how the overall application is shaped and deployed.

As a quick refresher, the nature of IaC is writing statements that define cloud infrastructure on which code runs. Declarative IaC is simply a faster and easier way to get to a desired outcome, and is the methodology employed the overwhelming majority of the time.

Imperative IaC

Being responsible for defining each step to get to a final outcome might sound like a big drawback, and it can be. A user must have intimate knowledge of the programming language and must execute each step flawlessly for the entire operation to work. The advantage is that a user has more control over the automation process and code, and can customize the configuration process to a situation’s specific needs.

It involves telling the controller how to do exact things. “Iterate through this loop, check this boundary condition, perform this action if the condition is met, but this other action if the condition is not met.” Imperative programming is essentially micromanagement and is generally human-led.

What are Some Challenges of IaC?

Teams must ensure that adding speed and efficiency into the development lifecycle via IaC doesn't create security concerns – it’s critical to implement security controls and checks as early in the process as possible. Doing so can help avoid creating resources that don't adhere to organizational standards by catching issues within the template before they're ever created. Let’s take a look at some of the challenges of IaC (don’t worry, they’re most certainly outweighed by the benefits):

  • Templates that contain security risks: Once a template is built, that does not mean it is free of errors. It’s a good idea to check the template prior to use to avoid the risky resource being created in the first place.
  • Built-in analysis: Once IaC has been put into practice, scanning tools must also be integrated to, as mentioned above, catch errors before they become real vulnerabilities. The good news is that both static IaC analysis and dynamic IaC analysis can help analyze code, identify misconfigurations, and evaluate cloud environments in which an IaC template will run.
  • Ramping up with IaC: Implementing and using IaC comes with a learning curve at a given time that can drain developer resources and can create a fundamentally different workflow than teams may be used to. Additionally, it requires that the repository of IaC templates is comprehensive enough to ensure it fits the needs of the entire development team. Therefore, it’s critical that stakeholder teams stay in sync on a plan to keep templates updated.
  • Human friction: When implementing IaC, it can be difficult for developers to deal with the sense of disruption or slowdown that comes with needing to continuously use security tooling to ensure infrastructure is protected from misconfigurations and vulnerabilities. It’s on security to make it as seamless as possible for developers to scan IaC templates quickly and move on.

Read More About IAC Security

Learn How Rapid7's Cloud Security Platform Provides IAC Security

Latest Cloud Infrastructure Topics on the Rapid7 Blog

2022 Cloud Misconfigurations Report: Latest Cloud Security Breaches and Attack Trends