Panfactum LogoPanfactum
Infrastructure-as-Code

Infrastructure-as-Code

Infrastructure-as-Code (IaC) is the practice of configuring your infrastructure programmatically instead of interactively.

This came to prominence in the mid 2000s as many infrastructure providers and systems began offering well-documented configuration APIs that could be used by third-party tooling such as terraform.

The advantages of the IaC approach include:

  • Speed: Thousands of discrete infrastructure components can be deployed in a single command

  • Reproducibility: Ensures the exact same infrastructure can be deployed repeatedly

  • Community: Best-practice patterns are easily shared and jointly maintained

  • Change management: Infrastructure changes are reviewed using the same processes as application code, often improving an organization to meet compliance standards such as SOC 2

  • Documentation: All the settings for a particular system are easily searchable, often within a single file

Due to these enormous benefits, IaC has become the de-facto methodology for managing infrastructure in professional settings. This is especially critical in settings where multiple, similar, complex environments must be provisioned and managed. 1

Terraform

While many IaC tools exist, none has achieved as much popularity as Hashicorp's terraform.

Terraform provides a few key benefits over the alternatives which has allowed it to become the standard way to work with infrastructure:

  • Declarative: When using terraform, you only need to declare your desired infrastructure state in the simple Hashicorp configuration language. This unlocks key capabilities:

    • Removal of complex imperative logic for reconciling the current state and the desired state

    • Easily readable source-code files that can quickly be understood by developers of all skill levels

    • Infrastructure deltas that alert you to potential changes before they are applied

    • A robust ecosystem of tooling that can easily parse source code files to ensure organizational compliance standards are met

  • API-oriented: Rather than develop its own infrastructure management logic, terraform simply wraps your infrastructure providers' public APIs. This allows for a simple, concise programming interface and a straightforward mechanism for debugging if something goes awry.

  • Plugin-oriented: Terraform provides a standard, stable interface for adding new infrastructure providers, allowing the wider developer community to produce integrations with nearly every system that provides a public API. This allows organizations to define all infrastructure using a single toolchain, greatly simplifying infrastructure management.

OpenTofu

In late 2023, Hashicorp announced a major update to it's license for terraform and its other previously open-source tools. This eliminated the ability for organizations to provide alternatives to Hashicorp's paid, hosted offerings when using terraform. 2

As a result, many concerned parties came together to fork the last open-source terraform release and create the first release of OpenTofu at the end of 2023. 3 OpenTofu is a drop-in replacement for terraform v1.6 (tofu vs terraform). However, as new releases emerge, the feature sets will begin to slowly diverge.

Notably, OpenTofu already receives more contributions and bugfixes than the original terraform project. Moreover, it has a significantly wider base of support as dozens of companies have come together to sponsor the salaries of many full-time engineers to work on its development. As a result, OpenTofu will likely become the new industry-standard as organizations grapple with the license change in their next upgrade cycle.

Panfactum uses OpenTofu and NOT Hashicorp's terraform. Any time we reference "terraform" in this documentation, you should know that we are referring to the open-source terraform fork, OpenTofu.

Alternatives

While most organizations will be well-served by using terraform / tofu as their only IaC tool, there are other popular IaC tools that cater to specific niches:

  • Helm: A tool that uses the Go templating syntax for managing Kubernetes manifests.

    Helm is the de-facto tool for distributing IaC modules in the Kubernetes ecosystem (via Helm charts). As terraform can wrap Helm using the Helm provider, we do not use it directly in the Panfactum stack even though we do use several third-party Helm charts.

    As all the capabilities of Helm can be provided using the terraform Kubernetes provider, we recommend against using Helm for first-party IaC as it introduces an unnecessary level of indirection.

  • CloudFormation: An AWS-specific IaC format. While Cloudformation does have a handful of niceties directly built-in such as a nice GUI in the AWS web console, there are no capabilities in CloudFormation that cannot be provided in terraform. This greatly reduces its usefulness unless you are only using AWS APIs which very few organizations do in practice.

  • Pulumi: Pulumi sees the declarative nature of terraform as a limitation rather than a strength. As a result, it offers users the ability to define infrastructure in one of many popular imperative languages such as Typescript or Python.

    In practice, removing the declarative model results in more problems than benefits, not only making your system significantly harder to maintain but also greatly increasing the opportunity to introduce bugs that can have catastrophic consequences (e.g., accidentally replacing your primary database).

    Moreover, despite some attempts at cross-compatibility, Pulumi suffers from a more limited set of infrastructure integrations than terraform which would result in you having to use multiple IaC tools for full coverage.

  • Ansible: Useful when needing to run scripts on already-provisioned infrastructure. Ansible has become less relevant as the industry has moved towards immutable, rapidly-replaced VM and container images rather than long-lived servers.

Configuration-as-Code

Infrastructure-as-Code is typically packaged as reusable modules that can be parameterized during deployment by providing different inputs. This pattern allows for significant flexibility and code reuse which are critical when deploying the same infrastructure modules across various systems and environments.

Inputs can be as simple as resource tags but can also completely change the behavior of the module. It is up for the module author to define what inputs their module allows.

Most IaC tools allow users to provide inputs interactively, but inputs can also be defined directly in code. When the configuration for a deployed module is provided via code, we call that configuration-as-code (CaC). 4

While OpenTofu allows defining inputs via simple .tfvars files, a more powerful approach would be to use a purpose-built configuration manager such as terragrunt. Terragrunt in particular provides several advantages:

  • Packaged in a single, free, open-source binary that runs completely locally (as opposed to Terraform Cloud or Spacelift)

  • Allows you to share intra-module configuration blocks such as the state backend and providers

  • Can deploy specific versions of both local and remote infrastructure modules

  • Integrates with sops to define secrets directly in your configuration-as-code

  • Can define inter-module dependencies to control deployment order and chain module outputs to other modules' inputs

  • Adds retry logic to deal with common intermittent provider and network failures

  • Adds many built-in functions that can be used in your configuration files

In the Panfactum stack, we deploy all infrastructure modules using terragrunt.

Learning Resources

While we provide very robust guides for working with infrastructure-as-code in the Panfactum stack, we do assume basic familiarity with working with IaC tooling. If you have never worked with IaC before, we'd recommend the following resources to gain the necessary background knowledge and skills:

  • Terraform: Up & Running: The first resource we recommend to all new platform engineers. A comprehensive overview to the what, why, and how of terraform (and IaC in general). Additionally, covers the various practices for effectively managing configuration-as-code. Written by the founder of Gruntwork, the creator of terragrunt.

  • Terraform Basics Training Course by KodeKloud: For those looking for a more interactive learning experience, KodeKloud produces great courses for most foundational infrastructure management tools. This course can serve as a great introduction to using terraform / OpenTofu.

Footnotes

  1. For example, in the software development lifecycle, one might have a development, staging, and production environment with nearly identical infrastructure.

  2. This was due to their definition and banning of "competitive offerings" and the breadth of what they consider a "paid support arrangement".

  3. See this document for a deeper analysis of why such a drastic move was necessary.

  4. Configuration can also extend beyond module inputs. In general, anything that programmatically configures the behavior of an IaC module during deployment would fall in the category of configuration-as-code.