Description
Problem to solve
Cloud Guardrails makes no mention of Infrastructure as Code (IaC), yet IaC is key to a truly secure infrastructure. Teams following the guardrails are left to apply policies through ClickOps, with little or no attention paid to reproducibility and change management.
Infrastructure as Code (IaC) is the practice of managing and provisioning cloud resources from machine-readable definitions, usually declarative ones (Bicep, Terraform), kept under version control.
Benefits: reduced cost, increased speed, and reduced risk
- cost: removing the manual work lets people refocus their effort on other tasks
- speed: automation configures infrastructure faster and more consistently than manual steps
- risk: automation reduces the risk of human error, and every change is recorded and reviewable
Intended users
- Developers: facilitate deployment of development environments that mirror production infrastructure
- DevOps: facilitates development of new services and promotes reuse of infrastructure modules
- SRE: traceability in changes
- Management: facilitate transition of infrastructure management
- Security: declarative definitions of infrastructure make changes reviewable before deployment and make automated policy review possible
Further details
Version-controlled declarative IaC languages that support cross-cloud deployments, reducing dependency on a single supplier, should be strongly recommended.
Proposal
Requirement for IaC should be front and center in the cloud guardrails.
Permissions and Security
Deployment permissions should follow the principle of least privilege, scoped to the environment in which the infrastructure operates:
- dev: developers can deploy infrastructure through IaC, using only unclassified or test data
- staging or UAT: the team's DevOps engineers can deploy infrastructure through IaC
- production: only organization-level administrators can deploy, since production data is involved
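One way the Security bullet's automated review and the per-environment permissions above combine in practice is a policy check that runs in CI against the output of `terraform show -json tfplan` before `terraform apply`. The script below is an added example, not code from this project or from the linked Salesforce repository. The plan JSON fields (`resource_changes`, `change.actions`, `change.after`) are Terraform's and the storage-account attributes (`min_tls_version`, `public_network_access_enabled`) are the azurerm provider's; the guardrail thresholds, the Owner/Contributor role list, the dev/UAT/prod deployer mapping, the group object IDs and the sample plan are assumptions constructed for illustration.

```python
"""Automated guardrail review of a Terraform plan (example, not project code).

Reads the JSON produced by `terraform show -json tfplan` and reports
violations of two kinds of guardrail: resource configuration (storage
accounts) and who is granted deploy rights in which environment.
"""
import json
import sys

# Constructed placeholder object IDs standing in for Azure AD groups (assumption).
DEV_GROUP = "11111111-1111-1111-1111-111111111111"
DEVOPS_GROUP = "22222222-2222-2222-2222-222222222222"
ADMIN_GROUP = "33333333-3333-3333-3333-333333333333"

# Who may hold a deploy-capable role per environment: the dev/UAT/prod split above.
ENV_DEPLOYERS = {
    "dev": {DEV_GROUP, DEVOPS_GROUP, ADMIN_GROUP},
    "uat": {DEVOPS_GROUP, ADMIN_GROUP},
    "prod": {ADMIN_GROUP},
}
DEPLOY_ROLES = {"Owner", "Contributor"}  # assumption: roles treated as "can deploy"


def _planned_state(resource_change):
    """Return post-apply attributes, or None for deletions/no-ops (nothing to check)."""
    actions = resource_change["change"]["actions"]
    if actions in (["delete"], ["no-op"]):
        return None
    return resource_change["change"]["after"]


def check_storage_account(address, after):
    """Illustrative guardrails: TLS 1.2 only and no public network access."""
    findings = []
    tls = after.get("min_tls_version")
    if tls != "TLS1_2":
        findings.append(f"{address}: min_tls_version must be TLS1_2 (got {tls!r})")
    # A missing (computed/unknown) value is treated as non-compliant on purpose.
    if after.get("public_network_access_enabled", True):
        findings.append(f"{address}: public_network_access_enabled must be false")
    return findings


def check_role_assignment(address, after, environment):
    """Deploy rights must be resource-group scoped and held only by that environment's deployers."""
    findings = []
    role = after.get("role_definition_name")
    scope = after.get("scope", "")
    principal = after.get("principal_id")
    if "/resourceGroups/" not in scope:
        findings.append(f"{address}: scope {scope!r} is broader than a resource group")
    if role in DEPLOY_ROLES and principal not in ENV_DEPLOYERS[environment]:
        findings.append(f"{address}: principal {principal} may not hold {role} in {environment}")
    return findings


CHECKS = {
    "azurerm_storage_account": lambda addr, after, env: check_storage_account(addr, after),
    "azurerm_role_assignment": check_role_assignment,
}


def review_plan(plan, environment):
    """Run every applicable check over the plan; return the list of findings (empty = pass)."""
    if environment not in ENV_DEPLOYERS:
        raise ValueError(f"unknown environment {environment!r}")
    findings = []
    for rc in plan.get("resource_changes", []):
        after = _planned_state(rc)
        check = CHECKS.get(rc["type"])
        if after is None or check is None:
            continue
        findings.extend(check(rc["address"], after, environment))
    return findings


# Constructed sample plan (not real output): one compliant and one non-compliant
# storage account, a developer-group Contributor grant, an Owner grant at
# subscription scope, and a deletion that must be skipped.
SAMPLE_PLAN = json.loads("""
{"format_version": "1.2", "resource_changes": [
 {"address": "azurerm_storage_account.good", "type": "azurerm_storage_account",
  "change": {"actions": ["create"], "after": {"name": "stgood",
   "min_tls_version": "TLS1_2", "public_network_access_enabled": false}}},
 {"address": "azurerm_storage_account.bad", "type": "azurerm_storage_account",
  "change": {"actions": ["create"], "after": {"name": "stbad",
   "min_tls_version": "TLS1_0", "public_network_access_enabled": true}}},
 {"address": "azurerm_role_assignment.devs", "type": "azurerm_role_assignment",
  "change": {"actions": ["create"], "after": {"role_definition_name": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app",
   "principal_id": "11111111-1111-1111-1111-111111111111"}}},
 {"address": "azurerm_role_assignment.admins", "type": "azurerm_role_assignment",
  "change": {"actions": ["create"], "after": {"role_definition_name": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
   "principal_id": "33333333-3333-3333-3333-333333333333"}}},
 {"address": "azurerm_storage_account.old", "type": "azurerm_storage_account",
  "change": {"actions": ["delete"], "after": null}}
]}
""")

if __name__ == "__main__":
    # Usage: review_plan.py <dev|uat|prod> [plan.json]; exits non-zero on any finding.
    env = sys.argv[1] if len(sys.argv) > 1 else "dev"
    plan = json.load(open(sys.argv[2])) if len(sys.argv) > 2 else SAMPLE_PLAN
    results = review_plan(plan, env)
    for finding in results:
        print("FAIL", finding)
    sys.exit(1 if results else 0)
```

Run against the sample plan, the same developer Contributor grant passes for `dev` and fails for `prod`, which is the property the environment table above asks for; the Owner grant at subscription scope fails everywhere because deploy rights are never allowed to exceed a resource group. Running the check on the plan rather than on the `.tf` sources means module defaults and variable values are already resolved, so a policy cannot be bypassed by hiding a setting behind a variable.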
What does success look like, and how can we measure that?
Widespread adoption of IaC across all our cloud subscriptions, measured by the share of subscriptions whose resources are provisioned through version-controlled IaC rather than manual changes.
Links / references
- Example of cloud guardrails from Salesforce, implemented as Terraform scripts for Azure Policy: https://github.com/salesforce/cloud-guardrails/