Rethinking Infrastructure as Code from Scratch

I&#x27;ve been side-stepping this whole conversation by using as little infrastructure as possible. I&#x27;d absolutely be digging into IAC abstractions if I had a circus on my hands <i>and no say over why it had to be a circus</i>.<p>Going into a &quot;cloud native&quot; stance and continuing to micromanage containers, VMs, databases, message buses, reverse proxies, etc. seems absolutely ridiculous to me. We&#x27;re now using exactly 2 major cloud components per region: A Hyperscale SQL database, and a FaaS runner. Both on serverless &amp; consumption-based plans. There are zero VMs or containers in our new architecture. We certainly use things like DNS, AAD, VNets, etc., but it is mostly incidentally created by way of the primary offerings, and we only ever have to create it 3 times and its done forever and ever - Dev cloud, Prod cloud, DR cloud. And yes - we are &quot;mono cloud&quot;, because any notion of all of Azure&#x2F;AWS&#x2F;GCP going down globally and <i>not also dragging the rest of the internet with it</i> is fantasy to me (and our customers).<p>When you literally have <i>one</i> database to worry about for the entire universe, you stop thinking in terms of automation and start thinking in terms of strategic nuclear exchange. Granted, one big thing to screw up is a big liability, but only if you don&#x27;t take extra precautions around process&#x2F;procedure&#x2F;backup&#x2F;communication&#x2F;etc.<p>The benefit of doing more with less also makes conversations around disaster recovery and compliance so much easier. Our DR strategy is async log replication of our 1 database. I really like the abstraction of putting 100% of the business into one place it magically showing up on the other side of the flood event.<p>How about this for a litmus test: If your proposed solution architecture is so complicated that you would be driven to IAC abstractions to manage it, perhaps we need to re-evaluate the expectations of the business relative to the technology.

My thoughts have been going into another direction entirely:<p>- We need to get rid of YAML. Not only because it&#x27;s a horrible file format but also because it lacks proper variables, proper type safety, proper imports, proper <i>anything</i>. To this day, usage &amp; declaration search in YAML-defined infrastructure still often amounts to a repo-wide string search. Why are we putting up with this?<p>- The purely declarative approach to infrastructure feels <i>wrong</i>. For instance, if you&#x27;ve ever had to work on Gitlab pipelines, chances are that already on day 1 you started banging your head against the wall because you realized that what you wanted to implement is not possible currently – at least not without jumping through a ton of hoops –, and there&#x27;s already an open ticket from 2020 in Gitlab&#x27;s issue tracker. I used to think, how could the Gitlab devs possibly forget to think of that <i>one really obvious use case</i>?! But I&#x27;ve come to realize that it&#x27;s not really their fault: If you create <i>any</i> declarative language, you as the language creator will have to define what all those declarations are supposed to mean and what the machine is supposed to do when it encounters them. Behind every declaration lies a piece of imperative code. Unfortunately, this means you&#x27;ll need to think of <i>all</i> potential use cases of your language and your declarations, including combinations and permutations thereof. (There&#x27;s a reason why it&#x27;s taken so long for CSS to solve even the most basic use cases.) Meanwhile, imperative languages simply let the user decide what they want. They are much more flexible and powerful. I realize I&#x27;m not saying anything new here but it often feels like as if DevOps people have forgotten about the benefits of high-level programming languages. Now this is not to say we should start defining all our infrastructure in Java but let&#x27;s at least allow for a little bit of imperativeness and expressiveness!

Did that guy just suggest that to make infrastructure-as-code easier to understand we should make it <i>more like CSS</i>?

What the author appears to miss is that many existing IAC tools permit exactly this.<p>CDK, CDKTF and Pulumi all use general purpose programming languages, so reusing parameter objects in the way that is described is trivial - indeed it is so close to second nature that I would not even think to write it down. Indeed, it&#x27;s not uncommon to share functions that make such parameter objects via libraries in the package ecosystem of your choice.<p>I agree that IaC needs a rethink, but that is more to do with the fact that declarative systems simply cannot model the facts on the ground without being substantially more complex.

&gt; I believe that infrastructure as code languages and tool assisted generators that we currently use are good, and they are taking steps in the right direction, but most of them are trying to patch over underlying complexity in a way that is fundamentally unscalable.<p>Sure, I can get behind this. Yesterday I was trying to figure out how to give a name to EC2 instances generated by AWS-managed autoscaler group that’s created by a node group resource. Simple, right? should just be able to add a Name = $tag field to the node group somewhere to apply to the generated ec2’s?<p>well, not quite. What you actually need is a separate autoscaling_group_tag resource.<p>Well, that resource needs a reference to an autoscaling group arn. but I dont manage an autoscaling group, my node group does, so in the end I have to figure out how to reference it like:<p>aws_node_group.node_group.resources.0.autoscaling_groups.0.arn<p>well, not quite, you may need a try block around that, and maybe some lifecycle rules to get around weird race conditions.<p>so yea. I’m not complaining about HCL or terraform. I find it much better than the alternatives. but lots of times my reaction to stuff like this is “there’s no way it has to be like this.”

I don&#x27;t think the author has tried Pulumi, which can do exactly this kind of thing.

this is great, but I would argue the biggest issue with infrastructure as code is this:<p>the structure and syntax for AWS is entirely different from Azure is entirely different from GCP.<p>Instead of abstracting to CSS, I would argue modeling what Bytecode did in java for multi-operating system, we should do for infrastructure of code.<p>That way, you could easily replicate in different environments, free yourself from vendor lock, and have readability&#x2F;re-usability all in one.<p>This is what I want from infrastructure as code and I have yet to see it.

Some of the ideas here remind me of OAM: <a href="https:&#x2F;&#x2F;oam.dev&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;oam.dev&#x2F;</a><p>OAM has a model of components (things like containerized workloads, databases, queues), traits (scaling behavior, ingress) and in the latest draft, policies that apply across the entire application (high availability, security policy).<p>It&#x27;s all a little disjointed and seems to have lost steam. KubeVela is powering along, but it&#x27;s the only implementation, and IMO it&#x27;s highly opinionated about how you do deploys and works well for Alibaba and perhaps not for others. But it has some interesting ideas.

The author seems to considers that the only infrastructure available these days is “the cloud”

The split between parameterized classes and logic sounds a bit like the split between Puppet and Hiera. The idea was probably a good one, but something about the implementation made people go overboard with it.<p>I feel IaC really peaked around Puppet 3 and Chef 1. IaC should be simple enough that people use it, and trivial to write providers for. People tend to glue much too large libraries to their IaC platforms and end up with a maintenance mess which is what kills it in the long run. However both the above projects went corporate and grew legs and arms and a billion other features that everybody won&#x27;t use more than a subset of. Most people migrated to Ansible which kept more of the open source project culture and was simpler in design.<p>Now people seems to use a little of this, a little of that. Some Ansible, some Terraform, some other stuff. They don&#x27;t know what they&#x27;re missing when the entire stack is built ground up from templated components defined in a common declarative language. Some people seem to really like Nix, which I haven&#x27;t used professionally, but from what I&#x27;ve seen it seems to inherit the same type of design. There was an experimental project called cfg which worked in real time using hooks such as inotify which was promising, if there was a Kubernetes distribution made like that it would be really easy to manage components that didn&#x27;t belong to a host.

My problem with the current IAS systems is the state storage. It should not be needed! Instead, the IAS tool should introspect the systems it&#x27;s managing and build the necessary state on the fly.

Is this a trick to make infrastructure&#x2F;devops engineers learn TypeScript?<p>But, hey, when looking at the origins of OOP and its main uses (back then: Simulations and UI): Maybe this is exactly what one needs to describe and setup infrastructure and there have been various projects going in that direction.<p>Make message passing truly async, throw in Garbage Collection, make it dynamic (i.e. creating a new instance of an object leads to some sort of deployment) and voila: Your traversable, introspect-able object graph is now a representation of your infrastructure.

I use Azure.<p>When I need to provision anything I have a powershell script that interacts with Azure CLI.<p>My script sets up a new resource group for every service we create, logging, key vault, webapp&#x2F;functions, and if needed some kind of data storage or queuing.<p>In my powershell script I can via a variable indicate which environment I want to spin up: dev, staging, prod.<p>I have one yaml file which is for my build and a build trigger which points to the above powershell script with the given environment.<p>All environments: dev, staging or prod are setup manually with manual user assignments for deployment access etc.<p>It&#x27;s really lightweight but I also believe it&#x27;s lightweight because we run a small services setup where each service takes care of its own provisioning.<p>Terraform and Yaml are so verbose but that&#x27;s not the most problematic. You can&#x27;t execute those files from your local machine.

The CSS like IaC language idea was not what I was expecting. It seems ok, but I was hoping for something deeper. What I mean is that I have always felt like there is tension or a mismatch between IaC and the underlying services in a more general sense. I’ve used CDK, Pulumi, Terraform, and CloudFormation and you can argue the merits of each. But they all kind of suck in the sense that you are programming a machine that was not really designed to be programmed. Sure AWS and all the rest have APIs to call and IaC is a decent abstraction over those APIs, but imagine if instead they exposed some lower level interface designed to execute IaC programs natively. I feel like that is the ultimate path to IaC that feels like actual programming.

TypeScript will continue to dominate IaC since it has structural typing and set theoretic types and impeccable IDE&#x2F;LSP support.<p>I use Terraform HCL 40 hours a week, but it is severely lacking in lang design and type system and IDE&#x2F;LSP experience.

I was with it right up until this statement:<p>&gt; Centrally updatable: Sometimes best practice or corporate policy changes over time. You can update what LowCost or SecurityPolicy means later on, in one place, and that change will reapply to all resources that used it.<p>It sounds great but it&#x27;s not. This is essentially the Fragile Base Class problem. You may _think_ that updating one of these traits in a single place will be safe and do what you want, but it may be disastrous for whoever is using it. And you&#x27;re not going to find out until you deploy it.

I kind of see this as just another yaml abstraction on top of configuration templates. This is not new or different in any way from what we have now.

There&#x27;s only so much you can do by building on the current towering abstractions offered by GCP, AWS, etc. One of the main problems is just the slowness of it all.<p>Dark is a good example of something that sidesteps this stuff by more fine grained integration of infrastructure and app code.

A CSS-like language for IaC is literally the last thing I would have expected someone to suggest.<p>It’s an interesting idea. My initial reaction was “you can take my HCL from my cold dead hands” but I can’t seriously argue that Terraform is perfect and that I enjoy writing so much boilerplate.

The author proposes to split structure from parametrisation similarly to how HTML and CSS work.

Interesting comparison with the webbrowser stack! In that sense CDK (generate cloudformation) is more like PHP (generate HTML). I wonder when &quot;Virtual DOM&quot;s, AJAX and CSS preprocessors get introduced to IaC.

Any similar solution for self-hosting focus, my own comprehensive data center infrastructure management + cloud? router&#x2F;switches, load balancer, firewall, CGN, bare metal server, VM, Containers, Application and etc.

@cyberax said, &quot;My problem with the current IAS systems is state storage. It should not be needed! Instead, the IAS tool should introspect the systems it&#x27;s managing and build the necessary state on the fly.<p>@firesteelrain said, &quot;you can do that through abstraction. You &quot;include&quot; your Terraform Azure Provider or Terraform AWS Provider. At the end of the day, your module needs to know what it’s interacting with but not the higher level of abstraction. We have done it at my work to make it cloud agnostic just in case we need to go to another CSP&quot;<p>Single ops eng in a 3 person startup here. Ops eng is only one of my hats right now :) I found crossplane to be a solid tool for managing cloud inf. My assertion is that &quot;the only multi-cloud is k8s&quot; and crossplane&#x27;s solution is &quot;everything is a CRD&quot;. They have an extensive abstraction hierarchy over the base providers (GCP, TF, Azure, AWS, etc) so it&#x27;s feasible to do what firesteelrain did. My client requirements span from- you must deploy into our tenant (could be any provider) to host this for us.<p>I can setup my particular pile of yaml and say - &quot;deploy a k8s cluster, loadbalancers, ingress, deployments, service accounts (both provider and k8s), managed certs, backend configs, workload identity mgmt, IAP&quot; in one shot. I use kustomize to stitch any new, isolated environment together. So far, it&#x27;s been a help to have a single API style (k8s, yaml) to interact with and declaratively define everything. ArgoCD manages my deployments and provides great visibility to active yaml state and event logs.<p>I have not fully tested this across providers yet, but that&#x27;s what crossplane promises with composite resource definitions, claims and compositions. I&#x27;m curious if any other crossplane users have feedback on what to expect when I go to abstract the next cloud provider.<p>cyberax&#x27;s note on state management is what led me away from TF. You still have to manage state somewhere, and crossplane&#x27;s idea was- k8s is already really good at knowing what exists and what should exist. Let k8s do it. I thought that was clever enough to go with it and I haven&#x27;t been dissapointed so far.<p>The model extends the k8s ecosystem, and allows you to keep going even into things like db schema mgmt. Check out Atlas k8s operator for schema migrations- testing that next...<p>I also like that I can start very simple, everything about my app defined in one repo- then as systems scale I can easily pull out things like &quot;networking&quot; or &quot;data pipeline&quot; and have them operating in their own deployment repo. Everything has a common pattern for IAC. Witchcraft.

What do you guys think of combining IaC with regular code? One language that does it all?

did anyone adopt in production <a href="https:&#x2F;&#x2F;crossplane.io" rel="nofollow noreferrer">https:&#x2F;&#x2F;crossplane.io</a> ?

The thing that I think this could run up against is that in HTML+CSS it is fairly common to take an element and apply a whole bunch of properties in coordination with each other. That is, I&#x27;m going to set similar margins and paddings and fonts and many other properties on each element, and there are a lot of broad similarities. This is where CSS variables come in; even if I&#x27;m applying a color to a lot of elements I&#x27;m probably pulling from a much smaller palette and if I change one of them I want to change all.<p>Cloud template definitions also have a lot of settings, but from what I can see, they are all different, all the time, for lots of good reasons. If I&#x27;m deploying a lot of different kinds of EC2 instances, I&#x27;ve got a whole bunch of settings that are going to be different for each type. Abstracting is a much different problem as a result. And it isn&#x27;t just this moment in time, it&#x27;s the evolution of the system over time, too. In code, overabstracting happens sometimes. In cloud architecture it is an all-the-time thing. It is amazingly easy to over-abstract into &quot;hey this is our all-in-one EC2 template&quot; and then whoops, one day I want to change the instance size for only one of my types of nodes, and now I either need to un-abstract that or add yet another parameter to my all-in-one EC2 template.<p>The inner platform effect is very easy to stumble into in the infrastructure code as a result, where you have your &quot;all-in-one&quot; template for resource X that, in the end, just ends up offering every single setting the original resource did anyhow.<p>By contrast, I&#x27;ve pondered the &quot;focus on the links rather than the nodes&quot; idea a few times, and there may be something there. However the big problem I see is that I <i>like</i> rolling up to a resource and having one place where either all the configuration is, or where there is a clear path for me to get to that point. Sticking with an instance just to keep things relatable, if I try to define an instance in terms of its relationship to the network, to the disk system, to the queues that it uses and the lambda it talks to and the autoscaling group it is a part of, now its configuration is distributed everywhere.<p>One possible solution I&#x27;ve often pondered is modifying the underlying configuration management system to keep track of <i>where</i> things come from, e.g., if you have a string that represents the name of the system you&#x27;re creating, but it is travelling through 5 distinct modules on its way to the final destination, it would be great if there was a way of looking at the final resource and saying &quot;where exactly did that name come from?&quot; and it would tell you the file name and line number, or the set of such things that went into it. Then at least you could query the state of a resource, and rather than just getting a pile of values, you&#x27;d be able to see where they are coming from, dig into all the things that went into all the decisions, that might free you to do link-based configuration rather than node-based configuration. But you&#x27;d probably need an interactive explorer; if for instance the various links can configure the size of the underlying disk and you take the max() of the various sizes (or the sum or whatever), you&#x27;d need to be able to look at everything that went into the max and all the sources of <i>those</i> values; it&#x27;s more complicated than just tracking atomic values through the system.<p>I&#x27;ve often wished for this even in just my small little configs I manage compared to some of you, and it is <i>possible</i> that this would be enough of an advantage to stand out in the crowd right now.<p>(I think the &quot;track where values came from and how they were used in computation&quot; could be retrofitted onto existing systems. &quot;Focus on links rather than nodes&quot; will require something new; perhaps something that could leverage an existing system but would require a new language at a minimum.)

you lost me at css and typescript