DEV Community

env0 Team for env0

Posted on • Originally published at env0.com

Mastering Managed IaC Self-Service: The Complete Guide

The Case for IaC Self-Service

As enterprises migrate to the cloud, move to microservices, and adopt Infrastructure as Code (IaC), deployment management becomes increasingly challenging. Developers continue to rely on DevOps teams for deployments, which results in bottlenecks, reduced efficiency, and overloaded teams, ultimately limiting innovation.

Enabling developers to deploy infrastructure independently addresses these challenges by reducing the burden on DevOps teams, accelerating deployments, and fostering innovation. It also minimizes delays, streamlines workflows, and enhances value delivery.

According to Gartner's Emerging Tech Impact Radar: Cloud-Native Platforms, January 2024: “Empowering application developers with self-service capabilities and enabling them to collaborate more efficiently are becoming key requirements of cloud-native platforms.”

Shifting Left, the Right Way

Shifting left for IaC offers a promising solution, but it must be approached cautiously. It doesn't mean handing the responsibility entirely to developers, because unsupervised deployments can cause unintended consequences such as:

  • Security and compliance risks
  • Code reliability issues
  • Unexpected cloud expenses

Therefore, the goal is to provide developers with IaC autonomy, creating a golden path to IaC adoption that doesn't require extensive IaC knowledge or negatively impact their experience. This approach ensures that DevOps teams retain responsibility, governance, and control.

In an ideal scenario, developers seamlessly integrate IaC into their regular workflows without compromising their experience. At the same time, DevOps teams enforce compliance policies, implement automation, and monitor infrastructure changes to maintain efficiency and ensure robust end-to-end operations.

Developers vs. DevOps Needs

Let us first be clear about what each team needs in order to make self-service possible in IaC environments.

[Figure: Developers vs. DevOps Needs]

The env0 Approach

Before diving into the tools and capabilities, it’s important to understand how env0 delivers a comprehensive IaC managed self-service model. This approach empowers developers to deploy infrastructure independently, while administrators maintain control over governance, security, and consistency.

Admins set guardrails through pre-set templates, enabling developers to choose from approved configurations. This ensures security policies, cost controls, and resource limits are automatically enforced. Developers can deploy on their own without requiring access to sensitive credentials or worrying about breaking anything, thereby simplifying their workflow and letting them focus on getting work done quickly.

env0’s automation and governance make self-service both fast and secure. For instance, PR plans provide a preview of changes and catch potential issues early, while automated approval policies ensure that sensitive changes get proper review without slowing down lower-risk deployments.

On top of that, customers often describe env0 as the “easiest IaC tool for developers,” enabling them to deploy infrastructure independently without needing deep IaC expertise. 

With env0’s self-service capabilities, teams experience 2.5x faster deployments and significantly lower cloud costs, thanks to automation and governance that let developers move quickly while ensuring policies and cost controls are automatically enforced.

Now, let’s dive into some relevant features and capabilities using AWS examples.

Move Fast: Automation and Standardization

Developers are more productive when they can easily focus on innovating, avoid complex tasks unrelated to their main work, and reduce dependency on others. Therefore, features that incorporate automation and standardization can significantly ease their workflow.

Let's go over some key features that automate lengthy IaC manual tasks and standardize processes across teams and individuals.

PR Plans

PR Plans integrate into developers' existing GitOps-driven workflows, letting them trigger Terraform plans directly from their VCS simply by opening a pull request for IaC changes. When the pull request is submitted, env0 automatically runs a Terraform plan and posts the results as a comment on the pull request.

Note: To run PR Plans, ensure your environment has pull request options enabled under Environment settings > Continuous Deployment.

For instance, to change an S3 bucket's ACL from private to public-read, you can commit the changes and create a new PR. env0 will automatically run a Terraform plan and share the results in the PR.

Furthermore, you can run additional commands from PR comments; comment "env0 help" on the pull request to see the commands available for your IaC requirements.

Reusable Templates

env0 Templates allow you to store your IaC configuration for future use, enabling error-free deployment of the same infrastructure environment repeatedly. This eliminates the need to rewrite IaC configurations each time, making the process repeatable and significantly automating infrastructure provisioning.

By simplifying access to pre-configured templates, developers can independently deploy and manage environments, leveraging self-service capabilities and speeding up development cycles.

Templates reference the VCS repository where the IaC is stored and also let you save the environment variables and sensitive credentials that the IaC needs.

Variables

By using Variables in env0, you can set up the values required for your IaC configuration, avoiding the need to hard code values in plain text locally.

You can define variables in a template for reusable infrastructure configurations, saving time and fostering efficient deployments.

Here, Terraform variables act as input parameters for your infrastructure, and there are multiple ways to set them. For example, you can define the tags for an EKS cluster using a dropdown list and set the cluster version to a fixed value as your two input variables.

Furthermore, sensitive variables (also known as secrets) such as cloud credentials, API keys, or database passwords can be marked as sensitive, ensuring they remain hidden from external exposure. Secrets are often set as environment variables, which are accessible throughout the scope of an IaC environment.

Custom flows

You can add additional task steps to IaC deployments using Custom Flows. These tasks can be executed before or after any IaC framework (like Terraform, Pulumi, etc.) workflow stage (init, plan, and apply), providing flexibility for running short, specific actions as needed.

Automating such short manual tasks reduces the workload for DevOps teams, thereby enabling customizable CI/CD pipelines and promoting the automation aspect of self-service.

For instance, the DevOps team can use a custom flow to run a tfsec scan that identifies security misconfigurations in the IaC code before terraform apply runs.

For this, a custom flow YAML file (env0.yaml) defines the tasks to execute before or after each Terraform workflow stage.

```yaml
# env0.yaml
version: 2
deploy:
  steps:
    terraformInit:
      # Validate the configuration as soon as init completes
      after:
        - terraform validate
    terraformApply:
      # Scan with tfsec before any change is applied; a failing scan fails
      # the step and halts the deployment. Note that this fetches the "latest"
      # release unpinned; pinning a version and verifying its checksum is safer.
      before:
        - run: |
            /bin/bash -c "curl -sL 'https://github.com/aquasecurity/tfsec/releases/latest/download/tfsec-linux-amd64' -o tfsec"
            /bin/bash -c "chmod 755 ./tfsec"
            /bin/bash -c "./tfsec ."
```

The Crucial Role of IaC Governance

Without proper governance, the responsibility for every aspect of IaC falls entirely on developers, leading to security risks, compliance issues, unexpected cloud costs, and reliability problems. 

To mitigate these challenges, DevOps teams implement robust guardrails to prevent common pitfalls and distribute the responsibilities. This strategy allows developers to maintain high velocity without compromising security, compliance, reliability, or cost management.

Let's discuss key capabilities that env0 offers to establish control.

Security and Compliance

Role-Based Access Control

RBAC is a method that enables the delegation of specific permissions to users based on their assigned roles, ensuring that only authorized users can perform certain tasks.

env0 provides a clear and straightforward list of permissions for RBAC with different scope levels, enabling granular access control for teams and users across Projects, Environments, or at the Organization level. 

env0 RBAC seamlessly enhances self-service as everything is managed, eliminating the need for developers to learn complex languages like Rego for setting permissions. 

With RBAC, you can assign specific roles to users or teams and manage access based on these roles, thereby enhancing security by preventing anyone from having excessive control over your infrastructure.

Policy-as-Code (PaC)

During each infrastructure deployment, you can apply custom OPA (Open Policy Agent)-based policies to enhance the governance of your IaC resources. With env0's OPA integration, you can define your own set of rules and conditions to assess and safeguard your infrastructure against security loopholes or compliance breaches, establishing stringent guardrails.

Through the env0 Approval Policies feature, you can integrate OPA with each IaC deployment that is run during the deployment stage.

For example, DevOps teams can maintain fine-grained guardrails by implementing an OPA policy that denies destroy operations on environments provisioned from a VPC template, as illustrated below:

```rego
package env0

# METADATA
# description: Deny a destroy operation of the VPC template environment
deny[format(rego.metadata.rule())] {
  input.deploymentRequest.type == "destroy"
  input.template.name == "VPC"
}

# Turn the rule's metadata annotation into the deny message
format(meta) := meta.description
```


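A guardrail like this can be unit-tested locally with opa test before it is wired into an Approval Policy. The following is an added example, not from the original post or env0's own code; the sample inputs are constructed and assume only the input fields the policy reads (deploymentRequest.type and template.name), and it uses the same pre-1.0 Rego syntax as the policy above.

```rego
package env0

# METADATA
# description: Deny a destroy operation of the VPC template environment
deny[format(rego.metadata.rule())] {
  input.deploymentRequest.type == "destroy"
  input.template.name == "VPC"
}

format(meta) := meta.description

# Constructed sample deployment requests (assumed shape: only the two
# fields the policy reads are populated)
vpc_destroy := {"deploymentRequest": {"type": "destroy"}, "template": {"name": "VPC"}}
vpc_deploy := {"deploymentRequest": {"type": "deploy"}, "template": {"name": "VPC"}}
eks_destroy := {"deploymentRequest": {"type": "destroy"}, "template": {"name": "EKS"}}

# Destroying a VPC-template environment must produce exactly the deny message
test_vpc_destroy_is_denied {
  deny["Deny a destroy operation of the VPC template environment"] with input as vpc_destroy
  count(deny) == 1 with input as vpc_destroy
}

# A regular deploy of the same template must not be blocked
test_vpc_deploy_is_allowed {
  count(deny) == 0 with input as vpc_deploy
}

# Destroying an environment from another template must not be blocked
test_other_template_destroy_is_allowed {
  count(deny) == 0 with input as eks_destroy
}
```

Run opa test against the file; all three tests should pass, confirming the policy blocks only the VPC destroy case.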

Secure Remote Backend

The env0 Remote Backend simplifies infrastructure state management by handling everything for you, unlike other approaches that require manual setup (like setting up an S3 Bucket and configuring a DynamoDB Table for the backend).

Make sure that the env0 backend is enabled when spinning up an environment.

In addition to secure state storage, state locking, and consistency, the remote backend lets users execute remote Terraform plans, view the current state, and access all previous state versions.

Moreover, it provides the flexibility to specify which environments can access a particular environment's state in env0.

IaC Reliability

Audit Logs

Auditing is particularly important in self-service because it gives users autonomy, and with increased autonomy comes an increased risk of unauthorized access that needs to be monitored.

Therefore, auditing is crucial for ensuring data reliability and integrity, especially in large organizations with numerous users performing activities daily.

Audit logs record and track all activities performed at the organization level, providing detailed information on who performed each activity, when it occurred, and additional relevant data.

Project Hierarchy

As your organization expands, it's essential to manage and streamline your IaC for deploying various environments based on their use cases. 

By creating parent projects with nested sub-projects, you can isolate configurations such as templates, environments, and environment variables within their own scope. 

This setup ensures better organization and management tailored to specific needs, enabling different teams to simplify troubleshooting, monitor costs, and enhance operational stability across various segments of the infrastructure.

Destroy Protection

As the name suggests, Environment Destroy protection prevents anyone from destroying a particular environment. This enhances reliability by ensuring that only elevated users, such as admins, have the authority to destroy an IaC environment.

To enable it, navigate to the Project Settings > Policies.

Enabling Environment Destroy Protection disables the Destroy option, the environment's Time-To-Live (TTL), and the scheduling of a Destroy operation.

Cloud Cost Management

Cost Estimation

Cost estimation is a tool that estimates the cloud costs (via infracost) based on the infrastructure you provision. This functionality provides developers with a rough estimate of the upcoming infrastructure expenses before deployment. It helps developers make informed decisions about whether or not to proceed with the deployment.

Cost estimation can be enabled by navigating to Project settings > Policies.

Once activated for a project, each deployment plan will trigger a cost estimation calculation. This allows you to review the plan and its associated costs, enabling you to decide whether to proceed with the deployment.

Budget Notifications

Budgeting is essential for controlling financial thresholds during infrastructure deployment. With env0, you can set up Budget Notifications to track your cloud spending. Once you've defined your budget and thresholds, env0 will notify you if your spending exceeds those thresholds, helping you stay on top of your finances.

For example, you can set a monthly budget amount and receive notifications when it reaches a specified threshold percentage.

Environment TTL

Environment Time-To-Live (TTL) specifies how long your IaC environment stays active. Once the TTL expires, env0 automatically destroys the environment. 

This is crucial for automating cost control by ensuring that unused resources are not kept active, thus reducing waste and optimizing resource utilization.

For example, testers can quickly set up a testing IaC environment to test the application on the specified infrastructure. This environment has a configurable TTL of up to 5 hours, which can be extended by administrators if needed. Once the testing is complete, the environment is automatically destroyed.

Cost Monitoring

Cost Monitoring offers a detailed, metric-based overview of expenses incurred over a specified time period, focusing on successful deployments within a project's scope and specific environments. This feature becomes essential for admins or users to track unexpected costs and understand the reasons behind them.

For example, a detailed cost monitoring graph can reveal insights about when and at what time frame the costs spiked or dropped. You can customize the cost breakdown to display data from the last day, week, or even a year.

This is just a glimpse of the self-service (automation, standardization, and governance) env0 offers.

Visibility and Monitoring

Organization Dashboards and Notifications

Dashboards provide a comprehensive overview of your platform activity, organized into. Through this visibility, organization admins can view everything in one place, enabling them to monitor user activities, track the number of projects and environments, and plan strategically to optimize costs.

For example, you can view detailed metrics on your activity with infrastructure deployments, and also the expenses incurred for each project or environment.

You can configure env0 to send notifications about deployment events directly to your Slack, Microsoft Teams, or email. 

For instance, you can set the environment to send notifications to alert your Slack channel if a deployment, destroy, or a plan operation fails.

Receiving this kind of notification regarding any IaC deployment failure helps the DevOps teams take prompt action to address the issue.

You can also set up notifications to alert you whenever a budget threshold is exceeded, as described under Budget Notifications above.

Best Practices

When adopting IaC self-service for developers in your organization, it's important to do so gradually to ensure a smooth transition and to address any issues on a smaller scale before a full rollout:

  • Phased Approach: Start with one or two teams before expanding to the entire organization. This gradual implementation allows for smoother adaptation, identification of potential issues, and easier training and support.
  • Soft Enforcement: Begin with "soft enforcement" by issuing warnings for policy violations for about a month. This period allows teams to adjust to the new policies and understand the implications of non-compliance. After this period, start blocking non-compliant activities to ensure adherence to the established policies. This phased enforcement helps build awareness and encourages compliance without immediate penalties.

Conclusion

Managed self-service capabilities become truly effective when automation and governance are integrated into a fast-paced environment, simplifying infrastructure deployment and management. 

env0 automates tedious IaC processes and enforces compliance with robust guardrails, ensuring organizations stay within their operational boundaries. 

As a result, developers gain the autonomy to innovate freely, while DevOps teams are relieved from the manual workload of resolving tickets. This balance allows both developers and DevOps teams to thrive, leveraging self-service capabilities to innovate efficiently and confidently in a dynamic environment.

To see env0's managed self-service features in action and understand how they can benefit your organization, schedule a 1:1 demo for a thorough overview.
